We recently purchased PA-3020s, mainly for application control, and put them behind Cisco ASAs. I set up a trust-to-untrust policy which applies to outbound internet traffic. I denied unwanted apps and allowed the rest using user group mapping. That is all working fine and users can access the internet with no problem.
Well, last week, I tried to do the same to the default untrust-to-trust policy for the inbound traffic. I created a policy that allowed the DMZ and remote VPN traffic coming through the ASA and I changed the default untrust-to-trust policy from allow to deny. The result was that internet access stopped. No one could access the internet and I had to back the change out.
My thinking was that this is a stateful firewall and for any outbound traffic, the return traffic should pass through if it matches an established session. Is this not right with the PA firewall? Do they do stateful inspection or not?
Palo Alto is stateful by default. Do you have 1 Cisco ASA or 2 Cisco ASAs in that topology?
Are they active passive or active active ?
You should examine the logs related to the clients so that you will see what happened during that config.
Are the PANFWs in Layer3 mode or in vwire mode?
Can you attach a screenshot of the untrust-to-trust rule on the PANFW?
Thanks and best regards,
I have 2 ASAs active/standby, same as the PAs. The PAs are in vwire mode. Let me try it again and check the logs closely, or post them here.
Thank you all for the input.
NickySorot, As was stated before, All Palo Alto Networks firewalls are stateful by default.
If you require something specific, please let us know.
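To make the "stateful by default" answer concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models a stateful session table in Python. The zone names, rule names and addresses are constructed for the illustration. It shows that with trust-to-untrust set to allow and untrust-to-trust set to deny, the reply to an outbound connection is matched against the existing session and passed, while an unsolicited inbound packet hits the deny rule. It also shows the failure mode a practitioner would check the traffic logs for: the same reply arriving at a firewall that holds no session for it (for example after a failover or on an asymmetric path) is evaluated against policy and dropped. The thread does not say whether that was the cause here; the model only shows the mechanism.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: a toy stateful firewall, not a PAN-OS implementation.
Flow = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_zone: str
    dst_zone: str


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sessions: Dict[Flow, str] = {}  # flow -> rule that created it
        self.log: List[str] = []  # stands in for the traffic log

    def _match_rule(self, pkt: Packet) -> Optional[Rule]:
        # First rule whose zone pair matches wins; no match means implicit deny.
        for rule in self.rules:
            if rule.from_zone == pkt.src_zone and rule.to_zone == pkt.dst_zone:
                return rule
        return None

    def process(self, pkt: Packet) -> str:
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stage 1: existing session in either direction -> forward without
        # consulting policy. This is why return traffic survives a deny rule.
        if flow in self.sessions or reverse in self.sessions:
            owner = self.sessions.get(flow) or self.sessions[reverse]
            self.log.append(f"session-match {flow} rule={owner}")
            return "allow"
        # Stage 2: first packet of a flow -> policy lookup, create session on allow.
        rule = self._match_rule(pkt)
        if rule is None or rule.action == "deny":
            name = rule.name if rule else "interzone-default"
            self.log.append(f"deny {flow} rule={name}")
            return "deny"
        self.sessions[flow] = rule.name
        self.log.append(f"session-create {flow} rule={rule.name}")
        return "allow"


def demo() -> Dict[str, str]:
    """Outbound-initiated traffic passes; unsolicited inbound and session-less replies do not."""
    rules = [
        Rule("trust-to-untrust", "trust", "untrust", "allow"),
        Rule("untrust-to-trust", "untrust", "trust", "deny"),
    ]
    fw = StatefulFirewall(rules)
    # Constructed addresses (RFC 5737 documentation ranges for the outside hosts).
    client = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "trust", "untrust")
    reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "untrust", "trust")
    unsolicited = Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 3389, "untrust", "trust")
    results = {
        "client_syn": fw.process(client),
        "server_reply": fw.process(reply),
        "unsolicited_inbound": fw.process(unsolicited),
    }
    # A firewall that never saw the outbound packet has no session to match,
    # so the same reply falls through to policy and is denied.
    cold = StatefulFirewall(rules)
    results["reply_without_session"] = cold.process(reply)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

When troubleshooting the real device, the equivalent check is to filter the traffic log on the client's source address and see whether the dropped packets are logged against the untrust-to-trust deny rule rather than matched to an existing session.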
OK, thanks. Can you share a document link to prove that this is stateful?
One more question: can we assign multiple segments on one interface?
ex: 192.168.1.0 to 192.168.1.32
192.168.1.33 to 192.168.1.64
The information that you are looking for can be found on this link,
Nicky, the link was posted about being stateful.
As far as the multiple segments: you can place as many IP addresses as you want on an interface.
It looks like you want a "range". Do you mind if I ask why you are wanting to do that? For what purpose? NAT?
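The ranges asked about above (192.168.1.0 to .32 and .33 to .64) are not aligned to subnet boundaries, which matters when an interface address or a NAT object has to be expressed as a prefix. The following added example (not from the thread or from Palo Alto Networks) uses Python's standard ipaddress module to show which CIDR prefixes exactly cover each range, and compares them with the aligned /27 blocks .0-.31 and .32-.63 that were presumably intended.

```python
import ipaddress
from typing import Dict, List


def summarize(first: str, last: str) -> List[str]:
    """Return the CIDR prefixes that exactly cover an inclusive address range."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def range_demo() -> Dict[str, List[str]]:
    # Constructed ranges: the two from the question and the two aligned /27s.
    return {
        "192.168.1.0-192.168.1.32": summarize("192.168.1.0", "192.168.1.32"),
        "192.168.1.33-192.168.1.64": summarize("192.168.1.33", "192.168.1.64"),
        "192.168.1.0-192.168.1.31": summarize("192.168.1.0", "192.168.1.31"),
        "192.168.1.32-192.168.1.63": summarize("192.168.1.32", "192.168.1.63"),
    }


if __name__ == "__main__":
    for label, prefixes in range_demo().items():
        print(f"{label}: {', '.join(prefixes)}")
```

The off-by-one ranges expand to two and six prefixes respectively, while the aligned ranges collapse to a single /27 each; that is usually the sign that the intended boundaries were .0-.31 and .32-.63.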