02-03-2025 11:45 AM
Hi guys, I'm trying to set up a new Palo Alto firewall, a PA 440, for a customer. But they want minimal impact on their network and don't want to change anything, so I proposed setting up a vWire so they change nothing and can benefit from the inspection features of the new Palo box.
Pretty much here's how it kinda looks like:
ISP Router --> Core Switch --> PA 440 --> Existing Firewall --> LAN
Following the official documentation, I set up 2 vWire interfaces with a zone for each and I created a policy to allow everything, with just antivirus and vulnerability profile activated, the idea being I'll tighten it later.
But there is no connectivity to the internet: pings are not responsive and websites don't load. In the monitor logs, I see all requests are allowed, but they all say application is incomplete.
What have I missed?
02-04-2025 12:02 PM
Hello,
Most of the time when I see the application as 'unknown' it's a connectivity issue. Also I would suggest putting the PAN between the existing firewall and the clients so you can see that traffic and build policies on it. Also make sure your policy(ies) allow traffic in both directions.
02-25-2025 05:24 AM
Just to give a quick update: in the end I added the VLAN tags to the vWire, and also had to create a Zone Protection Profile and set TCP Non-SYN Packet rejection to No. Apparently it is an asymmetric routing issue, see this KB for details: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0
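
An added illustration, not part of any post in this thread and not Palo Alto Networks code: a simplified Python model of why a stateful filter that rejects non-SYN TCP breaks connections when routing is asymmetric, and what switching the rejection off changes. It does not reproduce PAN-OS internals; the addresses, the class and function names, and the assumption that the SYN takes a path that does not cross the inspected link are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port) of the sender
    dst: tuple          # (ip, port) of the receiver
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN", "ACK"})
    via_firewall: bool  # does this packet's path cross the inspected link?

class StatefulFilter:
    """Simplified stateful filter (hypothetical model, not PAN-OS internals)."""
    def __init__(self, reject_non_syn):
        self.reject_non_syn = reject_non_syn
        self.sessions = {}  # flow key -> list of flag sets seen for that flow

    def inspect(self, pkt):
        key = frozenset({pkt.src, pkt.dst})  # same key for both directions
        if key not in self.sessions:
            # First packet seen for this flow: with rejection on, only a bare
            # SYN may create a session.
            if pkt.flags != {"SYN"} and self.reject_non_syn:
                return "drop"
            self.sessions[key] = []
        self.sessions[key].append(pkt.flags)
        return "allow"

def handshake(syn_via_fw, synack_via_fw, ack_via_fw):
    # Constructed client and server endpoints for a three-way handshake.
    c, s = ("10.0.0.5", 40000), ("203.0.113.10", 443)
    return [Packet(c, s, frozenset({"SYN"}), syn_via_fw),
            Packet(s, c, frozenset({"SYN", "ACK"}), synack_via_fw),
            Packet(c, s, frozenset({"ACK"}), ack_via_fw)]

def simulate(packets, reject_non_syn):
    fw, verdicts = StatefulFilter(reject_non_syn), []
    for pkt in packets:
        verdict = fw.inspect(pkt) if pkt.via_firewall else "bypass"
        verdicts.append(verdict)
        if verdict == "drop":
            break  # the handshake cannot continue past a dropped packet
    seen = [f for flow in fw.sessions.values() for f in flow]
    return {"verdicts": verdicts,
            "connected": "drop" not in verdicts,
            "fw_saw_full_handshake": seen == [p.flags for p in packets]}

if __name__ == "__main__":
    asym = handshake(syn_via_fw=False, synack_via_fw=True, ack_via_fw=True)
    for setting in (True, False):
        print("reject_non_syn =", setting, simulate(asym, setting))
```

With rejection off the connection completes, but the filter never sees the SYN, so its view of the session stays partial on the asymmetric path.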