Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
- last edited on by
icharkashy
I am setting up a very simple PA200 implementation and all I need at this stage is to be able to contact the Palo update server to update the PanOS. I have the FW plugged in directly from ethernet1/1 to the modem (subnet 192.168.0.1). The gateway is pingable. My machine is connected to the the management interface (172.16.30.35). I have virtual router configured to send all traffic (0.0.0.0/0) out of ethernet1/1. I have an any/any security policy set. I have a NAT rule (I suspect this is the problem) configured to translate the networks to each other (at least that's my intention). I know the issue is something simple but I can't get past it. Any help would be appreciated.
So currently probably the firewall or at least the default-vr has internet access but not your management interface as this one is conected to your computer. The route table of the management plane is completely separated from other dataplane configurations (all the actual firewallinterfaces). In a default configuration the firewall tries to reach everything from the management interface which means the firewalls tries to download updates for example over your computer. I see now two possiblities
In your situation I propose to use possibility 2 and change the sourceinterface for the services that require internet access. If you do this, then a firewallpolicy is required to allow that traffic but as you already have an any-any-allow rule this shouldn't be a problem.
Thanks for your help. I have updated the NAT statement as such. I'm still not getting internet connectivity, though. What other information do you need for us to continue troubleshooting?
Thanks for pointing that out. I have made that correction as well.
This is my NAT.
If still not working then try changing the service route for updates to ethernet1/1... if that works then perhaps an issue before it hits the NAT policy...
If NAT and MGT addresses are correctly populated and ruled out, could it be more basic?
Are you able to verify that you've given the MGT server a reachable DNS server?
Hi. Here is the route table. 192.168.0.43 is the DHCP address of the FW.
My device is at PanOS 8.1.6 so it doesn't have the troubleshooting tools mentioned above.
No, MGT cannot reach a DNS server. I have manually set it to 8.8.8.8 and 9.9.9.9. DNS is pingable from ethernet1/1 but not from MGT
@Mick_Ball Thanks again for your help. Yes, 172.16.30.1/24 is on the trusted interface of the firewall and a member of the same virtual router.
I believe that's my problem; the management interface cannot see the trusted interface.
So currently probably the firewall or at least the default-vr has internet access but not your management interface as this one is conected to your computer. The route table of the management plane is completely separated from other dataplane configurations (all the actual firewallinterfaces). In a default configuration the firewall tries to reach everything from the management interface which means the firewalls tries to download updates for example over your computer. I see now two possiblities
In your situation I propose to use possibility 2 and change the sourceinterface for the services that require internet access. If you do this, then a firewallpolicy is required to allow that traffic but as you already have an any-any-allow rule this shouldn't be a problem.
Thanks for your help. I've added loopback.1 (192.168.0.1/32) to the desired service route but I'm still unable to access the updates server. I tried the other method as well without success.
