Unable to Ping Palo Alto Interface – Connectivity Appears One-Sided


L1 Bithead

We are working with a client who has a network setup where a Palo Alto firewall is connected to a Check Point firewall. The client reports that they are unable to ping the IP address of the Palo Alto firewall's interface ethernet1/8.

Troubleshooting Steps Performed:

  1. Initial Test Between Firewalls:

    • The Palo Alto firewall is connected to the Check Point firewall via interface ethernet1/8 (on Palo Alto) to ethernet1/13 (on Check Point).

    • We are unable to ping the Palo Alto interface IP (ethernet1/8) from the Check Point firewall.

    • However, traffic is confirmed to be flowing through this interface (via monitoring/logs), indicating Layer 2/3 connectivity is at least partially functional.

  2. Direct Laptop Connection for Testing:

    • A laptop was connected directly to the Palo Alto ethernet1/8 interface and configured with an IP in the same subnet.

    • The laptop was unable to ping the interface IP of ethernet1/8.

  3. Check Point Verification:

    • The same laptop was then connected to the Check Point interface ethernet1/13 and could successfully ping the Check Point firewall IP, confirming the laptop’s configuration and connectivity are fine.

    • This suggests the issue lies with the Palo Alto firewall interface, not the cabling or endpoint.

  4. Testing with Alternate Interface:

    • We assigned a new subnet to a different Palo Alto interface (ethernet1/5) and connected the laptop directly.

    • The result was the same – the interface was not responding to pings, despite being up and assigned a valid IP.

Additional Information:

  • Ping response (Management Profile) is enabled on both interfaces (ethernet1/8 and ethernet1/5) as confirmed in the Palo Alto configuration.

  • Physical interfaces are up, and traffic is observed as passing on ethernet1/8 toward the Check Point firewall.

  • The issue is not related to routing, as the laptop is in the same subnet and connected directly.

Suspicion:

We suspect there may be additional, unreported configuration changes made by the client (possibly security rules or zones affecting ICMP traffic) which are impacting the expected behavior. However, we currently do not have visibility into the full policy or security rulebase applied.

 

Has anyone encountered a similar issue where Palo Alto interfaces are up and passing traffic but do not respond to pings even with ping enabled?

  • Any suggestions on commands or logs we can check (e.g., debug, flow basic, etc.) to help isolate this issue further?

BR

zhd

3 REPLIES

Community Team Member

Hi @jahidur27 ,

 

Is ping allowed by security policy ?

 

The default security policy allows all traffic within the same zone (intrazone-default rule) but drops all traffic between different zones (interzone-default rule). Therefore, a ping from a directly connected laptop to a firewall interface should be allowed by default.

However, this access will be blocked if you have a custom "deny all" rule placed above the default intrazone-default rule. This more restrictive posture ensures only explicitly permitted intra-zone traffic can flow, but it also renders the default rule ineffective.

 

Hope this helps,

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
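To make the reply above concrete, here is a constructed model (added here, not code from the thread or from PAN-OS) of the two checks that decide whether an interface answers a ping: the interface's Management Profile must permit ping, and the ICMP flow from the laptop's zone to the interface's zone must hit an allow rule under first-match policy evaluation, with intrazone-default (allow) and interzone-default (deny) at the bottom of the rulebase. The zone names, rule names and both sample rulebases are assumptions; the second rulebase shows the custom "deny all" case Kim describes.

```python
"""Simplified model of PAN-OS ping handling on a dataplane interface.

Constructed example for illustration; it is not PAN-OS code and models
only management-profile ping permission plus first-match security policy.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Interface:
    name: str
    zone: str
    ping_enabled: bool  # "Ping" checkbox in the attached Management Profile


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    from_zones: List[str] = field(default_factory=lambda: ["any"])
    to_zones: List[str] = field(default_factory=lambda: ["any"])
    apps: List[str] = field(default_factory=lambda: ["any"])

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        return (("any" in self.from_zones or src_zone in self.from_zones)
                and ("any" in self.to_zones or dst_zone in self.to_zones)
                and ("any" in self.apps or app in self.apps))


# Implicit rules at the bottom of every rulebase (default actions).
INTRAZONE_DEFAULT = Rule("intrazone-default", "allow")
INTERZONE_DEFAULT = Rule("interzone-default", "deny")


def first_match(rules: List[Rule], src_zone: str, dst_zone: str,
                app: str = "ping") -> Rule:
    """Top-down first-match evaluation, falling through to the defaults."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule
    return INTRAZONE_DEFAULT if src_zone == dst_zone else INTERZONE_DEFAULT


def ping_interface(iface: Interface, src_zone: str,
                   rules: List[Rule]) -> Tuple[bool, str]:
    """Return (answered, reason) for a ping sent to iface's own IP."""
    if not iface.ping_enabled:
        return False, f"management profile on {iface.name} does not permit ping"
    rule = first_match(rules, src_zone, iface.zone)
    if rule.action != "allow":
        return False, f"blocked by security rule '{rule.name}'"
    return True, f"allowed by security rule '{rule.name}'"


def shadowing_denies(rules: List[Rule], zone: str) -> List[str]:
    """Names of explicit deny rules that would catch intra-zone ping in zone."""
    return [r.name for r in rules
            if r.action == "deny" and r.matches(zone, zone, "ping")]


# Constructed sample data (assumed zone and rule names).
ETH1_8 = Interface("ethernet1/8", "untrust", ping_enabled=True)
ETH1_5 = Interface("ethernet1/5", "dmz", ping_enabled=False)

# Rulebase with only an ordinary cross-zone allow: same-zone ping falls
# through to intrazone-default and is answered.
CLEAN_RULEBASE = [Rule("allow-outbound", "allow", ["trust"], ["untrust"])]

# Rulebase with a custom "deny all" above the defaults: it matches first,
# so intrazone-default never gets a chance to allow the ping.
DENY_ALL_RULEBASE = [Rule("allow-outbound", "allow", ["trust"], ["untrust"]),
                     Rule("deny-all", "deny")]

if __name__ == "__main__":
    for label, rb in (("clean", CLEAN_RULEBASE), ("deny-all", DENY_ALL_RULEBASE)):
        print(label, ping_interface(ETH1_8, "untrust", rb))
        print(label, "shadowing denies:", shadowing_denies(rb, "untrust"))
    print("eth1/5", ping_interface(ETH1_5, "dmz", CLEAN_RULEBASE))
```

The `shadowing_denies` check is the one worth running against a real export of the rulebase: any deny whose source and destination zones both include the laptop's zone, and whose application includes ping (or any), sits above intrazone-default and explains a silent drop even when the Management Profile is correct.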

we checked that we didn't create any custom "deny all" rule placed above the default intrazone-default rule.

zhd