Me again. I can ping the untrust zone, i.e. ethernet1/2 (192.168.120.21), from the Linux machine, but when I try to ping the trust zone (172.16.10.2) the Linux console shows the message "Time to live exceeded". If I change the IP of the Linux PC from 192.168.120.9 to 172.16.10.20 and try to ping the untrust zone or the trust zone, the result is a failure. Trying to access the internet from the Linux PC also fails. So I do not know whether I am missing some configuration in the firewall or in my vSphere setup. This is the running config: admin@fw01> show config running config { mgt-config { users { admin { phash fnRL/G5lXVMug; permissions { role-based { superuser yes; } } } } } shared { application; application-group; service; service-group; botnet { configuration { http { dynamic-dns { enabled yes; threshold 5; } malware-sites { enabled yes; threshold 5; } recent-domains { enabled yes; threshold 5; } ip-domains { enabled yes; threshold 10; } executables-from-unknown-sites { enabled yes; threshold 5; } } other-applications { irc yes; } unknown-applications { unknown-tcp { destinations-per-hour 10; sessions-per-hour 10; session-length { maximum-bytes 100; minimum-bytes 50; } } unknown-udp { destinations-per-hour 10; sessions-per-hour 10; session-length { maximum-bytes 100; minimum-bytes 50; } } } } report { topn 100; scheduled yes; } } } devices { localhost.localdomain { network { interface { ethernet { ethernet1/1 { layer3 { ipv6 { neighbor-discovery { router-advertisement { enable no; } } } ndp-proxy { enabled no; } ip { 172.16.10.2; } lldp { enable no; } interface-management-profile "mgm profile"; } comment trust; } ethernet1/2 { layer3 { ipv6 { neighbor-discovery { router-advertisement { enable no; } } } ndp-proxy { enabled no; } ip { 192.168.120.21; } lldp { enable no; } interface-management-profile "mgm profile"; } comment untrust; } } } profiles { monitor-profile { default { interval 3; threshold 5; action wait-recover; } } interface-management-profile { "mgm profile" { https yes; 
ssh yes; ping yes; } } } ike { crypto-profiles { ike-crypto-profiles { default { encryption [ aes-128-cbc 3des]; hash sha1; dh-group group2; lifetime { hours 8; } } Suite-B-GCM-128 { encryption aes-128-cbc; hash sha256; dh-group group19; lifetime { hours 8; } } Suite-B-GCM-256 { encryption aes-256-cbc; hash sha384; dh-group group20; lifetime { hours 8; } } } ipsec-crypto-profiles { default { esp { encryption [ aes-128-cbc 3des]; authentication sha1; } dh-group group2; lifetime { hours 1; } } Suite-B-GCM-128 { esp { encryption aes-128-gcm; authentication none; } dh-group group19; lifetime { hours 1; } } Suite-B-GCM-256 { esp { encryption aes-256-gcm; authentication none; } dh-group group20; lifetime { hours 1; } } } global-protect-app-crypto-profiles { default { encryption aes-128-cbc; authentication sha1; } } } } qos { profile { default { class { class1 { priority real-time; } class2 { priority high; } class3 { priority high; } class4 { priority medium; } class5 { priority medium; } class6 { priority low; } class7 { priority low; } class8 { priority low; } } } } } virtual-router { default { protocol { bgp { enable no; dampening-profile { default { cutoff 1.25; reuse 0.5; max-hold-time 900; decay-half-life-reachable 300; decay-half-life-unreachable 900; enable yes; } } routing-options { graceful-restart { enable yes; } } } } interface [ ethernet1/1 ethernet1/2]; ecmp { algorithm { ip-modulo; } } routing-table { ip { static-route { default-gateway { nexthop { ip-address 192.168.120.1; } bfd { profile None; } interface ethernet1/2; metric 10; destination 0.0.0.0/0; } intranet { nexthop { ip-address 0.0.0.0; } bfd { profile None; } interface ethernet1/2; metric 10; destination 192.168.120.0/24; } } } } } } } deviceconfig { system { ip-address 192.168.120.20; netmask 255.255.255.0; update-server updates.paloaltonetworks.com; update-schedule { threats { recurring { weekly { day-of-week wednesday; at 01:02; action download-only; } } } } timezone US/Pacific; service { 
disable-telnet yes; disable-http yes; } hostname fw01; default-gateway 192.168.120.1; dns-setting { servers { primary 8.8.8.8; secondary 200.91.75.5; } } } setting { config { rematch yes; } management { hostname-type-in-syslog FQDN; } auto-mac-detect yes; } } vsys { vsys1 { application; application-group; zone { trust { network { layer3 ethernet1/1; } } untrust { network { layer3 ethernet1/2; } } } service; service-group; schedule; rulebase { security { rules { "allow access to internet" { to untrust; from trust; source any; destination any; source-user any; category any; application any; service any; hip-profiles any; action allow; } "allow access" { to trust; from untrust; source any; destination any; source-user any; category any; application any; service any; hip-profiles any; action allow; } } } nat { rules; } default-security-rules { rules { intrazone-default { action allow; log-start no; log-end yes; } } } } import { network { interface [ ethernet1/1 ethernet1/2]; } } } } } } } admin@fw01>