About pulukas

As rmfalconer notes, you also need to assign the redistribution profile to OSPF for it to become active.  Without both steps the local static route will not be redistributed to the rest of the OSPF infrastructure for the return path.   ... View more

In the OSPF configuration, do you have the redistribution rule setup to pull in the static route pointed to the remote site vpn and distribute it down to your "corp" lan for the return path.   ... View more

The lifetime values really should be the same.  You should ask the other side if they are able to set something that is available on the PAN.   Tunnels do sometimes work with different lifetimes set.  But the operations can be inconsistent and have problems like suddently stop passing traffic when one side or the other lifetime expires.   ... View more

There are a few considerations in getting this to work.  You will need to consider both tunnel directions for the traffic routing and make sure the routes installed on both sides do what you wish and that the vpn itself will accept the traffic.   On the routing, the question will be what direction is the traffic initiated.  Are you taking a public address on side A and forwarding requests to this address to a server on site B.  Or are you taking outbound traffic from site B and forwarding this to use the ISP outbound on site A.  For both cases you need to expand the policies inplace at site A and B to allow the traffic flow in the correct direction of initiation of session.   For inbound traffic site A to site B you can set a normal fowarding rule to the address on the existing VPN.  Then add a source nat rule to an address on site A already covered in the VPN.  This won't require any VPN changes and the return traffic will work using the existing tunnel as is.   For the second case you would need to make sure the outbound web addresses on site B point to the tunnel interface of  a route based VPN. You should use the open proxy-id on this vpn if at all possible.  If not the proxy-id pairs need to expand to include these public addresses as part of the tunnel. On site A you will need to be sure the outbound source nat rule will cover the address range coming from site B going out that ISP.   ... View more

If the subnet is in the local routing table we can distribute it via a bgp peer.  Is this iBGP or eBGP What is the current redsitribution rules you have on the peering? Where do you see the route learned and where is it missing?   ... View more

The basic setup instructions are outlined in this document.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS0CAK   But the one thing to bear in mind is that you can only control the egress traffic.  And on internet links frequently the issue will be with the ingress traffic being what is overwhelming the pipe.  So while this helps, it won't solve all capacity issues.   ... View more

This is a typical service provider setup expecting a packet based router as the customer device on the site.  The second range would be on the router interface that connects then to the customer firewall (PAN) using that on the WAN firewall port.   As noted the second range is routed to the first ip address.   So you should be able to use the full routed /29 as dnat or snat addresses on the PAN using the first /30 as you are.  And your snat test does validate this.   So there is an error in your security or NAT policy on the PAN.  Verified by the lack of hits with your known traffic.  I would start by confirming the zone to zone assignment for the addresses involved.   ... View more

Yes, that seems to be correct.   What is the less strict address object?   And what does the session logs show for the unexpectedly permitted traffic in the details?   ... View more

What you have there now looks good.  I assume there is also a security policy from trust to untrust allowing the internet access.   If you have a computer you can plug into the service port instead of the PAN and manually configure this information on the NIC. WAN IP:  80.80.169.16/25  (x.x.x.16 is mapped ... on the ISP side...to the PA 220 mac address)  GW:  80.80.169.1   PDNS:  80.80.160.8 SDN:  80.80.160.9   Then test with your ISP.  This removes the firewall from the path and the computer connected on this WAN address should have full internet access.    You mention the ISP is doing mac address locks.  So to do this test they would have to release that and allow the address to be used by the computer.   This will confirm whether the issue is some configuration on the PAN or the service itself not allowing full access.   ... View more

WAN 80.80.169.1 WAN GW 80.80.169.16/30  WAN Range P DNS 80.80.160.8 S DNS 80.80.160.9   Are they sure this is correct?  I would expect your gateway to be 80.80.169.17 and the PAN interface 80.80.169.18 since the interface subnet is a 80.80.169.16/30   ... View more

You can't route the same subnet between two virtual routers.  Both will see the subnet as local.   So if you have two interfaces with the same subnet in different VR you would be using NAT to get them to communicate.  And at that point you can go ahead and do the same thing back in the main VR to start with.   Typically I see this request for a server with the same public address as the untrust of the firewall from voice or other applications that don't want any nat applied to their sessions.   ... View more

Yes, in that configuration the server and the external interface will be in the same vlan and broadcast domain so they will respond to arp requests normally.   ... View more

It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces.  This would not be possible to commit on the PAN.   The nat options above are to use an internal subnet on the server side and then nat/proxy arp to connect the ip.   Your other option if you need to keep that public ip on the server is to put two physical interfaces into that external facing subnet and zone with one for the upstream connection and the other for the server.    For this you would move the layer 3 address to a vlan interface and the configure two layer 2 interfaces associated with that vlan.   Here then the server is directly attached to that subnet and your policy controls are then untrust to untrust policies since the server will also be in that same zone.   ... View more

The deployment model is not different for hyper converged versus standard vsphere deployments.  The two main modes are deploying a vm series per host or a vm series per virtual network on the host.  These are described here in the documentation.   https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-a-vm-series-firewall-on-an-esxi-server/supported-deployments-on-vmware-vsphere-hypervisor-esxi   ... View more