This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Druke
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Druke
4Posts
0Likes
0Solutions
Last Visited
User
Activity
User
Profile
Latest posts by Druke
| Subject | Views | Posted |
|---|---|---|
| 6392 | 11-22-2019 02:04 PM | |
| 6414 | 11-22-2019 10:52 AM | |
| 6437 | 11-22-2019 06:39 AM | |
| 6493 | 11-21-2019 01:32 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 11-21-2019 12:14 PM |
| Date Last Visited | |
| Posts | 4 |
11-22-2019
02:04 PM
@ddelcourt Thank you sir! Don't worry, no offense is taken. You were correct, the dumb question was the right one to ask. The test PCs did not have the firewall interface as the default gateway. It's always the simple, stupid thing. I am kicking myself a little bit, but more than that, I'm happy it's fixed! Thanks again, all! Now to secure it!
... View more
11-22-2019
10:52 AM
Hello again, Thanks for the confirmation about the NAT. I got rid of it again. The static route back to 192.0... I've tried both ways actually. With a route back and without. I just put in the route exactly as you specified, with no change. One thing I am noticing, which is starting to raise some red flags for me, is when I look at the routing table, both static routes are listed as Static only. They are NOT active. There ARE two routes that are listed as Active and Connect, and they are taking the same subnets with a next hop of .100...the interface addresses. Edit for the following picture add
... View more
11-22-2019
06:39 AM
Hello @OtakarKlier and thanks for the quick reply! To answer your comments: 1) In the actions section of the security policy, I have them both set to log at the start and the end (overkill, but being as frazzled by this as I have been, I didn't want to leave anything to chance). 2) I neglected to put that in my config, but yes, both interfaces have the ping enabled for the management profile. 3) Can you please expound upon the sending traffic out the correct interfaces? I set a default (0.0.0.0/0) static route egress interface set to the correct interface (ethernet1/6 as that's where the 10.50 net is plugged). I have also tried doing the same with two static routes that specifically specify the 192 subnet (interface ethernet1/5) and the 10.50 subnet (interface ethernet1/6). Is there more I need to do in that regard? Also, quick update for all, I've been experimenting with bi-directional source NAT to see if that would help. It has not as of yet. Thanks again!
... View more
11-21-2019
01:32 PM
Hello everyone! I am brand new to Palo Altos and firewalls in general, so I'm sure I have made a couple obvious mistakes, but hope to learn. I have inherited a PA-220 that is now needed to be put in place between us and other connections (no internet). I have followed multiple tutorials, manuals, etc. to try and get this setup to work. The plan is to get the zones connecting and routing correctly, then tighten up security so only the approved things go through. Here's the proposed layout. Right now, I'm just trying to get the two test PCs on the 192.0 zone and the 10.50 zone to ping. I'll add in the 192.168 zone later when I get the first two working. Here's what I know: 1) The security policies are fine. I have tested them on a virtual wire version of the setup (with the two test PCs on one subnet) and the only thing I've changed is making the zones layer 3. 2) The test PCs can ping their interfaces, but no further. (e.g. 192.0.0.90 can ping 192.0.0.100 but NOT 10.50.75.100 or 75.90). 3) When using the console port, I can ping the interfaces from each other, but not any further out. (e.g. 192.0.0.100 can ping 10.50.75.100 but NOT 10.50.75.90). 4.) Also with console port, the interface can ping it's connected pc (e.g. 192.0.0.100 can ping 192.0.0.90). 5.) Traffic gets logged in the monitor for the pinging from the console port, but not from the PCs. It is almost as if the ping request goes to the interface and gets lost. Config: Interfaces: Ethernet1/5 - Layer 3, Management Profile allows Ping, IP Addy 192.0.0.100/24, VR default, tag untagged, vlan none, security zone 192 Ethernet1/6 - Layer 3, Management Profile allows Ping, IP Addy 10.50.75.100/24, VR default, tag untagged, vlan none, security zone 10 Zones: 192 - Layer 3, Interface ethernet1/5 10 - Layer 3, Interface 1/5 Security Policies To10 - Universal, Source Zone 192, Destination Zone 10, Source any, application default, action Allow Back4Test - Universal, Source Zone 10, Destination Zone 192, Source any, application default, action Allow Virtual Router - default Interfaces - ethernet1/5 and ethernet1/6 Static Routes: Default, destination 0.0.0.0/0, Interface ethernet1/6, Next Hop IP Address: 10.50.75.90, Admin default, metric 10, route table unicast. I have tried static routes for the destination subnets and have even put a switch on the 10.50 side to test if the next hop NEEDED to be a device that could complete the routing. I've also tried none for the next hop when I had just the computer there. I am hoping that I am just missing something tiny and simple, but I have no ideas at this point. Please help me fix this so I can stop going insane. Thanks in advance.
... View more
Contact Me
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks