Hello everyone! I am brand new to Palo Altos and firewalls in general, so I'm sure I have made a couple of obvious mistakes, but hope to learn. I have inherited a PA-220 that now needs to be put in place between us and other connections (no internet). I have followed multiple tutorials, manuals, etc. to try to get this setup to work. The plan is to get the zones connecting and routing correctly, then tighten up security so only the approved things go through. Here's the proposed layout. Right now, I'm just trying to get the two test PCs on the 192.0 zone and the 10.50 zone to ping. I'll add in the 192.168 zone later when I get the first two working.

Here's what I know:

1) The security policies are fine. I have tested them on a virtual wire version of the setup (with the two test PCs on one subnet) and the only thing I've changed is making the zones layer 3.
2) The test PCs can ping their interfaces, but no further. (e.g. 192.0.0.90 can ping 192.0.0.100 but NOT 10.50.75.100 or 75.90).
3) When using the console port, I can ping the interfaces from each other, but not any further out. (e.g. 192.0.0.100 can ping 10.50.75.100 but NOT 10.50.75.90).
4) Also with the console port, the interface can ping its connected PC (e.g. 192.0.0.100 can ping 192.0.0.90).
5) Traffic gets logged in the monitor for the pinging from the console port, but not from the PCs. It is almost as if the ping request goes to the interface and gets lost.
Config:

Interfaces:
- Ethernet1/5 - Layer 3, Management Profile allows Ping, IP Addy 192.0.0.100/24, VR default, tag untagged, vlan none, security zone 192
- Ethernet1/6 - Layer 3, Management Profile allows Ping, IP Addy 10.50.75.100/24, VR default, tag untagged, vlan none, security zone 10

Zones:
- 192 - Layer 3, Interface ethernet1/5
- 10 - Layer 3, Interface 1/5

Security Policies:
- To10 - Universal, Source Zone 192, Destination Zone 10, Source any, application default, action Allow
- Back4Test - Universal, Source Zone 10, Destination Zone 192, Source any, application default, action Allow

Virtual Router - default:
- Interfaces - ethernet1/5 and ethernet1/6
- Static Routes: Default, destination 0.0.0.0/0, Interface ethernet1/6, Next Hop IP Address: 10.50.75.90, Admin default, metric 10, route table unicast

I have tried static routes for the destination subnets and have even put a switch on the 10.50 side to test if the next hop NEEDED to be a device that could complete the routing. I've also tried none for the next hop when I had just the computer there. I am hoping that I am just missing something tiny and simple, but I have no ideas at this point. Please help me fix this so I can stop going insane. Thanks in advance.
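As an added example (not part of the original post, and not a Palo Alto tool or PAN-OS syntax), here is a small Python sanity check over the kind of Layer 3 configuration listed above. It models the interfaces, zones, static routes and test PCs and reports the conditions that make transit ping fail even while the firewall's own interfaces can ping their neighbours: an interface assigned to more than one zone or to no zone, a static-route next hop that is not on its egress interface's subnet, and a test PC whose default gateway is not the firewall interface on its own subnet. The interface, zone and route values are taken from the post; the PC gateway values are assumptions, since the post does not state what the PCs use.

```python
import ipaddress

# Constructed model of the setup described in the post. Field layout is this
# example's own; it is not PAN-OS configuration syntax.
INTERFACES = {
    "ethernet1/5": "192.0.0.100/24",
    "ethernet1/6": "10.50.75.100/24",
}

# Zone -> member interfaces, exactly as listed in the post.
ZONES = {
    "192": ["ethernet1/5"],
    "10": ["ethernet1/5"],
}

# Static routes on the virtual router: (destination, egress interface, next hop)
STATIC_ROUTES = [
    ("0.0.0.0/0", "ethernet1/6", "10.50.75.90"),
]

# Test PCs: name -> (address/prefix, default gateway). Gateways are ASSUMED here.
HOSTS = {
    "pc-192": ("192.0.0.90/24", "192.0.0.100"),
    "pc-10": ("10.50.75.90/24", None),
}


def check_zones(interfaces, zones):
    """Each L3 interface must be in exactly one zone; zone-less interfaces
    cannot be matched by a zone-to-zone security policy."""
    findings = []
    owners = {}
    for zone, members in zones.items():
        for ifname in members:
            if ifname not in interfaces:
                findings.append(f"zone {zone}: interface {ifname} does not exist")
            owners.setdefault(ifname, []).append(zone)
    for ifname in interfaces:
        zones_for_if = owners.get(ifname, [])
        if not zones_for_if:
            findings.append(f"{ifname} is not assigned to any zone")
        elif len(zones_for_if) > 1:
            findings.append(f"{ifname} is assigned to more than one zone: {zones_for_if}")
    return findings


def check_routes(interfaces, routes):
    """A static-route next hop must be directly reachable on the egress interface."""
    findings = []
    for dest, egress, next_hop in routes:
        if egress not in interfaces:
            findings.append(f"route {dest}: egress interface {egress} does not exist")
            continue
        net = ipaddress.ip_interface(interfaces[egress]).network
        if next_hop is not None and ipaddress.ip_address(next_hop) not in net:
            findings.append(f"route {dest}: next hop {next_hop} is not on {egress} ({net})")
    return findings


def check_hosts(interfaces, hosts):
    """For transit traffic, each PC must hand off-subnet packets to the firewall
    interface on its own subnet; otherwise the ping never reaches the dataplane
    as routed traffic and no traffic log is produced."""
    findings = []
    fw_addrs = [ipaddress.ip_interface(a) for a in interfaces.values()]
    for name, (addr, gw) in hosts.items():
        host = ipaddress.ip_interface(addr)
        local_fw = [a for a in fw_addrs if a.ip in host.network]
        if not local_fw:
            findings.append(f"{name}: no firewall interface on {host.network}")
        elif gw is None:
            findings.append(f"{name}: no default gateway; it cannot reach other subnets")
        elif ipaddress.ip_address(gw) != local_fw[0].ip:
            findings.append(f"{name}: gateway {gw} is not the firewall interface {local_fw[0].ip}")
    return findings


def run_all(interfaces=INTERFACES, zones=ZONES, routes=STATIC_ROUTES, hosts=HOSTS):
    """Return every finding from the three checks, in order."""
    return (check_zones(interfaces, zones)
            + check_routes(interfaces, routes)
            + check_hosts(interfaces, hosts))


if __name__ == "__main__":
    for line in run_all():
        print("FINDING:", line)
```

Run on the values as modelled, it reports that ethernet1/5 belongs to two zones, that ethernet1/6 belongs to none, and that the assumed 10.50 PC has no gateway; the default route passes because its next hop sits on ethernet1/6's subnet. On the firewall itself, the corresponding checks are the zone column of `show interface all`, `test routing fib-lookup virtual-router default ip <destination>` for the egress lookup, and `test security-policy-match` for the policy decision.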