Hi there. I have a PA-200. The internal net is 192.168.0.0/24 on eth1/2; the inside L3 interface (default gw) is 192.168.0.254. One external IP address is used for the outside interface, eth1/1.

For connections to the Internet I typically use the inside-outside pair with:
1. NAT: a dynamic-ip-and-port rule translating to the outside interface address.
2. Security policy: "allow from inside to outside, any destination address".

Now I need to provide access to an FTP server. I created a DMZ interface, eth1/3, 172.16.0.254/24. The FTP server is directly connected to the DMZ port and has IP 172.16.0.1. For this scenario I created:
1. NAT: bi-directional between the FTP server and outside.
2. Security policy for outside and DMZ.

What do I do as the next step to provide a connection between inside and DMZ? I created security policies allowing inside-dmz (to 172.16.0.0/24) and dmz-inside (to 192.168.0.0/24). If I ping 172.16.0.1 from 192.168.0.1, I see that all packets match the first NAT rule, "inside to outside", which is the wrong way. What is wrong in my steps? How can I exclude traffic from the "default" NAT rule? Although I tried creating a no-NAT rule, it did not work. Thanks for the help.
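The rule-ordering problem described in the post, as an added example that is not part of the original post and is not PAN-OS code: a small Python model of first-match, top-down NAT policy evaluation in which the destination zone is derived from a route lookup on the pre-NAT destination address, which is how PAN-OS determines the destination zone for NAT policy. The addresses and zones come from the post; the routing table, the rule names, the `to any` scope in the first rulebase and the translation labels are constructed assumptions. It walks the same inside-to-DMZ ping through three rulebases: the Internet rule written with destination zone `any` (it swallows the DMZ traffic), the same rule scoped to the outside zone (nothing matches, so nothing is translated), and an explicit no-NAT rule placed above the Internet rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed routing table for the topology in the post. The default route
# pointing into the outside zone is an assumption, not something the post states.
ROUTES = [
    ("192.168.0.0/24", "inside"),
    ("172.16.0.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),
]


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup; the egress interface's zone is the destination zone."""
    addr = ipaddress.ip_address(ip)
    best_len, best_zone = -1, "unknown"
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_zone = net.prefixlen, zone
    return best_zone


@dataclass
class NatRule:
    name: str
    from_zone: str               # zone name or "any"
    to_zone: str                 # zone name or "any"; compared with the route-derived zone
    source: str                  # CIDR or "any"
    destination: str             # CIDR or "any"
    translation: Optional[str]   # None means a no-NAT rule: it matches but translates nothing


def _addr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def match_nat(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """First match wins, top-down. Returns (rule name, translation), or (None, None) if no rule matches."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    for r in rules:
        if (r.from_zone in ("any", src_zone) and r.to_zone in ("any", dst_zone)
                and _addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)):
            return r.name, r.translation
    return None, None


DYN_OUT = "dynamic-ip-and-port -> ethernet1/1 address"   # label only (assumed)
FTP_STATIC = NatRule("FTP-Static", "dmz", "outside", "172.16.0.1", "any", "static-ip (bi-directional)")

# Rulebase A: the Internet rule is written "to any", so it also catches inside -> dmz traffic.
RULEBASE_TO_ANY = [
    NatRule("Inside-to-Internet", "inside", "any", "192.168.0.0/24", "any", DYN_OUT),
    FTP_STATIC,
]

# Rulebase B: the same rule scoped to the outside zone; inside -> dmz then matches nothing.
RULEBASE_SCOPED = [
    NatRule("Inside-to-Internet", "inside", "outside", "192.168.0.0/24", "any", DYN_OUT),
    FTP_STATIC,
]

# Rulebase C: an explicit no-NAT rule placed ABOVE the Internet rule; position is what matters.
RULEBASE_NO_NAT = [
    NatRule("Inside-to-DMZ-NoNAT", "inside", "dmz", "192.168.0.0/24", "172.16.0.0/24", None),
    NatRule("Inside-to-Internet", "inside", "any", "192.168.0.0/24", "any", DYN_OUT),
    FTP_STATIC,
]


def evaluate(rules: List[NatRule]) -> dict:
    """Run the flows from the post through a rulebase. 203.0.113.10 is a constructed Internet host."""
    return {
        "inside->dmz": match_nat(rules, "192.168.0.1", "172.16.0.1"),
        "inside->internet": match_nat(rules, "192.168.0.1", "203.0.113.10"),
        "dmz->internet": match_nat(rules, "172.16.0.1", "203.0.113.10"),
    }


if __name__ == "__main__":
    for label, rb in (("to-any", RULEBASE_TO_ANY), ("scoped", RULEBASE_SCOPED), ("no-nat-first", RULEBASE_NO_NAT)):
        print(label, evaluate(rb))
```

Two points the model makes concrete: a no-NAT rule only helps if it sits above the rule it is meant to pre-empt, since evaluation stops at the first match; and if the Internet rule is scoped to destination zone outside rather than any, inside-to-DMZ traffic never reaches it in the first place, because the route lookup for 172.16.0.1 lands in the dmz zone. On the firewall itself the equivalent check is the `test nat-policy-match` CLI command, which reports which NAT rule a given source, destination and zone pair would hit.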
Good day! Who knows and can help: is there a working scenario with an NGFW PA-220, local users, GlobalProtect and Duo 2FA (without AD, RADIUS, LDAP, etc.) for a small user group (like 10 VPN members)? I believe it can be done in a very simple way, but I have not found information about it or a configuration example.

https://community.duo.com/t/paloalto-globalprotect-portal-with-duo-and-localuser-scenario-without-ad/6315
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-multi-factor-authentication.html
https://help.duo.com/s/article/4254?language=en_US
https://www.reddit.com/r/paloaltonetworks/comments/9uq5os/globalprotect_and_duo_native_mfa/

Thanks.