02-07-2024 01:42 PM
I'm trying to set up a PA-820 from scratch, but would like to update and set up rules before placing it on top of our network. Currently it is set up as a DHCP client, parallel to our office router, connected upstream to a Charter AP and modem (for some reason, this is the only way they'll give us a static IP and a high speed connection to the internet). The AP is the gateway with an IP of 192.168.1.1, which I can ping from the DHCP assigned IP of 192.168.1.53 from the management interface, which I changed to 192.168.0.2. However, I can't ping anything else above that. Attached are the interfaces and security rules. Can anyone take a look at this and help?
show interface all
total configured hardware interfaces: 5
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 1000/full/up 60:15:2b:67:14:10
ethernet1/2 17 ukn/ukn/down(autoneg) 60:15:2b:67:14:11
ethernet1/3 18 ukn/ukn/down(autoneg) 60:15:2b:67:14:12
dedicated-ha1 5 ukn/ukn/ukn(autoneg) 60:15:2b:67:14:05
dedicated-ha2 6 ukn/ukn/down(autoneg) 60:15:2b:67:14:06
aggregation groups: 0
total configured logical interfaces: 5
name id vsys zone forwarding tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1 16 1 Untrusted vr:default 0 192.168.1.53/24
ethernet1/2 17 1 Trusted-Office vr:default 0 10.0.0.1/24
ethernet1/3 18 1 Guest Network to vr:default 0 10.0.2.1/24
dedicated-ha1 5 1 ha 0 N/A
dedicated-ha2 6 1 ha 0 N/A
admin@OfficeFW> show rulebase security rules
Invalid syntax.
admin@OfficeFW> configure
Entering configuration mode
[edit]
admin@OfficeFW# show rulebase security rules
rules {
"Allow out" {
profile-setting {
group default;
}
to Untrusted;
from Trusted-Office;
source any;
destination any;
source-user any;
category any;
application any;
service any;
source-hip any;
destination-hip any;
action allow;
log-setting default;
rule-type interzone;
}
}
[edit]
admin@OfficeFW# show routing route
Invalid syntax.
[edit]
admin@OfficeFW# exit
Exiting configuration mode
admin@OfficeFW> show routing route
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 0.0.0.0 10 A S ethernet1/1
192.168.1.0/24 192.168.1.53 0 A C ethernet1/1
192.168.1.53/32 0.0.0.0 0 A H
total routes shown: 3
02-07-2024 11:40 PM
Hello @Altais
Please share connectivity diagram if possible. This will give more clarity.
Also, one query - why did you change the IP to 192.168.0.x? Because I understand that your AP/modem network is 192.168.1.x.
02-08-2024 12:24 PM - edited 02-08-2024 12:25 PM
You'll probably need to NAT your internal IP space to the external IP assigned by the wifi modem using an interface NAT. The cable modem most likely does not know how to return/route the 10.x.x.x or 192.168.0.0/24 network traffic back to the firewall.
If you can get into the cable modem, you can add static routes on the modem to your subnets behind the firewall directly to avoid the NAT.
02-08-2024 12:56 PM
Hello,
Are you sourcing your ping from the management interface? What do the logs show? Most likely causes:
1. Security policy incorrect
2. Nat policy incorrect
3. Missing routes in virtual router.
Setting all policies to log at session end should allow you to see all the traffic the data plane sees, allowed and denied.
Regards,
02-08-2024 01:17 PM
Just going to back things off a bit and ask a rather simple question that I'm not seeing, but how are you expecting your MGMT connection to be able to access anything but your laptop when it's directly plugged in? There's nothing in your diagram showing where your MGMT connection is actually plugged into anything, outside of the fact that I'm assuming you have it plugged into your laptop.
Your cable modem isn't going to know how to route traffic to a random 192.168.0.1 client if it doesn't have a route to it, but you're also kind of overcomplicating things with this setup. I personally wouldn't recommend giving your MGMT connection a 192.168.1.0/24 address if you're treating this as your untrust zone. You could pop it into your trust zone and just have it restricted via permitted-ip if you want, or you could just put it in its own dedicated MGMT zone if you wanted to go that route as well. Nothing that you've included in your post (unless I glanced over it) shows that your cable modem or your PA-820 would have any idea how to route that 192.168.0.1 address however.
What's likely happening because of this is that your PA-850 is following your default route to the cable modem, and your cable modem, not having a route, sends that out its default gateway off to Charter. Therefore nothing you're doing from a policy standpoint really matters here, your PA-850 isn't routing the traffic properly.
02-09-2024 12:51 PM
Thanks guys! I think BPry is probably the closest one to the solution, since I can see packets coming in and packets going out, but they're all aging out. What I'm still unclear on is whether software/definition updates can only come in through the management interface, or any interface linked to an appropriate management profile?
02-09-2024 12:56 PM
Take a look at service routes HERE if you want to utilize a dataplane interface instead of the management interface. You don't need to utilize the management interface if you don't want to. You can utilize interface management profiles and service routes if you just want to disconnect your MGMT port completely.
Just keep in mind that if you're going to utilize an interface-management-profile and enable management from a dataplane interface, you want to ensure it's properly secured either by security policy or better through permitted-ip assigned to the profile.
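The interface NAT suggested earlier in the thread and the permitted-ip / service-route advice above, written out as PAN-OS set commands. This is an added example, not configuration posted by anyone in the thread; the rule and profile names, the admin host 10.0.0.10 and the choice of services are assumptions, while the zones, interfaces and addresses come from the OP's output.

```text
# Added example (not from the thread). Source NAT so 10.0.0.0/24 leaves
# ethernet1/1 translated to that interface's own address, which is the
# only address the upstream modem can route back to. The guest zone needs
# an equivalent rule (its full zone name is truncated in the OP's output).
configure
set rulebase nat rules Office-Out from Trusted-Office to Untrusted source 10.0.0.0/24 destination any service any to-interface ethernet1/1
set rulebase nat rules Office-Out source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Weak: a management profile with no permitted-ip lets any host that can
# reach ethernet1/2 try the web UI and SSH.
set network profiles interface-management-profile Allow-Mgmt https yes ssh yes ping yes
# Corrected: restrict it to the admin host (10.0.0.10 is a constructed value).
set network profiles interface-management-profile Allow-Mgmt permitted-ip 10.0.0.10/32
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow-Mgmt

# Service routes so content/software updates and DNS use the dataplane
# untrust interface rather than the MGMT port. The source address must be
# an address configured on that interface; because ethernet1/1 is a DHCP
# client here, this value has to be revisited if the lease changes.
set deviceconfig system route service paloalto-updates source interface ethernet1/1
set deviceconfig system route service paloalto-updates source address 192.168.1.53/24
set deviceconfig system route service dns source interface ethernet1/1
set deviceconfig system route service dns source address 192.168.1.53/24
commit
exit

# Checks: confirm the NAT rule matches, then watch for sessions that now
# complete instead of aging out. 10.0.0.50 / 8.8.8.8 are constructed values.
test nat-policy-match from Trusted-Office to Untrusted source 10.0.0.50 destination 8.8.8.8 protocol 6 destination-port 443
show session all filter source 10.0.0.50
```

With logging at session end enabled on the security rule, the traffic log should show the translated source as 192.168.1.53 once the NAT rule is in place.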