External Connectivity Issue - Palo Alto 7.1.0
Moderator: mike
-
- Posts: 31
- Joined: Sun Sep 03, 2017 2:30 am
External Connectivity Issue - Palo Alto 7.1.0
I am having connectivity issues between my Palo Alto FW. I cannot ping the outside interface (eth1/2) which is connected to Cloud0 and I also cannot ping the inside LAN of my Win node. However if I run the command arp -a on Win machine I see the arp entry of the Palo Alto node IP address and Mac-address.
I am able to ping the mgmt interface of the Palo Alto firewall from my local machine; it is connected to Cloud1, which is connected to a Vmnet2 interface on the eve-ng VM as a host-only adapter.
I think this might have something to do with the Promiscuous Mode setting after reading the following links:
https://live.paloaltonetworks.com/t5/VM ... ta-p/55969
https://www.forwardingflows.net/unetlab ... inux-host/
How can I fix the connectivity (pnet) issues when running the eve-ng VM in VMware Workstation on a Windows 10 host, or do I need to edit the Qemu custom option on the Palo Alto node? -machine type=pc-1.0,accel=kvm -nographic -rtc base=utc
-
- Posts: 409
- Joined: Sun Mar 19, 2017 10:27 pm
Re: External Connectivity Issue - Palo Alto 7.1.0
You need to follow some diagnosis methods.
Palo Alto is a FW, so by default it will deny all traffic.
So can you please test this.
Let's do some tests.
1. From the Internet (DSL), are you able to ping 192.168.226.139? - YES / NO
2. From the Win PC, are you able to ping 192.168.1.10? YES / NO - If the answer is NO, check the switch and make sure all are in one VLAN.
3. You mentioned you are able to ping MGMT; what is the IP address, and how are you connected? Do you have a breakout switch, or are you using the vSwitch of ESXi?
For how to set promiscuous mode, read the article below.
https://www.petenetlive.com/KB/Article/0001276
Once all is fixed, make one rule in the Palo FW to allow ping traffic inside and outside.
R!
-
- Posts: 31
- Joined: Sun Sep 03, 2017 2:30 am
Re: External Connectivity Issue - Palo Alto 7.1.0
1. From the Internet (DSL), are you able to ping 192.168.226.139? - No, I am not able to ping. The Internet cloud in the topology is Cloud0 (Vmnet8) on my local machine.
2. From the Win PC, are you able to ping 192.168.1.10? - NO - and yes, they are all in one VLAN. I have no configuration on the switch at all, just using Layer2.
3. You mentioned you are able to ping MGMT; what is the IP address, and how are you connected? Do you have a breakout switch, or are you using the vSwitch of ESXi? I am using VMware Workstation 12 with the Vmnet2 adapter, which has an IP address of 192.168.62.1, and the Palo Alto mgmt IP is 192.168.62.10. I can ping between these two IPs.
I will read the article about promiscuous mode and see if that helps. I think the fact that I am not familiar with Linux is part of my problem, and I am just trying to learn Palo Alto for the first time, so I will have to find out how to allow ping traffic inside and outside.
-
- Posts: 31
- Joined: Sun Sep 03, 2017 2:30 am
Re: External Connectivity Issue - Palo Alto 7.1.0
I read the link about promiscuous mode, but it was related to ESX and not VMware Workstation 12, which I am using.
-
- Posts: 409
- Joined: Sun Mar 19, 2017 10:27 pm
-
- Posts: 533
- Joined: Wed Mar 15, 2017 1:54 pm
Re: External Connectivity Issue - Palo Alto 7.1.0
On VMware, each adapter assigned to EVE will be used by a pnet interface (in the UI, a Cloud interface).
VMware proposes mainly 2 modes:
bridged
NATed
Be sure to use bridge mode for the internet connection.
E.
-
- Posts: 31
- Joined: Sun Sep 03, 2017 2:30 am
Re: External Connectivity Issue - Palo Alto 7.1.0
@ecze not sure if you saw the topology, but I have the Palo Alto interface connected to my Cloud0 interface, on which I am able to obtain a DHCP address, but I cannot ping the Palo Alto interface from my local machine. If I connect a Cisco switch or router to the Cloud0 interface, I can ping the internet from these devices. Also, the inside LAN of the Palo Alto is connected to a Windows 7 node, and I cannot ping between the two devices, but I figure this must be the Palo Alto blocking ICMP traffic because I can see the IP and MAC address of the Palo Alto interface on the Windows machine when I run the arp -a command from the command prompt. I have no problem pinging the mgmt interface of the Palo Alto device from my local machine though, which is connected to Cloud1 (pnet1). Hope this makes sense. I am new to eve-ng and Palo Alto, so it is taking me some time to understand.
-
- Posts: 31
- Joined: Sun Sep 03, 2017 2:30 am
Re: External Connectivity Issue - Palo Alto 7.1.0
OK, after watching another video I got this to work. @ecze I think I now understand what you meant when you said "each adapter assigned to EVE will be used by a pnet interface (in the UI, a Cloud interface).
VMware proposes mainly 2 modes:
bridged
NATed
Be sure to use bridge mode for the internet connection"
I connected my Palo Alto mgmt and eth1/1 interfaces to my Net cloud0 interface and Palo Alto eth1/2 to my Windows 7 machine. I assigned an IP address on the Palo Alto device management in the same subnet as the vmnet8 NAT interface (cloud0). I have Palo Alto adapters eth1/1 and 1/2 deployed as Layer2 type and created a security policy rule to allow any source/destination from security zones inside and outside. My Windows 7 machine now gets an IP address in the same subnet as my vmnet8 interface and I can ping the internet from the PC. Not sure if this is the safest way to do this, but I am following a video training series, so the instructor will probably guide on how to set up using interfaces as Layer3 types.
Thanks all for the help!!
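An added example, not part of the original posts: the any/any rule described above next to a narrower ping-only pair matching the earlier suggestion to "make one rule in Palo FW to allow Ping traffic inside and outside". The zone names `inside` and `outside` come from the post; the rule names are hypothetical. Only ICMP echo is covered here, so any other traffic the lab needs would require its own rules.

```text
# PAN-OS CLI, configuration mode. Lines starting with # are annotations only.
# Rule names (lab-any-any, ping-in-to-out, ping-out-to-in) are hypothetical.

# Broad form, as described in the post: any application, both directions.
set rulebase security rules lab-any-any from [ inside outside ] to [ inside outside ] source any destination any application any service any action allow

# Narrower form for the connectivity test: remove the broad rule and
# allow only the "ping" application, one rule per direction.
delete rulebase security rules lab-any-any
set rulebase security rules ping-in-to-out from inside to outside source any destination any application ping service application-default action allow
set rulebase security rules ping-out-to-in from outside to inside source any destination any application ping service application-default action allow
commit

# Operational mode: confirm which rules are actually loaded after the commit.
show running security-policy
```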
-
- Posts: 79
- Joined: Wed May 10, 2017 12:11 pm
- Contact:
Re: External Connectivity Issue - Palo Alto 7.1.0
Hi
Do we need Palo Alto VM licences or trial licences to set up a proper Palo Alto LAB on EVE-NG?
I believe traffic does not pass if the Palo Alto VM is not licensed.
Please let me know how you got the Palo Alto working properly.
Mathew