External Connectivity Issue - Palo Alto 7.1.0

KevBonz
Posts: 31
Joined: Sun Sep 03, 2017 2:30 am

External Connectivity Issue - Palo Alto 7.1.0

Post by KevBonz » Thu Sep 21, 2017 7:34 pm

I am having connectivity issues with my Palo Alto FW. I cannot ping the outside interface (eth1/2), which is connected to Cloud0, and I also cannot ping the inside LAN of my Win node. However, if I run the command arp -a on the Win machine I see the ARP entry of the Palo Alto node's IP address and MAC address.

I am able to ping the mgmt interface of the Palo Alto firewall from my local machine, which is connected to Cloud1, which in turn is connected to a Vmnet2 interface on the eve-ng VM as a host-only adapter.

I think this might have something to do with the Promiscuous Mode setting after reading the following links:

https://live.paloaltonetworks.com/t5/VM ... ta-p/55969

https://www.forwardingflows.net/unetlab ... inux-host/


How can I fix the connectivity (pnet) issues when running the eve-ng VM in VMware Workstation on a Windows 10 host, or do I need to edit the Qemu custom options on the Palo Alto node? -machine type=pc-1.0,accel=kvm -nographic -rtc base=utc

ramindia
Posts: 409
Joined: Sun Mar 19, 2017 10:27 pm

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by ramindia » Fri Sep 22, 2017 5:34 am

You need to follow some diagnosis methods.

Palo Alto is a FW, so by default it will deny all traffic.

So can you please test this.

Let's do some tests.

1. From the Internet (DSL), are you able to ping 192.168.226.139? - YES / NO
2. From the Win PC, are you able to ping 192.168.1.10? YES / NO - If the answer is NO, check the switch and make sure all are in one VLAN.
3. You mentioned you are able to ping MGMT; what is the IP address, and how are you connected - do you have a breakout switch or are you using the vSwitch of ESXi?

How to set promiscuous mode: read the article below.

https://www.petenetlive.com/KB/Article/0001276

Once all is fixed, make one rule in the Palo FW to allow Ping traffic inside and outside.

R!
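The test ladder above, together with the original observation that the Win node has an ARP entry for the firewall but gets no echo reply, can be turned into a small triage helper. This is an added example, not code from the thread or from EVE-NG: it parses the Windows "arp -a" output the poster mentioned and classifies each hop into "reachable", "L2 works but L3 is dropped" (ARP resolves, no ping: the firewall's default deny is the usual cause) or "L2 broken" (no ARP entry: VLAN, bridge or promiscuous-mode problem). The ARP sample is constructed; the IP addresses are the ones from the thread, the MAC addresses are made up. The live_ping helper only exists to run the same logic on a real host and is not exercised offline.

```python
import platform
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of Windows "arp -a" output on the Win node. The two
# addresses are the ones discussed in the thread; the MACs are invented.
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-c0-00-08     dynamic
  192.168.1.10          00-1b-17-00-01-10     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP table row: IPv4, MAC (Windows uses '-', accept ':' too), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for unicast entries; broadcast and multicast rows are noise."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, _kind = m.groups()
        first_octet = int(ip.split(".")[0])
        if mac.lower().replace(":", "-") == "ff-ff-ff-ff-ff-ff" or 224 <= first_octet <= 239:
            continue
        entries[ip] = mac.lower()
    return entries


def classify_hop(target: str, arp: Dict[str, str], ping_ok: bool) -> str:
    """Map (ARP entry present?, ping reply?) to the layer that is failing."""
    if ping_ok:
        return "REACHABLE"
    if target in arp:
        # Frames are exchanged on the segment but ICMP gets no reply: the
        # firewall is dropping it (default deny) or has no L3 interface there.
        return "L2_OK_L3_DROPPED"
    # No ARP resolution at all: VLAN mismatch, wrong bridge/pnet, or the
    # host adapter is not passing promiscuous traffic.
    return "L2_BROKEN"


ADVICE = {
    "REACHABLE": "nothing to fix on this hop",
    "L2_OK_L3_DROPPED": "add a security policy allowing ping between the zones",
    "L2_BROKEN": "check VLAN membership, the pnet/Cloud mapping and promiscuous mode",
}


def diagnose_chain(checks: List[Tuple[str, str, str, bool]]) -> List[Tuple[str, str, str]]:
    """checks = [(label, target_ip, arp_output, ping_ok)] -> [(label, verdict, advice)]."""
    out = []
    for label, target, arp_text, ping_ok in checks:
        verdict = classify_hop(target, parse_arp(arp_text), ping_ok)
        out.append((label, verdict, ADVICE[verdict]))
    return out


def live_ping(ip: str) -> bool:
    """Single ICMP echo via the OS ping binary; only used on a real host."""
    count_flag = "-n" if platform.system().lower().startswith("win") else "-c"
    return subprocess.call(["ping", count_flag, "1", ip],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0


if __name__ == "__main__":
    # Offline run over the constructed inputs (ping results are given, not measured).
    for label, verdict, advice in diagnose_chain([
        ("Win PC -> PA inside 192.168.1.10", "192.168.1.10", SAMPLE_ARP, False),
        ("Win PC -> unknown host", "192.168.1.99", SAMPLE_ARP, False),
    ]):
        print(f"{label}: {verdict} ({advice})")
```

Run it on the Win node with the real "arp -a" output and live_ping results to get the same verdicts for each of the three steps above; the order of the ladder matters because an L2_BROKEN result on step 2 makes a firewall rule irrelevant until the segment itself is fixed.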

KevBonz
Posts: 31
Joined: Sun Sep 03, 2017 2:30 am

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by KevBonz » Fri Sep 22, 2017 5:32 pm

1. From the Internet (DSL), are you able to ping 192.168.226.139? - No, I am not able to ping. The Internet cloud in the topology is Cloud0 (Vmnet8) on my local machine.

2. From the Win PC, are you able to ping 192.168.1.10? - NO - and yes, they are all in one VLAN. I have no configuration on the switch at all, just using Layer 2.

3. You mentioned you are able to ping MGMT; what is the IP address, and how are you connected - do you have a breakout switch or are you using the vSwitch of ESXi? I am using VMware Workstation 12 with a Vmnet2 adapter which has the IP address 192.168.62.1, and the Palo Alto Mgmt IP is 192.168.62.10. I can ping between these two IPs.

I will read the article about promiscuous mode and see if that helps. I think that not being familiar with Linux is part of my problem, and I am just trying to learn Palo Alto for the first time, so I will have to find out how to allow Ping traffic inside and outside.

KevBonz
Posts: 31
Joined: Sun Sep 03, 2017 2:30 am

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by KevBonz » Sun Sep 24, 2017 3:53 am

I read the link about promiscuous mode, but it was related to ESX and not VMware Workstation 12, which I am using.

ramindia
Posts: 409
Joined: Sun Mar 19, 2017 10:27 pm

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by ramindia » Sun Sep 24, 2017 8:01 am

KevBonz wrote:
Sun Sep 24, 2017 3:53 am
I read the link about promiscuous mode, but it was related to ESX and not VMware Workstation 12, which I am using.

Do you have any antivirus running? If so, stop it.

If you have Windows 7 or above, it is worth checking the Windows FW.

R!

ecze
Posts: 533
Joined: Wed Mar 15, 2017 1:54 pm

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by ecze » Sun Sep 24, 2017 9:28 am

On VMware, each adapter assigned to EVE will be used by a pnet interface (in the UI, a Cloud interface).

VMware offers mainly 2 modes:

bridged
NATed

Be sure to use bridged mode for the internet connection.

E.

KevBonz
Posts: 31
Joined: Sun Sep 03, 2017 2:30 am

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by KevBonz » Mon Sep 25, 2017 1:45 am

@ecze not sure if you saw the topology, but I have the Palo Alto interface connected to my Cloud0 interface, on which I am able to obtain a DHCP address, but I cannot ping the Palo Alto interface from my local machine. If I connect a Cisco switch or router to the Cloud0 interface I can ping the internet from these devices. Also, the inside LAN of the Palo Alto is connected to a Windows 7 node, and I cannot ping between the two devices, but I figure this must be the Palo Alto blocking ICMP traffic, because I can see the IP and MAC address of the Palo Alto interface on the Windows machine when I run the arp -a command from the command prompt. I have no problem pinging the mgmt interface of the Palo Alto device from my local machine, though, which is connected to Cloud1 (pnet1). Hope this makes sense. I am new to eve-ng and Palo Alto, so it is taking me some time to understand.

KevBonz
Posts: 31
Joined: Sun Sep 03, 2017 2:30 am

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by KevBonz » Mon Sep 25, 2017 10:56 am

OK, after watching another video I got this to work. @ecze I think I now understand what you meant when you said "each adapter assigned to EVE will be used by a pnet interface (in the UI, a Cloud interface).

VMware offers mainly 2 modes:

bridged
NATed

Be sure to use bridged mode for the internet connection."

I connected my Palo Alto mgmt and eth1/1 interface to my Net cloud0 interface and Palo Alto eth1/2 to my Windows 7 machine. I assigned an IP address on the Palo Alto device management in the same subnet as the vmnet8 NAT interface (cloud0). I have Palo Alto adapters eth1/1 and 1/2 deployed as Layer2 type and created a security policy rule to allow any source/destination from the security zones inside and outside. My Windows 7 machine now gets an IP address in the same subnet as my vmnet8 interface, and I can ping the internet from the PC. Not sure if this is the safest way to do this, but I am following a video training series, so the instructor will probably guide on how to set this up using interfaces as Layer3 types.

Thanks all for the help!!
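The working setup described in the post above (management on the vmnet8 subnet, eth1/1 and eth1/2 as Layer2 interfaces, a security policy between the inside and outside zones) can be expressed in PAN-OS configuration-mode CLI. This is an added example written from general PAN-OS CLI knowledge, not the poster's actual configuration and not vendor documentation for the 7.1.0 image: the IP addresses, the zone names, the VLAN object name lab-vlan and the rule names are all assumed, and the lines beginning with # are annotations, not CLI input. It also narrows the poster's any/any rule to a ping-only rule in each direction, which is enough for the tests in this thread; widen the application list deliberately when the lab needs more.

```panos
configure
# Management address on the vmnet8 (cloud0) subnet; addresses are placeholders,
# VMware NAT usually puts its gateway at .2 but check the vmnet8 settings.
set deviceconfig system ip-address 192.168.226.10 netmask 255.255.255.0 default-gateway 192.168.226.2
# Both data-plane interfaces switched at Layer 2 and joined through one VLAN object
# (assumed name lab-vlan) so frames can pass from eth1/2 to eth1/1.
set network interface ethernet ethernet1/1 layer2
set network interface ethernet ethernet1/2 layer2
set network vlan lab-vlan interface [ ethernet1/1 ethernet1/2 ]
# Zone membership: outside towards cloud0, inside towards the Windows 7 node.
set zone outside network layer2 ethernet1/1
set zone inside network layer2 ethernet1/2
# Ping only, in each direction, instead of application any / service any.
set rulebase security rules allow-ping-out from inside to outside source any destination any application ping service application-default action allow
set rulebase security rules allow-ping-in from outside to inside source any destination any application ping service application-default action allow
commit
```

After the commit, the Layer2 interfaces pass the DHCP exchange from the Windows 7 node to the vmnet8 NAT service only if DHCP is also permitted, so if the node stops getting an address under the ping-only rules, add dhcp to the application list of the outbound rule rather than going back to any.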

mathewfer
Posts: 79
Joined: Wed May 10, 2017 12:11 pm

Re: External Connectivity Issue - Palo Alto 7.1.0

Post by mathewfer » Tue Jul 03, 2018 1:01 pm

Hi

Do we need Palo Alto VM licences or trial licenses to setup a proper Palo Alto LAB on EVE-NG?

I believe traffic does not pass if Palo Alto VM is not licenced.

Please let me know how you got the Palo Alto working properly.

Mathew
