
I have a Palo Alto firewall connected to a link that runs 802.1q and the provider has assigned a specific VLAN for us to use.

However I cannot ping the other end of the link, if I replace the Palo Alto firewall with a Cisco Switch it works perfectly.

On the Palo Alto I have configured a layer 3 interface (ethernet1/1) with no IP address, I have then created a sub-interface (ethernet1/1.20), it has an IP address and I have set the tag (20) to be the 802.1q VLAN ID. Attached to this interface is a virtual router with static routes directing all traffic to the destination IP address.

I have cleared all firewall rules and configured a permit all for testing.

When I try and ping the other end of the link I receive ICMP "host unreachable" responses and I can see the firewall allowing the traffic.

Given the Cisco switch works perfectly fine I must be missing something obvious, suggestions appreciated.

ServerMonkey
  • What sort of connectivity is it? Point to point? How have you set the netmask? – NickW Jan 06 '15 at 12:27
  • It's a point-to-point connection with a /30 at each end. Confirmed subnet mask as being correct. – ServerMonkey Jan 06 '15 at 12:44
  • Yeah, that should be correct, when you see the firewall allowing the traffic, are you pinging from a connected workstation? Do you see the traffic going through the 1/1.20 interface? – NickW Jan 06 '15 at 15:44
  • Pinging from the firewall itself and using the source command: ping source host – ServerMonkey Jan 06 '15 at 20:48

1 Answer


The solution to the problem was to assign a security zone to the external interface; once done, I was able to reach the other site. This is due to a default block on inter-zone traffic.

ServerMonkey
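To make the accepted answer concrete, here is an added PAN-OS CLI example (not from the original question or answer) of the sub-interface setup described above, first in the state the asker had (tagged sub-interface with an address and a virtual router, but no zone) and then with the missing zone assignment that the answer identifies as the fix. Addresses are constructed from the 192.0.2.0/30 documentation range; the zone name `untrust`, the virtual router name `default` and the route name `to-provider` are assumptions, and PAN-OS will not forward traffic through a layer 3 interface that belongs to no zone, regardless of how permissive the security policy is.

```text
# --- State before the fix (assumed reconstruction of the asker's config) ---
configure
set network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 192.0.2.1/30
set network virtual-router default interface ethernet1/1.20
set network virtual-router default routing-table ip static-route to-provider destination 0.0.0.0/0 nexthop ip-address 192.0.2.2
# No "set zone ..." line: the sub-interface has no zone, so traffic is dropped
# before any security rule (even a permit-all) is evaluated.
commit

# --- The fix from the answer: put the sub-interface in a security zone ---
configure
set zone untrust network layer3 ethernet1/1.20
commit

# --- Checks from operational mode ---
# The sub-interface should now list a zone instead of an empty field.
show interface ethernet1/1.20
# The zone should list ethernet1/1.20 as a member.
show zone untrust
# Same test the asker ran: source the ping from the sub-interface address.
ping source 192.0.2.1 host 192.0.2.2
```

If the interface still shows no zone after the commit, confirm that the `set zone` line targets the sub-interface (`ethernet1/1.20`) and not the parent `ethernet1/1`; the parent carries no address here and the zone membership must follow the interface that holds the IP.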