I have a PA-220 that is configured with VLAN Interfaces (layer3 SVI), and the physical interfaces are Layer2 interfaces attached to the respective layer2 VLAN. Basically using it as a layer3 switch with firewall filtering. What I am running into now is that devices on the same VLAN cannot communicate with each other on the same subnet. I can arping from hostA to hostB and visa versa, so the layer1 and layer2 path is good. The palo shows absolutely nothing in the logs that the traffic is even occurring. The only indication that the palo is dropping it is the palo packet capture, the drop queue shows the firewall dropping the packets. The default intra-zone rule is to permit. I even overrode the rule to add logging to that rule and it still doesn't log. Any ideas would be much appreciated.
Diagram - https://imgur.com/qVpb6DF
DMZ security zone - VLAN 10 - 192.168.1.0/24
hostA (Intel NUC) - 192.168.1.101 - connected to eth2 on the palo
hostB - 192.168.1.5 - connected to eth3 on the palo
gateway (the palo) - 192.168.1.1
Palo is running version 8.0.10
No comments:
Post a Comment