Palo Interconnect

Network Engineering user
Asked on 2020-04-23 16:54:29
2 answers, 192 views, 0 followers, 1 vote

I am new to Palo Alto Networks. For testing purposes I connected two PA-220s together. I configured IP addresses from the same subnet. To my mind, just like routers, these devices should be able to see each other. I also configured an any-allow policy rule. But I do not see any logs on the Monitor tab, and even the hit count is zero. Is there anything else I should configure?

[Screenshot: PA1]

[Screenshot: PA2]

[Screenshot: rules on both sides]

PA1 configuration

config {
  mgt-config {
    users {
      admin {
        phash $1$qgtctsss$IFjK8.WW68yNGYlZ9ROtV.;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
      Simral {
        permissions {
          role-based {
            superuser yes;
          }
        }
        phash $1$jheglxtv$bjWiIYdQ9p0hG5azX2hDu.;
      }
    }
  }
  shared {
    application;
    application-group;
    service;
    service-group;
    botnet {
      configuration {
        http {
          dynamic-dns {
            enabled yes;
            threshold 5;
          }
          malware-sites {
            enabled yes;
            threshold 5;
          }
          recent-domains {
            enabled yes;
            threshold 5;
          }
          ip-domains {
            enabled yes;
            threshold 10;
          }
          executables-from-unknown-sites {
            enabled yes;
            threshold 5;
          }
        }
        other-applications {
          irc yes;
        }
        unknown-applications {
          unknown-tcp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
          unknown-udp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
        }
      }
      report {
        topn 100;
        scheduled yes;
      }
    }
  }
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet {
            ethernet1/2 {
              aggregate-group ae1;
            }
            ethernet1/3 {
              aggregate-group ae1;
            }
            ethernet1/5 {
              layer3 {
                ipv6 {
                  neighbor-discovery {
                    router-advertisement {
                      enable no;
                    }
                  }
                }
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.20.10;
                }
                lldp {
                  enable no;
                }
              }
            }
            ethernet1/6 {
              layer3 {
                ipv6 {
                  neighbor-discovery {
                    router-advertisement {
                      enable no;
                    }
                  }
                }
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.30.30;
                }
                lldp {
                  enable no;
                }
              }
            }
          }
          loopback {
            units;
          }
          vlan {
            units;
          }
          tunnel {
            units;
          }
          aggregate-ethernet {
            ae1 {
              layer3 {
                ipv6 {
                  neighbor-discovery {
                    router-advertisement {
                      enable no;
                    }
                  }
                }
                lacp {
                  high-availability {
                    use-same-system-mac {
                      enable no;
                    }
                  }
                  transmission-rate slow;
                  enable yes;
                  mode active;
                }
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.10.11;
                }
                lldp {
                  enable no;
                }
              }
              comment Link_To_PA1;
            }
          }
        }
        vlan;
        virtual-wire;
        profiles {
          monitor-profile {
            default {
              interval 3;
              threshold 5;
              action wait-recover;
            }
          }
          interface-management-profile;
        }
        ike {
          crypto-profiles {
            ike-crypto-profiles {
              default {
                encryption [ aes-128-cbc 3des];
                hash sha1;
                dh-group group2;
                lifetime {
                  hours 8;
                }
              }
              Suite-B-GCM-128 {
                encryption aes-128-cbc;
                hash sha256;
                dh-group group19;
                lifetime {
                  hours 8;
                }
              }
              Suite-B-GCM-256 {
                encryption aes-256-cbc;
                hash sha384;
                dh-group group20;
                lifetime {
                  hours 8;
                }
              }
            }
            ipsec-crypto-profiles {
              default {
                esp {
                  encryption [ aes-128-cbc 3des];
                  authentication sha1;
                }
                dh-group group2;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-128 {
                esp {
                  encryption aes-128-gcm;
                  authentication none;
                }
                dh-group group19;
                lifetime {
                  hours 1;
                }
              }
              Suite-B-GCM-256 {
                esp {
                  encryption aes-256-gcm;
                  authentication none;
                }
                dh-group group20;
                lifetime {
                  hours 1;
                }
              }
            }
            global-protect-app-crypto-profiles {
              default {
                encryption aes-128-cbc;
                authentication sha1;
              }
            }
          }
        }
        qos {
          profile {
            default {
              class {
                class1 {
                  priority real-time;
                }
                class2 {
                  priority high;
                }
                class3 {
                  priority high;
                }
                class4 {
                  priority medium;
                }
                class5 {
                  priority medium;
                }
                class6 {
                  priority low;
                }
                class7 {
                  priority low;
                }
                class8 {
                  priority low;
                }
              }
            }
          }
        }
        virtual-router {
          default {
            protocol {
              bgp {
                enable no;
                dampening-profile {
                  default {
                    cutoff 1.25;
                    reuse 0.5;
                    max-hold-time 900;
                    decay-half-life-reachable 300;
                    decay-half-life-unreachable 900;
                    enable yes;
                  }
                }
              }
            }
            interface [ ae1 ethernet1/5 ethernet1/6];
          }
        }
      }
      deviceconfig {
        system {
          ip-address 192.168.1.1;
          netmask 255.255.255.0;
          update-server updates.paloaltonetworks.com;
          update-schedule {
            threats {
              recurring {
                weekly {
                  day-of-week wednesday;
                  at 01:02;
                  action download-only;
                }
              }
            }
          }
          timezone Asia/Baku;
          service {
            disable-telnet yes;
            disable-http yes;
          }
          hostname PA2;
          dns-setting {
            servers {
              primary 8.8.8.8;
              secondary 8.8.4.4;
            }
          }
          ntp-servers {
            primary-ntp-server {
              ntp-server-address time1.google.com;
              authentication-type {
                none;
              }
            }
          }
        }
        setting {
          config {
            rematch yes;
          }
          management {
            hostname-type-in-syslog FQDN;
          }
        }
      }
      vsys {
        vsys1 {
          application;
          application-group;
          zone {
            MGMT {
              network {
                layer3;
              }
            }
            Inside {
              network {
                layer3;
              }
            }
            Outside {
              network {
                layer3;
              }
            }
            DMZ {
              network {
                layer3;
              }
            }
            Interconnect {
              network {
                layer3 [ ae1 ethernet1/5 ethernet1/6];
              }
            }
          }
          service;
          service-group;
          schedule;
          rulebase {
            security {
              rules {
                Test {
                  to any;
                  from any;
                  source any;
                  destination any;
                  source-user any;
                  category any;
                  application any;
                  service application-default;
                  hip-profiles any;
                  action allow;
                }
              }
            }
          }
          import {
            network {
              interface [ ae1 ethernet1/5 ethernet1/6];
            }
          }
        }
      }
    }
  }
}

PA2 configuration

config {
  mgt-config {
    users {
      admin {
        phash $1$codxuhom$xXp//peldZrW.XwtJtgmn0;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
    }
    password-complexity {
      enabled yes;
      minimum-length 8;
    }
  }
  shared {
    application;
    application-group;
    service;
    service-group;
    botnet {
      configuration {
        http {
          dynamic-dns {
            enabled yes;
            threshold 5;
          }
          malware-sites {
            enabled yes;
            threshold 5;
          }
          recent-domains {
            enabled yes;
            threshold 5;
          }
          ip-domains {
            enabled yes;
            threshold 10;
          }
          executables-from-unknown-sites {
            enabled yes;
            threshold 5;
          }
        }
        other-applications {
          irc yes;
        }
        unknown-applications {
          unknown-tcp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
          unknown-udp {
            destinations-per-hour 10;
            sessions-per-hour 10;
            session-length {
              maximum-bytes 100;
              minimum-bytes 50;
            }
          }
        }
      }
      report {
        topn 100;
        scheduled yes;
      }
    }
  }
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet {
            ethernet1/2 {
              aggregate-group ae1;
            }
            ethernet1/3 {
              aggregate-group ae1;
            }
            ethernet1/5 {
              layer3 {
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.20.20;
                }
                lldp {
                  enable no;
                }
              }
            }
            ethernet1/6 {
              layer3 {
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.30.10;
                }
                lldp {
                  enable no;
                }
              }
            }
          }
          loopback {
            units;
          }
          vlan {
            units;
          }
          tunnel {
            units;
          }
          aggregate-ethernet {
            ae1 {
              layer3 {
                lacp {
                  high-availability {
                    use-same-system-mac {
                      enable no;
                    }
                  }
                  transmission-rate slow;
                  enable yes;
                  mode active;
                }
                ndp-proxy {
                  enabled no;
                }
                ip {
                  192.168.10.10;
                }
                lldp {
                  enable no;
                }
              }
            }
          }
        }
        vlan;
        virtual-wire;
        profiles {
          monitor-profile {
            default {
              interval 3;
              threshold 5;
              action wait-recover;
            }
          }
        }
        ike {
          crypto-profiles {
            ike-crypto-profiles;
            ipsec-crypto-profiles;
            global-protect-app-crypto-profiles {
              default {
                encryption aes-128-cbc;
                authentication sha1;
              }
            }
          }
        }
        qos {
          profile {
            default {
              class-bandwidth-type {
                mbps {
                  class {
                    class1 {
                      priority real-time;
                    }
                    class2 {
                      priority high;
                    }
                    class3 {
                      priority high;
                    }
                    class4 {
                      priority medium;
                    }
                    class5 {
                      priority medium;
                    }
                    class6 {
                      priority low;
                    }
                    class7 {
                      priority low;
                    }
                    class8 {
                      priority low;
                    }
                  }
                }
              }
            }
          }
        }
        virtual-router {
          default {
            protocol {
              bgp {
                enable no;
                dampening-profile {
                  default {
                    cutoff 1.25;
                    reuse 0.5;
                    max-hold-time 900;
                    decay-half-life-reachable 300;
                    decay-half-life-unreachable 900;
                    enable yes;
                  }
                }
              }
            }
            interface [ ae1 ethernet1/5 ethernet1/6];
          }
        }
      }
      deviceconfig {
        system {
          ip-address 192.168.1.1;
          netmask 255.255.255.0;
          update-server updates.paloaltonetworks.com;
          update-schedule {
            threats {
              recurring {
                weekly {
                  day-of-week wednesday;
                  at 01:02;
                  action download-only;
                }
              }
            }
          }
          timezone Asia/Baku;
          service {
            disable-telnet yes;
            disable-http yes;
          }
          hostname PA1;
          dns-setting {
            servers {
              primary 8.8.8.8;
              secondary 8.8.4.4;
            }
          }
          ntp-servers {
            primary-ntp-server {
              ntp-server-address time1.google.com;
              authentication-type {
                none;
              }
            }
          }
        }
        setting {
          config {
            rematch yes;
          }
          management {
            hostname-type-in-syslog FQDN;
          }
        }
      }
      vsys {
        vsys1 {
          application;
          application-group;
          zone {
            Outisde {
              network {
                layer3;
              }
            }
            Inside {
              network {
                layer3;
              }
            }
            DMZ {
              network {
                layer3;
              }
            }
            MGMT {
              network {
                layer3;
              }
            }

2 Answers

Network Engineering user

Posted on 2020-05-02 11:24:52

Guys, thanks for your answers. The problem is solved, but I forgot to write it up here. I should have configured a mgmt profile for the interface being pinged, and besides that, I forgot to configure the netmask.

2 votes
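The two root causes the asker reports above (no netmask on the interface IPs, and no management profile on the interface being pinged) can both be checked mechanically against a `show config running` dump in the brace format pasted in the question. What follows is an added example written for this page, not code from the thread or from Palo Alto Networks: a minimal parser for that format plus a linter that flags Layer-3 interfaces whose IP carries no prefix length (PAN-OS installs such an address as a /32 host route, so the peer is never on a connected network) and interfaces that either have no interface management profile or reference one that does not permit ping. The sample config is a constructed, trimmed excerpt of the PA1 dump with the addresses exactly as posted; the profile name `Allow-Ping` in the corrected variant is an assumption.

```python
"""Lint a PAN-OS `show config running` dump for the two mistakes the asker found:
Layer-3 IPs with no prefix length (PAN-OS installs them as /32 host addresses,
so the peer is never on a connected network) and interfaces with no interface
management profile (the firewall does not answer ping without one). Added example."""

def parse_panos(text):
    """Parse `name { ... }`, `key value;`, `key [ a b ];` and `key;` into nested dicts."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                       # open a container node
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                            # close it
            node = stack.pop()
        elif line.endswith(";"):                     # leaf: str, list or None
            key, _, rest = line[:-1].partition(" ")
            rest = rest.strip()
            node[key] = rest.strip("[]").split() if rest.startswith("[") else (rest or None)
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if stack:                                        # e.g. a dump cut off mid-way
        raise ValueError("unbalanced braces")
    return root

def layer3_interfaces(net):
    """Yield (name, layer3 subtree) for ethernet and aggregate-ethernet interfaces."""
    for group in ("ethernet", "aggregate-ethernet"):
        for name, body in (net["interface"].get(group) or {}).items():
            if isinstance(body, dict) and isinstance(body.get("layer3"), dict):
                yield name, body["layer3"]           # LACP members (no layer3) are skipped

def lint(text):
    """Return sorted (interface, problem) pairs; an empty list means both checks pass."""
    net = parse_panos(text)["config"]["devices"]["localhost.localdomain"]["network"]
    profiles = (net.get("profiles") or {}).get("interface-management-profile") or {}
    findings = []
    for name, l3 in layer3_interfaces(net):
        for addr in (l3.get("ip") or {}):
            if "/" not in addr:
                findings.append((name, f"{addr} has no prefix length; PAN-OS installs it as a /32"))
        prof = l3.get("interface-management-profile")
        if prof is None:
            findings.append((name, "no interface-management-profile; ping to this interface is not answered"))
        elif (profiles.get(prof) or {}).get("ping") != "yes":
            findings.append((name, f"profile {prof} does not permit ping"))
    return sorted(findings)

# Constructed excerpt modelled on the PA1 dump in the question, trimmed to the interconnect.
AS_POSTED = """
config {
  devices {
    localhost.localdomain {
      network {
        interface {
          ethernet {
            ethernet1/5 {
              layer3 {
                ip {
                  192.168.20.10;
                }
              }
            }
          }
          aggregate-ethernet {
            ae1 {
              layer3 {
                ip {
                  192.168.10.11;
                }
              }
            }
          }
        }
        profiles {
          interface-management-profile;
        }
      }
    }
  }
}
"""
# The same excerpt after the fix the asker described: /24 prefixes plus a management
# profile that permits ping. The profile name Allow-Ping is an assumption.
FIXES = [
    ("192.168.20.10;", "192.168.20.10/24;"),
    ("192.168.10.11;", "192.168.10.11/24;"),
    ("layer3 {", "layer3 {\n interface-management-profile Allow-Ping;"),
    ("interface-management-profile;", "interface-management-profile {\n Allow-Ping {\n ping yes;\n }\n }"),
]
FIXED = AS_POSTED
for old, new in FIXES:
    FIXED = FIXED.replace(old, new)

if __name__ == "__main__":
    print(*lint(AS_POSTED), sep="\n")
```

Fed the PA2 dump exactly as pasted above, the parser raises `unbalanced braces`, because that dump is cut off inside the zone section; it needs a complete export. The check is deliberately static: it says nothing about whether the peer's address actually falls inside the resulting subnet, which is the next thing to verify once both sides carry a prefix, and it does not cover the second answer's point that the Monitor tab never shows the firewall's own pings in the first place.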

Network Engineering user

Posted on 2020-04-25 00:28:23

I don't think you can see the firewall's own traffic on the Monitor page. The Monitor page is dedicated to traffic passing through the firewall, not traffic generated by the firewall itself. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU6CAK

0 votes
Original page content provided by Network Engineering. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link: https://networkengineering.stackexchange.com/questions/67443
