Palo Alto and 802.1q

Tags: networking, palo-alto-networks

I have a Palo Alto firewall connected to a link that runs 802.1q and the provider has assigned a specific VLAN for us to use.

However, I cannot ping the other end of the link; if I replace the Palo Alto firewall with a Cisco switch it works perfectly.

On the Palo Alto I have configured a layer 3 interface (ethernet1/1) with no IP address. I have then created a sub-interface (ethernet1/1.20); it has an IP address and I have set the tag (20) to be the 802.1q VLAN ID. Attached to this interface is a virtual router with static routes directing all traffic to the destination IP address.

I have cleared all firewall rules and configured a permit all for testing.

When I try to ping the other end of the link I receive ICMP "host unreachable" responses, and I can see the firewall allowing the traffic.

Given that the Cisco switch works perfectly fine, I must be missing something obvious; suggestions appreciated.

Best Answer

The solution to the problem was to assign a security zone to the external interface; once done, I was able to reach the other site. This is due to a default block on inter-zone traffic.
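The configuration described in the question and the fix from the answer, written out as PAN-OS CLI `set` commands. This is an added example, not configuration posted by the asker or the answerer. The addresses (203.0.113.2/30 on our side, 203.0.113.1 at the provider), the zone name `untrust`, the route name `to-provider` and the single-vsys layout (`vsys1`, virtual router `default`) are assumptions chosen for illustration; substitute your own.

```panos
configure

# Parent interface: Layer 3, no address of its own (it only carries the tagged sub-interface).
set network interface ethernet ethernet1/1 layer3

# 802.1q sub-interface: the "tag" is the VLAN ID the provider assigned (20 in the question).
# 203.0.113.2/30 is an assumed address for this example.
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 203.0.113.2/30

# Make the sub-interface known to the vsys (single-vsys systems usually do this automatically).
set vsys vsys1 import network interface ethernet1/1.20

# Attach the sub-interface to the virtual router and add the static route
# towards the provider's next hop (203.0.113.1 is assumed).
set network virtual-router default interface ethernet1/1.20
set network virtual-router default routing-table ip static-route to-provider destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1.20

# The step the question was missing: put the sub-interface in a security zone.
# Without a zone the interface has no place in the policy lookup, and the
# "allow any" test rule never matches the traffic.
set zone untrust network layer3 ethernet1/1.20

# Permit-all test rule, as in the question; scope it to real zones before going live.
set rulebase security rules test-allow-all from any to any source any destination any application any service any action allow

commit
exit

# Checks from operational mode: confirm the zone shows up on the interface,
# that the route is installed, and that pings sourced from the data-plane
# address (not the management interface) succeed.
show interface ethernet1/1.20
show routing route
ping source 203.0.113.2 host 203.0.113.1
```

If the ping still fails after the commit, `show counter global filter delta yes severity drop` run while a ping is in flight will show which drop counter is incrementing; an interface with no zone typically surfaces there before anything appears in the traffic log.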