我是 PaloAlto 网络的新手。出于测试目的,我将两台 PA-220 相互连接。我从同一子网配置了 IP 地址。对我来说,就像路由器一样,这些设备应该可以互相看到。我还配置了任何任何允许策略规则。但我在监视器选项卡上看不到任何日志,即使命中计数为零。有什么我应该配置的吗?
PA1
PA2
双方规则
PA1 配置
config {
mgt-config {
users {
admin {
phash $1$qgtctsss$IFjK8.WW68yNGYlZ9ROtV.;
permissions {
role-based {
superuser yes;
}
}
}
Simral {
permissions {
role-based {
superuser yes;
}
}
phash $1$jheglxtv$bjWiIYdQ9p0hG5azX2hDu.;
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/2 {
aggregate-group ae1;
}
ethernet1/3 {
aggregate-group ae1;
}
ethernet1/5 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.20.10;
}
lldp {
enable no;
}
}
}
ethernet1/6 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.30.30;
}
lldp {
enable no;
}
}
}
}
loopback {
units;
}
vlan {
units;
}
tunnel {
units;
}
aggregate-ethernet {
ae1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
lacp {
high-availability {
use-same-system-mac {
enable no;
}
}
transmission-rate slow;
enable yes;
mode active;
}
ndp-proxy {
enabled no;
}
ip {
192.168.10.11;
}
lldp {
enable no;
}
}
comment Link_To_PA1;
}
}
}
vlan;
virtual-wire;
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
interface-management-profile;
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
}
}
interface [ ae1 ethernet1/5 ethernet1/6];
}
}
}
deviceconfig {
system {
ip-address 192.168.1.1;
netmask 255.255.255.0;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone Asia/Baku;
service {
disable-telnet yes;
disable-http yes;
}
hostname PA2;
dns-setting {
servers {
primary 8.8.8.8;
secondary 8.8.4.4;
}
}
ntp-servers {
primary-ntp-server {
ntp-server-address time1.google.com;
authentication-type {
none;
}
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
MGMT {
network {
layer3;
}
}
Inside {
network {
layer3;
}
}
Outside {
network {
layer3;
}
}
DMZ {
network {
layer3;
}
}
Interconnect {
network {
layer3 [ ae1 ethernet1/5 ethernet1/6];
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules {
Test {
to any;
from any;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
}
}
import {
network {
interface [ ae1 ethernet1/5 ethernet1/6];
}
}
}
}
}
}
}
PA2 配置
config {
mgt-config {
users {
admin {
phash $1$codxuhom$xXp//peldZrW.XwtJtgmn0;
permissions {
role-based {
superuser yes;
}
}
}
}
password-complexity {
enabled yes;
minimum-length 8;
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/2 {
aggregate-group ae1;
}
ethernet1/3 {
aggregate-group ae1;
}
ethernet1/5 {
layer3 {
ndp-proxy {
enabled no;
}
ip {
192.168.20.20;
}
lldp {
enable no;
}
}
}
ethernet1/6 {
layer3 {
ndp-proxy {
enabled no;
}
ip {
192.168.30.10;
}
lldp {
enable no;
}
}
}
}
loopback {
units;
}
vlan {
units;
}
tunnel {
units;
}
aggregate-ethernet {
ae1 {
layer3 {
lacp {
high-availability {
use-same-system-mac {
enable no;
}
}
transmission-rate slow;
enable yes;
mode active;
}
ndp-proxy {
enabled no;
}
ip {
192.168.10.10;
}
lldp {
enable no;
}
}
}
}
}
vlan;
virtual-wire;
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles;
ipsec-crypto-profiles;
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class-bandwidth-type {
mbps {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
}
}
interface [ ae1 ethernet1/5 ethernet1/6];
}
}
}
deviceconfig {
system {
ip-address 192.168.1.1;
netmask 255.255.255.0;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone Asia/Baku;
service {
disable-telnet yes;
disable-http yes;
}
hostname PA1;
dns-setting {
servers {
primary 8.8.8.8;
secondary 8.8.4.4;
}
}
ntp-servers {
primary-ntp-server {
ntp-server-address time1.google.com;
authentication-type {
none;
}
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
Outisde {
network {
layer3;
}
}
Inside {
network {
layer3;
}
}
DMZ {
network {
layer3;
}
}
MGMT {
network {
layer3;
}
}