Suppose you want to verify if your packet actually reach the untrust interface of Palo Alto Network firewall, you can let the untrust interface of the firewall to send echo reply by using set network profiles interface-management-profile command.
admin@PA-5050> configure Entering configuration mode [edit] admin@PA-5050# set network profiles interface-management-profile icmp-profile ping yes [edit] admin@PA-5050#
Firewall policy will not influence the firewall to send echo reply back to the originator.
[edit]
admin@PA-5050# show network profiles interface-management-profile
interface-management-profile {
icmp-profile {
http no;
https no;
ssh no;
snmp no;
ping yes;
response-pages no;
telnet no;
}
}
[edit]
admin@PA-5050#
Note that icmp-profile is a name of the profile which you have chosen, you can choose any name you like as long as it makes sense to you.
cyruslab 