Allow Ping and Traceroute to Prisma SD-WAN ION

One way to know whether your configurations have gone right is if you can ping certain IP addresses. When I was migrating a network to a Palo Alto Networks Prisma SD-WAN ION, I wanted to ensure it had network connectivity.

The way I had planned to do that was by pinging the public IP address of the Prisma Ion appliance. I started to sweat when I couldn’t ping the IP. But I knew there was network connectivity when devices on the network were able to access the internet.

By default, the Prisma SD-WAN ION doesn’t respond to ping or traceroute. There’s a Device Management Policy that needs to have ping and traceroute allowed.

When you log into the CloudGenix portal, our URL will be https://portal.hood.cloudgenix.com/#home

Change home to advanced and hit Enter. You’ll land on a hidden menu.

**Note: The new URL will be https://portal.hood.cloudgenix.com/sdwan/manage/advanced
Thank you to Joe, in the comments, for providing this update.

You can take a look at all the options but right now I’m more interested in allowing Ping and Traceroute.

Click on Device Management Policy

Select your Site and click Done.

Now select your Element. An element is an ION.

Then select the Internet interface on that ION. I selected my Internet and bypass pair.

Then click on GET

You’ll see there is no device management policy for this interface. We’re going to create one.

In the empty Name field, type in ALLOW_PING_TRACEROUTE

In the empty prefix text box, type in the prefix you will allow Ping and Traceroute from. I’m allowing it from any with 0.0.0.0/0.

In the App drop down box, select Ping.

In the Action drop down box, select Allow.

Do the same for Traceroute in the next line.

Click Submit.

You should now be able to Ping and Traceroute the public IP of your CloudGenix ION.