One way to know whether your configurations have gone right is if you can ping certain IP addresses. When I was migrating a network to a Palo Alto Networks Prisma SD-WAN ION, I wanted to ensure it had network connectivity.
The way I had planned to do that was by pinging the public IP address of the Prisma Ion appliance. I started to sweat when I couldn’t ping the IP. But I knew there was network connectivity when devices on the network were able to access the internet.
By default, the Prisma SD-WAN ION doesn’t respond to ping or traceroute. There’s a Device Management Policy that needs to have ping and traceroute allowed.
When you log into the CloudGenix portal, our URL will be https://portal.hood.cloudgenix.com/#home
Change home to advanced and hit Enter. You’ll land on a hidden menu.
**Note: The new URL will be https://portal.hood.cloudgenix.com/sdwan/manage/advanced
Thank you to Joe, in the comments, for providing this update.
You can take a look at all the options but right now I’m more interested in allowing Ping and Traceroute.
Click on Device Management Policy
Select your Site and click Done.
Now select your Element. An element is an ION.
Then select the Internet interface on that ION. I selected my Internet and bypass pair.
Then click on GET
You’ll see there is no device management policy for this interface. We’re going to create one.
In the empty Name field, type in ALLOW_PING_TRACEROUTE
In the empty prefix text box, type in the prefix you will allow Ping and Traceroute from. I’m allowing it from any with 0.0.0.0/0.
In the App drop down box, select Ping.
In the Action drop down box, select Allow.
Do the same for Traceroute in the next line.
You should now be able to Ping and Traceroute the public IP of your CloudGenix ION.
Where did these options go after the recent May 2022 update? I cannot find advanced options anywhere to allow ICMP.
Joe P. says
The new URL is:
You may need to change your region from Hood to match your own.
Thank you for providing the new URL, Joe!
Thank you Joe!