When the ping host command is used without a source statement, the Palo Alto Networks device uses the management (MGMT) interface by default, but only for destination addresses that are not configured on the firewall itself. Addresses configured on the firewall itself are dataplane addresses. For these, if the source address is not explicitly specified, the ping traffic goes internally through the firewall. The reason is that addresses configured on the dataplane are also assigned on the management plane kernel. Therefore, when the ping host <ip_dataplane> command is issued, it effectively pings the kernel on the management plane (MP).
Note: The command debug dataplane internal vif address shows all configured IP addresses that are assigned to the MP kernel. Similar behavior applies to the SSH command.
Usage for ping host:
> ping host <not_ip_dataplane> - generated from the MGMT interface by default
> ping host <ip_dataplane> - behaves like local ping (not generated from MGMT interface)
If the ping needs to be generated from the MGMT interface when an ip_dataplane address is pinged, the "source" option must be specified:
> ping source <mgmt_address> host <ip_dataplane>
For example, to originate the ping from a layer 3 interface, run the command:
> ping source <x.x.x.x> host <y.y.y.y>
where x.x.x.x is the layer 3 interface address on the Palo Alto Networks device and y.y.y.y is the destination host.