topic Re: IPSEC VPN for the FW MGMT in Next-Generation Firewall Discussions

IPSEC VPN for the FW MGMT

90435srinivasan — Thu, 29 Jan 2026 12:07:56 GMT

Hi There,

I would like to establish an IPSEC VPN connection between the Palo Alto firewalls and the Fortigate. This setup is necessary to allow remote access to the Palo Alto firewalls from the Citrix servers. This is for Management connectivity.

The inquiry is, IPSEC VPNs are generally configured to facilitate the passage of data traffic

1. I want to access the PA FW MGMT IP over an IPSEC VPN. Is it doable?

2. Shall I create a Loopback interface and assign a Interface MGMT profile and with this design, I believe I can access only the 'Active' firewall and not the 'passive' one.

How to overcome this caveat?

Cheers,

Re: IPSEC VPN for the FW MGMT

Raido_Rattameister — Thu, 29 Jan 2026 15:34:15 GMT

You are correct on both points.

Yes you can set up IPSec to access mgmt interface. Assumingly you have mgmt interface connected to separate management vlan/zone so you need to set up security policy to permit traffic from VPN to Palo mgmt IPs.

And yes if you use loopback or dataplane interface then you can access only active firewall.

Re: IPSEC VPN for the FW MGMT

90435srinivasan — Thu, 29 Jan 2026 15:38:08 GMT

Hi @Raido_Rattameister

Many thanks for your reply.

If I talk about MGMT IPs, I believe you're referring about the Loopback/In-band Interface and not the MGMT port.

Can we access the PA FW over the MGMT port itself via IPSEC VPN?

Re: IPSEC VPN for the FW MGMT

TomYoung — Thu, 29 Jan 2026 19:03:53 GMT

Hi @90435srinivasan ,

Do you have a switch on site? If so, connect the management interfaces to the switch and access them like you would any other. You can access them over the VPN. You would also be able to connect to the passive firewall.

Thanks,

Tom

Re: IPSEC VPN for the FW MGMT

90435srinivasan — Fri, 30 Jan 2026 03:11:21 GMT

Hi @TomYoung

Thanks for your reply. I'm referring about the Out of Band MGMT port.

As you know, since it's not part of any security zones, security policy won't be applicable. Is my assumption correct?

In that case, we'd need to use an In-band port (or loopback) and assign to a dedicated zone (MGMT-VPN) and allow security policy (MGMT-VPN to VPN).

I believe in this scenario, only the active firewall would be reachable as it holds the IP address.

Do correct me if I miss anything.

Re: IPSEC VPN for the FW MGMT

Raido_Rattameister — Fri, 30 Jan 2026 15:36:34 GMT

You can't route traffic directly from dataplane to management plane. There has to be switch in between.

Below is example using random vlans and IPs.

And then firewall policy can be added to permit traffic from VPN zone to management zone towards Palo mgmt IPs.

Re: IPSEC VPN for the FW MGMT

90435srinivasan — Fri, 30 Jan 2026 17:22:58 GMT

Hi @Raido_Rattameister

Thanks for your reply and sorry if I sound so silly.

As far as I know, dedicated out of band management interface isn't part of any security zone.

Based on the above example, if the dedicated MGT port to be accessed via IPSEC VPN, can you pls let me know how the routing should be setup?

Again, to the best of my knowledge, MGMT interface doesn't use the VR as this is for data-interface.

Please correct me if I miss anything 😊

Re: IPSEC VPN for the FW MGMT

L.LampkinIII — Tue, 03 Feb 2026 15:01:46 GMT

you are correct, the MGT interface in the screenshot above is unaware of [and does not need to be aware of] the FW configuration for security zones.

that stated, In the example picture given, the VLAN 30 gateway on the firewall is in a security zone.

your MGT interface would be configured with that FW VLAN 30 IP as the gateway IP address. this would allow the FW to route traffic back and forth between VPN and the VLAN 30

think of that policy as more for the firewall itself than for the MGT interface

If it helps to visualize, just consider the MGT interface as an independent host on the network, and not as part of the firewall.

Re: IPSEC VPN for the FW MGMT

90435srinivasan — Thu, 05 Feb 2026 16:28:19 GMT

Hi @L.LampkinIII

Got it. If I understand correctly, MGMT traffic would be routed via data-interface (Ex: Inside->VPN), provided switch is routing the traffic back to the FW.

Is that correct?