topic Re: management interface & service route configuration in General Topics

management interface & service route configuration

Toufik — Sat, 29 Jan 2022 23:23:30 GMT

Hello
I am new in palo alto, I did a self-training
I would like to have more details about the relation between the management interface and the service route configuration
I have a little bit stuck on when to use the route configuration service
I think there are some webgui ways to manage the AP:
-directly connect a pc to Mgmt interface
-connect mgmt interface to switch with dedicated vlan
- connect mgmt interface to switch in the same vlan as the data interfaces
how to enter the concept of service route configuration in the above cases.
I know that the management interface is used by the FW PA to go on the internet and retrieve updates,...etc, but sometimes there is a need to use the service route configuration to point into the service in the LAN data
I have some ambiguities to master this concept and the why and how of the thing.
thanks

Re: management interface & service route configuration

PavelK — Sun, 30 Jan 2022 01:06:16 GMT

Thank you for the post @Toufik

Basically by default all communication that Firewall will initiate will be over management interface. In the case you for what ever reason can't use management interface, you can change all services to communicate via data plane interface instead of management interface. You can also do it selectively based on service you want to communicate over data plane interface. Here is KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

In the case of Active/Standby HA you will come across an issue when standby Firewall will not be able to use data plane interfaces (Depending on HA configuration interfaces are either shut or suspended), so service route configuration will not work unless Firewall assumes active role or you change it back to use management interface.

Connecting management port to switch with dedicated Vlan is the most optimal way. Having management interface on the same subnet as data plane interface is possible and it will work, however I would avoid this security reasons. The first option you mentioned is of course possible to connect management interface directly to your PC, but outside of the lab environment, this is not scalable option. If you need to change management interface IP address from CLI to range for management Vlan, you can do it from CLI: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

Kind Regards

Pavel

Re: management interface & service route configuration

Toufik — Sun, 30 Jan 2022 10:31:32 GMT

@PavelK

Thanks for your answer

What I understood is that the control plane and the data plane are "physically" separated, and there is no direct communication between the management interface and the WAN output interface (for example).
If I connect my management interface directly to my pc, I will encounter problems connecting to the internet for external services, so this case to be eliminated since you completely isolate the management plane from any network! and this is what you have confirmed.
but if we connect the mgt interface to a switch port, there we can declare the data port of the firewall corresponding to the switch port, in route service configuration and this port becomes the source for external services.
but if we assume that a vlan is dedicated and that the dns server is in another vlan, do we have to set a policy rule to pass the inter-vlan flow (so inter-zone)?
actually the route service configuration is not only used for external services, but also for internal services like dns?

Kind Regards

Toufik