<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Switch port configuration for management interface on HA pair in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488369#M104808</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/29232"&gt;@SilvioReis&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;The management interface should be an access port; the interface itself doesn't support tagging. Your current design would work perfectly fine; the management IP can be on the same interface as the trust zone without any issues.&lt;/P&gt;</description>
    <pubDate>Wed, 18 May 2022 21:14:49 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2022-05-18T21:14:49Z</dc:date>
    <item>
      <title>Switch port configuration for management interface on HA pair</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488301#M104802</link>
      <description>&lt;P&gt;Are there any recommendations or requirements to configure a switch port for management interface for a PA firewall?&lt;/P&gt;&lt;P&gt;Should it be an access port or could it be an 802.1q port (trunk mode)?&lt;/P&gt;&lt;P&gt;Are there any recommendations to enable/disable/specify lldp/cdp/vtp/igmp/spf on switch port for management interface?&lt;/P&gt;&lt;P&gt;If the management interface will be used for backup of HA1 interface/traffic, are there any additional recommendations?&lt;/P&gt;&lt;P&gt;Any problems if the IP address of the management interface resides on the same subnet as the inside/trusted zone/interface on the same firewall/HA pair and the default gateway of the management interface points to the IP address of the inside interface?&lt;/P&gt;&lt;P&gt;I know that it could be an access port or directly connected to a management PC using a regular cat5e/cat6 patch cord.&lt;/P&gt;&lt;P&gt;Thanks,&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PA_mgmt_interface.jpg" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/41037i7DDF1AC0F8156EAE/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="PA_mgmt_interface.jpg" alt="PA_mgmt_interface.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 18:33:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488301#M104802</guid>
      <dc:creator>SilvioReis</dc:creator>
      <dc:date>2022-05-18T18:33:38Z</dc:date>
    </item>
    <item>
      <title>Re: Switch port configuration for management interface on HA pair</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488366#M104807</link>
      <description>&lt;P&gt;I am not sure about later Palo Alto models, but on mine at least, the dedicated management interface does not support VLAN tagging. You must connect it to an access switch port. Generally, you want the management interface on a separate subnet, accessible only from specific devices. Though I don't believe it will cause any specific errors if it is on the same subnet as the internal Trust zone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One thing to make sure of, though, is that the HA data and management ports are on a completely separate network, that there are no explicit routes over the data or management interfaces to the same IP ranges.&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 21:14:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488366#M104807</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2022-05-18T21:14:06Z</dc:date>
    </item>
    <item>
      <title>Re: Switch port configuration for management interface on HA pair</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488369#M104808</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/29232"&gt;@SilvioReis&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;The management interface should be an access port; the interface itself doesn't support tagging. Your current design would work perfectly fine; the management IP can be on the same interface as the trust zone without any issues.&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 21:14:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488369#M104808</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-05-18T21:14:49Z</dc:date>
    </item>
    <item>
      <title>Re: Switch port configuration for management interface on HA pair</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488381#M104813</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I protect my management interface with the Palo Alto in a 'management network'. I create a VLAN, let's call it mgmt, and anchor it on the Palo Alto, meaning the VLAN IP is on the Palo Alto so I can create security policies to protect it as to who can connect in the first place, e.g. AD group fw_admins are the only ones that can even get into the VLAN.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Wed, 18 May 2022 21:58:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/switch-port-configuration-for-management-interface-on-ha-pair/m-p/488381#M104813</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2022-05-18T21:58:17Z</dc:date>
    </item>
  </channel>
</rss>

