<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Routing to/from the Management Interface in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1204757#M122967</link>
    <description>&lt;P&gt;I have two new PA-455-5G firewalls running 11.2.3. These have 8 ethernet interfaces, two management ports, and two console ports. I have configured the management ports as 10.0.0.1 &amp;amp; .2 respectively on FW1 &amp;amp; 2. These will be in A/P HA, so I want to be able to manage the firewalls individually via these management ports. I do NOT want to use one of the 8 ethernet ports.&lt;/P&gt;
&lt;P&gt;I have finished the initial config, and it looks like this:&lt;/P&gt;
&lt;P&gt;Ethernet1/1 Primary internet&lt;/P&gt;
&lt;P&gt;Ethernet1/2 Secondary internet&lt;/P&gt;
&lt;P&gt;Ethernet1/3 (and sub-interfaces) LAN/VLANs&lt;/P&gt;
&lt;P&gt;Ethernet 1/7 HA2&lt;/P&gt;
&lt;P&gt;Ethernet 1/8 HA1 backup&lt;/P&gt;
&lt;P&gt;Management Ports (a.k.a. MPs) HA1 (10.0.0.1/29 primary and 10.0.0.2/29 secondary)&lt;/P&gt;
&lt;P&gt;I have a single default router configured, and this FW pair is the primary router for the LAN. I have security policies in place that allow certain VLANs to communicate with the management ports and that rule is being hit as expected when trying to access or ping the MPs, but I cannot get to them at all from the LAN, nor can they get out to the internet (so I can use them as the primary service route).&lt;/P&gt;
&lt;P&gt;I have tried adding them to the default router, but there does not seem to be a way to do that. I also tried adding a new VLAN for them, but there is also no way to assign the MPs to a VLAN.&lt;/P&gt;
&lt;P&gt;So - How the heck do you get these ports to be accessible from the LAN and allow them to get out to the internet? I cannot find anything in the admin guide that shows this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 21 Jan 2025 20:30:19 GMT</pubDate>
    <dc:creator>R.Rehart</dc:creator>
    <dc:date>2025-01-21T20:30:19Z</dc:date>
    <item>
      <title>Routing to/from the Management Interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1204757#M122967</link>
      <description>&lt;P&gt;I have two new PA-455-5G firewalls running 11.2.3. These have 8 ethernet interfaces, two management ports, and two console ports. I have configured the management ports as 10.0.0.1 &amp;amp; .2 respectively on FW1 &amp;amp; 2. These will be in A/P HA, so I want to be able to manage the firewalls individually via these management ports. I do NOT want to use one of the 8 ethernet ports.&lt;/P&gt;
&lt;P&gt;I have finished the initial config, and it looks like this:&lt;/P&gt;
&lt;P&gt;Ethernet1/1 Primary internet&lt;/P&gt;
&lt;P&gt;Ethernet1/2 Secondary internet&lt;/P&gt;
&lt;P&gt;Ethernet1/3 (and sub-interfaces) LAN/VLANs&lt;/P&gt;
&lt;P&gt;Ethernet 1/7 HA2&lt;/P&gt;
&lt;P&gt;Ethernet 1/8 HA1 backup&lt;/P&gt;
&lt;P&gt;Management Ports (a.k.a. MPs) HA1 (10.0.0.1/29 primary and 10.0.0.2/29 secondary)&lt;/P&gt;
&lt;P&gt;I have a single default router configured, and this FW pair is the primary router for the LAN. I have security policies in place that allow certain VLANs to communicate with the management ports and that rule is being hit as expected when trying to access or ping the MPs, but I cannot get to them at all from the LAN, nor can they get out to the internet (so I can use them as the primary service route).&lt;/P&gt;
&lt;P&gt;I have tried adding them to the default router, but there does not seem to be a way to do that. I also tried adding a new VLAN for them, but there is also no way to assign the MPs to a VLAN.&lt;/P&gt;
&lt;P&gt;So - How the heck do you get these ports to be accessible from the LAN and allow them to get out to the internet? I cannot find anything in the admin guide that shows this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 21 Jan 2025 20:30:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1204757#M122967</guid>
      <dc:creator>R.Rehart</dc:creator>
      <dc:date>2025-01-21T20:30:19Z</dc:date>
    </item>
    <item>
      <title>Re: Routing to/from the Management Interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1205025#M122978</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/714836709"&gt;@R.Rehart&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The mgmt ports are entirely out-of-band and cannot be added to the VR.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance:&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Source:&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Consider the management interface as a standalone host on your network. It connects via a cable from the management port to an access port on the switch, within the management VLAN designated for your network. Like any other network, you can route it to a FW-dataport interface to go through the FW and to the internet, for which it requires an allow policy and NAT configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope this helps,&lt;/P&gt;
&lt;P&gt;-Kim.&lt;/P&gt;</description>
      <pubDate>Wed, 22 Jan 2025 10:56:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1205025#M122978</guid>
      <dc:creator>kiwi</dc:creator>
      <dc:date>2025-01-22T10:56:27Z</dc:date>
    </item>
    <item>
      <title>Re: Routing to/from the Management Interface</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1205352#M123025</link>
      <description>&lt;P&gt;Thanks, Kiwi, but that isn't what I was looking for. I solved the problem by adding a gateway address in the same subnet as the management ports to the default VR and changing their gateway to point there. Now, I can route between the LAN and the management ports without issue.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2025 15:20:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/routing-to-from-the-management-interface/m-p/1205352#M123025</guid>
      <dc:creator>R.Rehart</dc:creator>
      <dc:date>2025-01-24T15:20:46Z</dc:date>
    </item>
  </channel>
</rss>

