<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Mgmt Traffic through VPN Tunnel in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/mgmt-traffic-through-vpn-tunnel/m-p/20673#M15099</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a fairly straightforward network topology for a firewall at a remote datacenter with one little catch. The PAN's revenue interfaces are an Internet interface, an internal interface, a DMZ interface, and a device management network. The catch is the PAN's MGMT interface lies on the device management network for which it is also the default router. For example, its ethernet1/4 is 10.254.10.1/25 and its MGMT interface is 10.254.10.4/25.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Oh, and another little catch, this being a remote datacenter, we talk to that device management network over a VPN that terminates on the PAN itself.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So the problem is that I cannot reach the PAN on its MGMT interface or have it talk to our Panorama server over the VPN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would prefer to still use the MGMT interface for system management. I would expect there may be others in the same or similar situations. How do you manage and use Panorama with your PAN over a VPN that terminates on the PAN itself? Pointers to vendor docs or your own experiences would be appreciated. Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 14 Jul 2011 20:40:14 GMT</pubDate>
    <dc:creator>cosx</dc:creator>
    <dc:date>2011-07-14T20:40:14Z</dc:date>
    <item>
      <title>Mgmt Traffic through VPN Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mgmt-traffic-through-vpn-tunnel/m-p/20673#M15099</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have a fairly straightforward network topology for a firewall at a remote datacenter with one little catch. The PAN's revenue interfaces are an Internet interface, an internal interface, a DMZ interface, and a device management network. The catch is the PAN's MGMT interface lies on the device management network for which it is also the default router. For example, its ethernet1/4 is 10.254.10.1/25 and its MGMT interface is 10.254.10.4/25.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Oh, and another little catch, this being a remote datacenter, we talk to that device management network over a VPN that terminates on the PAN itself.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So the problem is that I cannot reach the PAN on its MGMT interface or have it talk to our Panorama server over the VPN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would prefer to still use the MGMT interface for system management. I would expect there may be others in the same or similar situations. How do you manage and use Panorama with your PAN over a VPN that terminates on the PAN itself? Pointers to vendor docs or your own experiences would be appreciated. Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 Jul 2011 20:40:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mgmt-traffic-through-vpn-tunnel/m-p/20673#M15099</guid>
      <dc:creator>cosx</dc:creator>
      <dc:date>2011-07-14T20:40:14Z</dc:date>
    </item>
    <item>
      <title>Re: Mgmt Traffic through VPN Tunnel</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mgmt-traffic-through-vpn-tunnel/m-p/20674#M15100</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It should work, can you check the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) If any of the security policies is not blocking the connection between the Internal zone and the VPN zone &lt;/P&gt;&lt;P&gt;2) If you are not able to check it through the Monitor logs, please add a deny rule at the end and check if any logs are generated&lt;/P&gt;&lt;P&gt;3) See if you can add the MAC address of the management interface statically to the internal interface &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Khubaib &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 14 Jul 2011 23:29:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mgmt-traffic-through-vpn-tunnel/m-p/20674#M15100</guid>
      <dc:creator>kalavi</dc:creator>
      <dc:date>2011-07-14T23:29:05Z</dc:date>
    </item>
  </channel>
</rss>

