https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20721#M15137 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>i think you have not understood my question.</P><P></P><P>I understand that i can set up a dataport to get the updates. However the admin guide suggests that I should configure 2 dataports. So the admin guide basically says:</P><P></P><P>1. Configure one data port, for example, e1, and give it a static IP address, put it in a inside zone for example lets say L3-trust and attach a management profile allowing ping.</P><P>2. Configure another data port, for example, e2, which is facing internet. Give it an IP and put it in an external zone lets say L3-Untrust.</P><P>3. Confgure a security policy allowing traffic between L3-Trust and L3-Untrust zones.</P><P>4. In Service Route Configuration, select the interface e1 for the required services.</P><P></P><P>Now my question is:</P><P>Instead of setting up 2 data ports and then allowing traffic between them, can I directly select the external facing port, that is port e2 in above example, and then in the Service Route Configuration, select e2 for the required services, so that I get the updates?</P><P></P><P>Thanks!</P></BODY></HTML> Wed, 22 Oct 2014 09:09:53 GMT Neo.The.One 2014-10-22T09:09:53Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20717#M15133 <HTML><HEAD></HEAD><BODY><P>Hallo all,</P><P></P><P>I am following the document PAN OS 6.0 Admin Guide. Since my management port does not have internet access, I have to setup a data port for external access and updates. So the mentioned document, in the section called "Set Up Network Access for External Services", it is suggested that I should configure 2 ports, one on internal zone say (l3-trust) and one external facing port (in the zone lets say l3-untrust) Then create a security policy to allow traffic between these 2 zones and if needed create a NAT policy. </P><P>However, I have only one port on FW available and I have&nbsp; public IP for that. So can I just configure that port into an external facing zone and change the "Service Route Configuration" in the FW to get updates via this configured data port? Will this work?</P><P></P><P>Thanks a lot!</P></BODY></HTML> Wed, 22 Oct 2014 08:12:32 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20717#M15133 Neo.The.One 2014-10-22T08:12:32Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20718#M15134 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>You have to select a physical port <SPAN class="GINGER_SOFTWARE_mark"><SPAN class="GINGER_SOFTWARE_mark">( </SPAN><SPAN class="GINGER_SOFTWARE_mark">dataplane</SPAN> </SPAN>interface) in order to get <SPAN class="GINGER_SOFTWARE_mark"><SPAN class="GINGER_SOFTWARE_mark">management access</SPAN></SPAN> through a data-plane interface. Belo mentioned documents will help you for the same.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6167">Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-7650">How To Verify If Service Routes Are Correctly Installed in Management Plane</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 22 Oct 2014 08:34:01 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20718#M15134 HULK 2014-10-22T08:34:01Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20719#M15135 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>Yes you can use the dataplane port to use it for updates. All you have to do is to setup service routes for whatever updates you need, to use that dataplane interface. Please ensure the following:</P><P>-your DNS can resolve to updates.paloaltonetworks.com, </P><P>-There is no deny all rule which can block this traffic</P><P>-Any upstream device via that interface must allow access on port 443.</P><P></P><P>Please refer to the above document referred by Hulk for assistance with service route.</P><P></P><P>Regards,</P><P>Dileep</P></BODY></HTML> Wed, 22 Oct 2014 08:59:56 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20719#M15135 dreputi 2014-10-22T08:59:56Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20720#M15136 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>Please make sure you have configured DNS with the service route through the data-plane interface. Because the URL <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>updates.paloaltonetworks.com) will first resolve to an IP address from the DNS then it will try to reach the Palo Alto Update server.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 22 Oct 2014 09:00:20 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20720#M15136 HULK 2014-10-22T09:00:20Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20721#M15137 <HTML><HEAD></HEAD><BODY><P>Hi Guys,</P><P></P><P>i think you have not understood my question.</P><P></P><P>I understand that i can set up a dataport to get the updates. However the admin guide suggests that I should configure 2 dataports. So the admin guide basically says:</P><P></P><P>1. Configure one data port, for example, e1, and give it a static IP address, put it in a inside zone for example lets say L3-trust and attach a management profile allowing ping.</P><P>2. Configure another data port, for example, e2, which is facing internet. Give it an IP and put it in an external zone lets say L3-Untrust.</P><P>3. Confgure a security policy allowing traffic between L3-Trust and L3-Untrust zones.</P><P>4. In Service Route Configuration, select the interface e1 for the required services.</P><P></P><P>Now my question is:</P><P>Instead of setting up 2 data ports and then allowing traffic between them, can I directly select the external facing port, that is port e2 in above example, and then in the Service Route Configuration, select e2 for the required services, so that I get the updates?</P><P></P><P>Thanks!</P></BODY></HTML> Wed, 22 Oct 2014 09:09:53 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20721#M15137 Neo.The.One 2014-10-22T09:09:53Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20722#M15138 <HTML><HEAD></HEAD><BODY><P>Yes, you can do it.</P></BODY></HTML> Wed, 22 Oct 2014 09:13:59 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20722#M15138 HULK 2014-10-22T09:13:59Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20723#M15139 <HTML><HEAD></HEAD><BODY><P>Hello Amit,</P><P></P><P>As per the Admin-guide, it is suggested to configure an internal interface <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>trust-L3) with <SPAN class="GINGER_SOFTWARE_mark">an</SPAN> management profile for below mentioned reasons.</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">&gt; More visibility on traffic, passing through the firewall. You need to configure a security policy from Trust-L3 to Untrust-L3 <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>if you select Untrust L3, no security policy require in this case. Since intra zone traffic will be allowed by default, until you have a DENY_ALL rule at the bottom)&nbsp; </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">&gt; Not to configure a management profile on the public facing interface, which potentially cause a DOS attack on your firewall. </SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">&gt; Specific NAT rule "from zone TRUST-L3 to Untrust L3", instead of "ANY to Untrust L-3"</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope this helps.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks<BR /></SPAN></P></BODY></HTML> Wed, 22 Oct 2014 09:21:00 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20723#M15139 HULK 2014-10-22T09:21:00Z https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20724#M15140 <HTML><HEAD></HEAD><BODY><P>If there are any issues while using management interface then you can always look at the logs under</P><P>&gt; tail follow yes mp-log ms.log</P></BODY></HTML> Mon, 27 Oct 2014 17:55:51 GMT https://live.paloaltonetworks.com/t5/general-topics/set-up-data-port-for-external-services/m-p/20724#M15140 Mystique 2014-10-27T17:55:51Z