topic Re: Default Management Ports in PAN OS 7.1 in General Topics

Default Management Ports in PAN OS 7.1

Retired Member — Wed, 24 Aug 2016 11:48:15 GMT

Hi all

The standard guide for configuring a PANW Firewall to allow access to HTTPS/SSH etc from the outside has been this link: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Port/ta-p/62333

But with the release of PAN OS 7, the provided instructions no longer work. A loopback interface cannot share an IP address with the management interface.

Given this, what would be the appropriate way to configure Security & NAT policies to allow access to HTTPS management on a non-standard port from an Untrusted interface?

I tried setting the loopback to 192.168.1.2 and 192.168.2.1 (and updating the appropriate Policies of course), but had no luck. Does anyone have any insight to share?

(FYI: obviously I'm aware of the security implications in allowing access to management via HTTPS over the WAN, this is a temporary requirement to pre-stage devices, send them to site, and configure them remotely once they arrive. When the configuration has been completed, management via the WAN will be disabled)

Thanks

Sam

Re: Default Management Ports in PAN OS 7.1

reaper — Wed, 24 Aug 2016 12:19:42 GMT

Hi Sam

This article does not stipulate the IP on the loopback should be the management interface, but I see in the comments this appears to be misleading, I will add a note in the article (the connection is made to the management profile active on the interface on the dataplane rather than a redirect to the physical management interface)

litteraly any ip on the loopback will do the trick, as long as it is not already assigned to the dataplane or management interfaces and preferably one that is not routed anywhere else in the organization to prevent conflicts

Re: Default Management Ports in PAN OS 7.1

santonic — Wed, 24 Aug 2016 12:22:15 GMT

I don't know the answer to your question.

But if you have static IP where you are and on the device you are deploying; just leave MGMT access on 443 and limit it to just your public IP address?

Re: Default Management Ports in PAN OS 7.1

Retired Member — Wed, 24 Aug 2016 13:36:11 GMT

Thanks for your response

Possibly I am doing something wrong then - I configured everything as per the article, except for using 192.168.2.1 as the loopback IP address, and was unable to gain management access via the alternative port.

The WAN address was configured with a /30 (i.e. 1.2.3.4/30). I tested via a laptop connected to the Ethernet Inteferace in the Untrusted zone, configured with an interface address of 1.2.3.5/30. When I attempted to access 1.2.3.4:8443, there was no response.

I had a PAT rule in place with using a custom Service object of 8443, and the PAT rule translated the destination to 192.168.2.1:443. There was a Security policy allowing access from the Untrusted to Trusted zones, as per the instructions, and the loopback interface was configured with a Management profile allowing access via HTTPS.

When I configured the Etehrnet Interface in the Untrusted zone with the same Management Profiles, I was able to access https://1.2.3.4:443. But I was still unable to access https://1.2.3.4:8443

Is there anything obvious I may have overlooked?

Sam

Re: Default Management Ports in PAN OS 7.1

reaper — Wed, 24 Aug 2016 15:03:58 GMT

ok so to make sure i wasn't completely sending you into the woods or anything i did a quick replication, and it works, lemme add some screenshots:

the NAT rule points at the IP assigned to my external interface on port 7777 and translates to the loopback IP on port 443 (second one for sanity check)

Re: Default Management Ports in PAN OS 7.1

Retired Member — Wed, 24 Aug 2016 15:21:23 GMT

Hi Reaper

Thanks for the detailed response, I appreciate the assistance

That looks pretty much like how I set it up, but I'll double-check when I'm back at the office tomorrow and let you know

Hopefully I missed something simple

Thanks again!

Sam