topic Re: Traffic going through Management port in General Topics

Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 14:48:53 GMT

Hello All,

We were setting up a PaloAlto Firewall and made all the basic configuration to make a test on the production environment, however when connecting to the production environment, we could see that all the traffic from the PaloAlto firewall was going through the management port and we have already defined the routes with the interface and next hop ip address.

For example if we want to reach the public IP from the provider that is directly connected, the traffic goes to the management port, then traffic goes inside the LAN and it gets stuck there forever.

We are only working with static routes and we haven't specifically detailed a route for the management port, the only place where we configured this is in the device->configuration->management->default gateway, but for some reason al the traffic is going over this interface?

Could somebody give some insight?

Regards

Re: Traffic going through Management port

OtakarKlier — Tue, 28 Aug 2018 16:43:12 GMT

Hello,

From the sounds of it the static routes are pointing at the management port ip address or port. The management port is used just for management, that is why it has its own config under the setup tab.

I would start by checking your routes on your other devices and then on the PAN virtual router.

Hope that helps.

Re: Traffic going through Management port

JoeAndreini — Tue, 28 Aug 2018 17:31:50 GMT

I assume you mean management traffic - device updates, licensing, etc. and not user traffic.

By default all management traffic exits via the management interface. If you want it to exit another route, this can be configured via Service Route Configuration (Device -> Setup -> Services)

If it is what you are intending to do, I recommend against having this traffic exit directy to an untrusted network. Instead, have it exit to an internal network, then traverse back through the firewall to be scanned, just in case something nefarious is going on.

Re: Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 17:53:55 GMT

Hello Otaka,

This is a sample of our configuration

Network->VirtualRouter1->Interface ethernet1/1(interface layer3)->outside (zone to internet)-> ip address: public ip

Network->VirtualRouter1->Interface ethernet1/2(interface layer3)->inside(zone to lan)->ip address: private ip 192.168.0.x/24

For Management purposes we have

Device-> Interfaces -> Management->Ip add 192.168.14.x/24 with a default gateway 192.168.14.1

For some reason, even the traffic that has a default route 0.0.0.0/0 ethernet 1/1 to public ip is being routed to 192.168.14.1

Thanks for the fast answer.

Regards

Re: Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 18:21:58 GMT

Hello Joe,

Im afraid even user traffic is going through management, we are unable to send any type of traffic through the other interfaces.

Regards

Re: Traffic going through Management port

Remo — Tue, 28 Aug 2018 18:23:18 GMT

Hi @the_jonathan

This is how to firewall is designed. The management traffic from the firewall by default does not use the routes configured in the virtual router. The virtual router and the management port are kind of comoletely separate routing instances. This makes it possible that traffic from the management port can be routed through your network and then also through your paloalto firewall to apply security profiles and other protections (even though this would be also possible with service routes).

If you want to have the traffic to be sent directly to the internet then you could configure service routes (what I wouldn't recommend). This way the firewall connects for updates, or whatever you configure, directly to that interface that you specify.

Re: Traffic going through Management port

Remo — Tue, 28 Aug 2018 18:25:00 GMT

@the_jonathan wrote:
Hello Joe,

Im afraid even user traffic is going through management, we are unable to send any type of traffic through the other interfaces.

Regards

Where do you see that usertraffic is routed through the management port?

Re: Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 18:30:17 GMT

Hello Joe,

As an example, when we do a traceroute from the firewall to the google dns 8.8.8.8 (when the firewall was directly connected to ISP), the traceroute showed us that the packet was sent to the gateway of the Management interface and stayed inside of our LAn until the TTL went to 0, because our LAN sent it back to the firewall and so on.

We have read the manuals and tried configuring this very basic simple point to point (firewall to isp) connection and still all the traffic is going through management port.

Regards

Re: Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 18:34:20 GMT

Hello @Remo

Yes, indeed we have seen that management interface is completely on a different "section" of the firewall and we have configured according to the manuals.

I am afraid we do not want to send traffic directly to the internet for the services of paloalto, we want it to "go" into our LAN through the management port as it is configured and then pass again through the firewall as standard traffic from the LAN.

Regards

Re: Traffic going through Management port

JoeAndreini — Tue, 28 Aug 2018 18:35:57 GMT

unless you traceroute or ping with the source argument, it is management traffic and will go out the management interface.

traceroute source <source IP address> host 8.8.8.8

When I describe user traffic, I mean traffic from one zone (trusted likely) to another (untrusted likely)

Re: Traffic going through Management port

the_jonathan — Tue, 28 Aug 2018 21:06:25 GMT

Hello @JoeAndreini @Remo and @OtakarKlier

Thank you very much for all your support, FYI our issue was pretty stupid, but we saw that the interface had no management profile assigned, therefore no traffic was allowed from any zone to inside the firewall.

Once we assigned a management profile to the interface (with ping enabled) we were able to succesfuly connect ISP provider to PaloAlto Firewall.

Thanks a lot for your support.

Regards