topic Re: Able to ping management interface but cannot get GUI (over secure IPsec connection) in General Topics

Able to ping management interface but cannot get GUI (over secure IPsec connection)

kay.sammer — Fri, 01 Feb 2019 17:59:19 GMT

Have a PA820 connected to a remote machine via IPsec tunnel - Management port has been opened up to access over LAN (works) - and can ping the Management IP over the tunnel - but am not able to connect to the web GUI. Any pointers?

Many thanks in advance!

Re: Able to ping management interface but cannot get GUI (over secure IPsec connection)

OtakarKlier — Fri, 01 Feb 2019 21:31:03 GMT

Hello,

Check the logs to see why/if traffic is getting blocked. Did you set restrictions of 'Permitted IP Addresses' can connect to the Mgmt interface?

Just a few thoughts.

Re: Able to ping management interface but cannot get GUI (over secure IPsec connection)

kay.sammer — Sat, 02 Feb 2019 12:05:45 GMT

Hi @OtakarKlier, thanks for the reply! Turned out it was a policy in Policies > Security, which we called "Access from Remote" (which isn't actually remote, but a remote computer on the same LAN we wanted access from). Under Application it had "Ping" which I changed to "Any". Now I am able to ping AND access the web GUI (I assume SSH will work now as well).

Question - how much of a security hole is this? What else should I do to secure it even more? I understand having the Mgmt port completely closed off will do the trick - but its a remote office so need to be able to run configurations (and we are not using Panorama)

Many thanks

Kay

Re: Able to ping management interface but cannot get GUI (over secure IPsec connection)

BPry — Sat, 02 Feb 2019 15:12:49 GMT

@kay.sammer,

Well your effectively authorizing that one device to do whatever it wants to the management port of your firewall, which wouldn't be exactly something I would call best practice.

I would modify this security policy so the application is [ ping ssh ssl panos-web-interface ], and then I would only the necissary IPs that need to access this device under Permitted IPs so that no other device can contact the management interface.

Re: Able to ping management interface but cannot get GUI (over secure IPsec connection)

OtakarKlier — Sun, 03 Feb 2019 00:50:38 GMT

Hello,

I agree with @BPry on locking it down.

Cheers!

Re: Able to ping management interface but cannot get GUI (over secure IPsec connection)

Mrahman1 — Mon, 08 Feb 2021 02:46:48 GMT

I have 2 3260 Palo Alto firewalls in 2 data centers. I configured GRE tunnels between 2 Arista Switches and they are in front of Firewalls. I configured OSPF routing protocol. All prefixes are learned by OSPF. Both Firewalls can ping each other of management interfaces. GUI and SSH are not working remotely. I researched but not able to find the right solution. Please reply if you have any solution for this issue.