topic Re: Natting Palo Alto's Management Address? in General Topics

Natting Palo Alto's Management Address?

JoelGuy — Fri, 01 Mar 2019 14:22:25 GMT

Hello. I currently have the management interface on my PA configured with a IP address on my outside/untrusted network. I would like to change the management address to an IP on one of my inside/trusted networks. When I change my management address, how do I configure NAT for this new management address to allow access to outside for Panorama, Palo Alto Network Services, etc. ?

Thanks!

Re: Natting Palo Alto's Management Address?

Mick_Ball — Fri, 01 Mar 2019 15:45:06 GMT

I'm not sure if i understood your question fully but why dont you just go into device\services\service route config and change your external services to your external interface, i assume they already work on that interface....

Re: Natting Palo Alto's Management Address?

JoelGuy — Fri, 01 Mar 2019 15:54:37 GMT

Thanks for the response. Using Service Route was my first thoughts, but I had read somewhere that it was not best practice. I don't recall thier reasoning, I'll have to find it again.

Re: Natting Palo Alto's Management Address?

Mick_Ball — Fri, 01 Mar 2019 15:58:23 GMT

but do you not already have outgoing (trust to untrust) NAT in place for your outgoing traffic.

if so then i would have assumed that your local routing would have pushed outgoing traffic from management interface via this route.

Re: Natting Palo Alto's Management Address?

OtakarKlier — Fri, 01 Mar 2019 18:31:16 GMT

Hello,

Also make sure you have a policy that allows the traffic, dont inspect it and also dont decrypt it.

Regards,

Re: Natting Palo Alto's Management Address?

jeremy.larsen — Mon, 04 Mar 2019 15:26:35 GMT

I agree with MickBall. Either edit your service route config and use an internet routable address to pull from PAN or set your mgmt interface on a subnet with a gateway that routes to the PAN for NAT. Having your mgmt interface on an internet routable address is a really BAD idea.

Re: Natting Palo Alto's Management Address?

OtakarKlier — Mon, 04 Mar 2019 17:21:17 GMT

Hello,

If you are using a legit certificate for your management interface and are using policies to allow access from only certain IP's (others you own), I dont see why allowing access should be an issue?

Just my thoughts.