topic Re: Web Interface access from Internet in General Topics

Web Interface access from Internet

niuk — Mon, 01 Dec 2014 18:49:43 GMT

I have PA-200 connected to Internet , but mgmt interface disconnected right now. Do I have to piggyback mgmt to one of remaining Ethernet interfaces in order to get access to web interface from Internet ? Plus port forward rule ?Let me know

Re: Web Interface access from Internet

ssharma — Mon, 01 Dec 2014 18:55:07 GMT

Yes, you can assign management profile to the outside interface and access it to manage device.

You can use following document :

How to Create a Management Profile using the CLI

In this example, we assume ethernet 1/3 is your outside network. Hope this helps. Thank you.

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 19:01:36 GMT

Do you know how to show/display current mgmt interface profiles ?

Re: Web Interface access from Internet

dburns — Mon, 01 Dec 2014 19:07:58 GMT

pa> show interface <interface>

Interface management profile: allow_all

ping: yes telnet: yes ssh: yes http: yes https: yes

snmp: yes response-pages: no userid-service: no

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 19:16:03 GMT

So here it is , replaced my public with x's. I have ping/https/ssh I can ping and ssh but no https to web interface .

Name: ethernet1/1, ID: 16

Operation mode: layer3

Virtual router default

Interface MTU 1500

Interface IP address: x.x.x.x/24

Interface management profile: untrust-mgmt

ping: yes telnet: no ssh: yes http: no https: yes

snmp: no response-pages: no userid-service: no

Service configured: SSL-VPN

Zone: WAN-zone, virtual system: vsys1

Re: Web Interface access from Internet

ssharma — Mon, 01 Dec 2014 20:04:44 GMT

Hi Niuk,

Do you have deny any any policy by any chance? Also can you check on Traffic logs and check for your source address from internet and destination on 443 and see if it is denied? Thank you.

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 20:10:59 GMT

I think there is default deny interzone. But how to find drop logs using my ssh access only ? I don't have web access temporarily

Re: Web Interface access from Internet

Retired Member — Mon, 01 Dec 2014 20:15:14 GMT

show log traffic action equal deny dport equal 80(or 443) to equal X.X.X.X

Re: Web Interface access from Internet

ssharma — Mon, 01 Dec 2014 20:27:21 GMT

Assuming your public ip is 1.1.1.1 and firewall's outside interface is 5.5.5.5, try to access https://5.5.5.5

Then on the CLI, run

show session all filter source 1.1.1.1 destination 5.5.5.5 destination-port 443

See if you see anything there, if possible paste the output of "show session id <>" for any session that matches above show session command. Thank you.

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 20:28:06 GMT

I dont see any 443 neither denied nor allowed, see below. Also output of 'show counter global name flow_host_service_deny'

admin@PA-200-1> show log traffic action equal deny dport equal 443

Time App From Src Port Source

Rule Action To Dst Port Destination

Src User Dst User

===============================================================================

admin@PA-200-1> show log traffic action equal allow dport equal 443

Time App From Src Port Source

Rule Action To Dst Port Destination

Src User Dst User

===============================================================================

admin@PA-200-1> show counter global name flow_host_service_deny

Name: flow_host_service_deny

Value: 80

Severity: Drop

Category: flow

Aspect: mgmt

Desciption: Device management session denied

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 20:31:27 GMT

I looked port 443 (nothing) , and 22 (where I am actually connected)

admin@PA-200-1> show session all filter destination-port 443

No Active Sessions

admin@PA-200-1> show session all filter destination-port 22

--------------------------------------------------------------------------------

ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])

Vsys Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19243 ssh ACTIVE FLOW y.y.y.y[39267]/WAN-zone/6 (y.y.y.y[39267])

vsys1 x.x.x.x[22]/WAN-zone (x.x.x.x[22])

......

Re: Web Interface access from Internet

Retired Member — Mon, 01 Dec 2014 20:36:49 GMT

write a temporary rule, and try to access.it will be better

configure

set rulebase security rules TEST from WAN to WAN source (your ip address which you try to access now) destination X.X.X.X(fw address) action allow

move rulebase security rules TEST top

commit

Re: Web Interface access from Internet

ssharma — Mon, 01 Dec 2014 20:44:02 GMT

Hi Niuk,

Do you have a NAT for the outside interface ip? Can you check your NAT policy to see if you are translating anything on 443?

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 20:50:49 GMT

I moved below to TOP and committed

set rulebase security rules TEST from WAN-zone to WAN-zone source any destination x.x.x.x action allow service service-https application any

rulebase {

security {

rules {

TEST {

from WAN-zone;

to WAN-zone;

source any;

destination x.x.x.x;

action allow;

service service-https;

application any;

but no difference , maybe I should do service application-default , and application ssl

application ssl;

service application-default;

Re: Web Interface access from Internet

niuk — Mon, 01 Dec 2014 20:51:08 GMT

no NAT

Re: Web Interface access from Internet

ssharma — Mon, 01 Dec 2014 20:55:07 GMT

If there is no NAT and security policy allows any source to connect to firewall's IP on 443 and if we still don't see any sessions on firewall. Next step would be take pcap on the firewall and see 443 packets are making it upto the firewall?

How to Run a Packet Capture

See if packets are even making it to the outside interface. Thank you.

Re: Web Interface access from Internet

HULK — Mon, 01 Dec 2014 20:58:57 GMT

Hello Niuk,

You can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'.

> If there is an session exist for the same traffic, then please apply CLI command PAN> show session id XYZ >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc.

> verify the global counters, if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc. These counters are for all the traffic going through the device and are useful in troubleshooting issues; like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data.

For more information, you can follow the DOC What is the Significance of Global Counters?

> You can enable FLOW BASIC feature to understand the exact reason behind the failure:

> debug dataplane packet-diag clear all

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

> debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination IP_ADD_OF_THE_TESTING_PC

> debug dataplane packet-diag set log feature flow basic

> debug dataplane packet-diag set log feature tcp all

> debug dataplane packet-diag set filter on

> debug dataplane packet-diag set log on

~~~~~~~~~~~~~~~~ Initiate traffic ( try to access the management interface) ~~~~~~~~~~~~~~~~~~~~~~~~~

> debug dataplane packet-diag set log off

> debug dataplane packet-diag aggregate-logs

> less mp-log pan_packetdiag_log.log

For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands

Hope this helps.

Thanks

Re: Web Interface access from Internet

niuk — Wed, 03 Dec 2014 12:26:20 GMT

The fix was to access web gui on port 4443....I have Global Protect configured, and believe or not , GP swings system https port to 4443