topic Re: MGMT interface routing questions in General Topics

MGMT interface routing questions

MikeSangray2019 — Wed, 11 Aug 2021 18:17:50 GMT

When I configure the mgmt interface on its own network and I use the PA for routing, do I need to setup a static route to access the HTTP interface from a different network? Or does a service route take care of this automatically?

I have an HA active/standby pair, do service routes need to be configured on each device?

Re: MGMT interface routing questions

LAYER_8 — Wed, 11 Aug 2021 18:24:51 GMT

If the MGT interface is plugged into a downstream switch that acts as a terminus for your LAN/IAPs, then you can access the MGT portal. If you have your MGT interface isolated on a VLAN, yet still want to access it from the users interface, you would create an interface management profile.

Whatever changes you make to one device, these populate over to the other in an HA pair configuration.

Re: MGMT interface routing questions

Remo — Wed, 11 Aug 2021 19:06:59 GMT

In addition to what @LAYER_8 already wrote. From a dataplane interface you cannot connect to the management interface. Dataplane and management plane have separated routing tables. You can access the cli/webui over a dataplane interface by configuring an interface management profile. But in an active/standby pair this way you will be able to access only the active firewall.

The service routes are used if you want to send some management traffic out of another interface than the management interface (for example that the firewall connect to the update servers directly from the internet facing interface).

In an active/standby high availability pair not everything is synced. All the configurations that are not synced you can find here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha.html