How to configure 1/11 to be dhcp and 1/12 to connect to management PanOS 8.1.10


L1 Bithead

We have a setup with a network connection into a PA5020 firewall that has a single out interface configured to a Server. Due to configuration (No Switch) we need to be able to access the Management port via one of the unused ethernet interfaces with a laptop. We can't set the IP of the laptop but can have it pull a DHCP address. The server does not have GUI support loaded. So what I'm trying to do is:

 

Set an interface (1/11) to be a DHCP server and allow connection only to 1/12. We want 1/12 to be a connection to the management port of the firewall. We want to connect a laptop and access the Management interface via the GUI/Browser.

Is this possible? I've seen how to set up DHCP and how to use a jumper cable from an interface to the mgt port. But setting the 1/11 and 1/12 to be local /28 IPs I'm getting Virtual router errors when testing the commit. Overlapping IPs. "In virtual-router Management-Router: address 192.168.0.3/28 on interface 1/12 has overlapping subnet with address 192.168.0.3/28 on interface ethernet1/11. (Module: routed)."

I've done the following

Configure 1/11 with 192.168.0.2/28

Configure 1/12 with 192.168.0.3/28

Configure Mgmt-Zone as Layer 3 to include 1/11 and 1/12

Configure Management-Router to include 1/11 and 1/12

Configure DHCP server on interface 1/11 with pool 192.168.0.4-192.168.0.14

 

I haven't even tried to jumper to the mgt port.

Accepted Solutions

Cyber Elite

Good Day

 

I am not sure if I would agree that you NEED to use the Mgt port at all.

If you configure your interface as it is...

Configure 1/11 with 192.168.0.2/28

 

You can get DHCP from 1/11, but also, you can manage the FW using the 1/11 interface IP.

You would configure an Interface Mgmt Profile to allow things like ping, https, snmp, etc.

 

This makes your configuration so much easier than what you are attempting.  😛

 

Will this work... just a single interface for DHCP and managing the FW?

 

That is one hurdle.... there are more to come.

 

There are about 20 mgmt services (PANW-DB, Panorama, LDAP, Radius, Dynamic Updates, etc.) that are expected to be on the mgt. You can research Service Routes in the admin guide to change them to use either 1/11 vs mgmt.

 

 

Help the community: Like helpful comments and mark solutions
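
Why the commit in the question failed and why the single-interface suggestion avoids it, as an added example (not from the original posts and not PAN-OS code): a small Python model of the per-virtual-router overlap check implied by the error message, plus a sanity check of the DHCP pool. The function names are hypothetical; the addresses are the ones given in the thread.

```python
import ipaddress
from itertools import combinations

def overlapping_pairs(interfaces):
    """interfaces: {name: (virtual_router, "ip/prefix")}. Return pairs of
    interfaces in the same virtual router whose connected subnets overlap."""
    hits = []
    for (a, (vr_a, ip_a)), (b, (vr_b, ip_b)) in combinations(sorted(interfaces.items()), 2):
        net_a = ipaddress.ip_interface(ip_a).network
        net_b = ipaddress.ip_interface(ip_b).network
        # Assumption taken from the error text: the check is scoped per virtual router.
        if vr_a == vr_b and net_a.overlaps(net_b):
            hits.append((a, b))
    return hits

def pool_problems(iface_cidr, pool):
    """Check a "first-last" DHCP pool against the serving interface address."""
    iface = ipaddress.ip_interface(iface_cidr)
    first, last = (ipaddress.ip_address(p) for p in pool.split("-"))
    problems = []
    if first > last:
        problems.append("pool range is reversed")
    for addr in (first, last):
        if addr not in iface.network:
            problems.append(f"{addr} is outside {iface.network}")
        elif addr in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
    if first <= iface.ip <= last:
        problems.append(f"pool contains the interface address {iface.ip}")
    return problems

# Values from the question: both interfaces sit in Management-Router,
# and both addresses fall inside 192.168.0.0/28.
ATTEMPTED = {
    "ethernet1/11": ("Management-Router", "192.168.0.2/28"),
    "ethernet1/12": ("Management-Router", "192.168.0.3/28"),
}
# The answer's suggestion: one interface serves DHCP and management.
SUGGESTED = {"ethernet1/11": ("Management-Router", "192.168.0.2/28")}
POOL = "192.168.0.4-192.168.0.14"

if __name__ == "__main__":
    print("attempted overlaps:", overlapping_pairs(ATTEMPTED))
    print("suggested overlaps:", overlapping_pairs(SUGGESTED))
    print("pool problems:", pool_problems("192.168.0.2/28", POOL))
```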


Thank you very much. I'm on it now.
