Maintenance Page redirection via Palo Alto?

L4 Transporter

Hey folks,

We have an HQ site and a Colo site. We are moving our Colo site to a new datacenter.

We have two firewalls in HA. I've already broken HA and taken PA#2 over to the new datacenter for early standup, leaving PA#1 at the current site active with user connections until move day.

On move day, I have this request (requirement) from management that says, "we need a maintenance page during the move that we can set without having to change Public DNS records" (Network Solutions). The question from management is, "Can't we just re-route all incoming requests to our current Public IPs into the Colo firewall to a specific external (anywhere) IP address maintenance page?"

They are trying to eliminate having to change our Public DNS records twice (saving propagation time). Instead of having to change once for the maintenance page and once for the new IP, do this "re-route" at the firewall option temporarily, and remove it when making the Public DNS records change once.

Any thoughts about it?

L7 Applicator

Re: Maintenance Page redirection via Palo Alto?

@OMatlock,

You could do this, but you would need to forward it to something that has a cert with a SAN of everything publicly accessible to stop it from throwing a security certificate error. Not a hard thing to do.

L4 Transporter

Re: Maintenance Page redirection via Palo Alto?

Thank you @BPry

Yeah, you mean because the IP would change (via NAT, I assume), tipping off the certificate for our services?

We do have several. We do have a wildcard in place, but not for everything.

From the sounds of it, we may not have enough time (with everything else) to get that set up.

From a networking level, how would this be done? I mean, the Colo firewall could catch certain Public IP requests and "re-direct" them elsewhere? Is that a NAT rule?

L7 Applicator

Re: Maintenance Page redirection via Palo Alto?

@OMatlock,

Right. If you have your stuff set up with a wildcard cert that's less of an issue, as the cert technically would cover your maintenance page. For anything that isn't set up like that, though, you would need a SAN on the cert of your maintenance page to actually include the new host or URL in question.

I would just reset the NAT rules to point towards your new maintenance page host. So instead of actually hitting your web server, for example, it would hit the server hosting this static page.
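Added example (not from the thread, and not Palo Alto code): a small Python check of the certificate point above, telling you which public hostnames would still throw a browser certificate error once their NAT rules are repointed at the maintenance host, given that host's wildcard or SAN list. The SAN list and hostnames are constructed for illustration.

```python
"""Check whether the maintenance host's cert covers every public hostname
whose NAT rule will be repointed at it. Added example, not thread code."""


def san_matches(san: str, hostname: str) -> bool:
    """Hostname matching the way browsers do it (RFC 6125 style):
    a wildcard covers exactly one leftmost label and never the bare apex."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # "*.example.com" -> ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        # One non-empty label only: "a.b.example.com" is NOT covered.
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def uncovered_hosts(cert_sans, public_hosts):
    """Return the public names that no SAN on the maintenance cert covers.
    Each of these will show a certificate error after the NAT change."""
    return [h for h in public_hosts
            if not any(san_matches(s, h) for s in cert_sans)]


# Constructed sample data: a wildcard plus the apex on the maintenance laptop,
# and the public names served by the NAT rules being repointed.
MAINT_CERT_SANS = ["*.example.com", "example.com"]
PUBLIC_HOSTS = [
    "www.example.com",
    "mail.example.com",
    "portal.example.com",
    "example.com",
    "api.legacy.example.com",  # two labels deep: wildcard does not cover it
    "example.net",             # different zone: needs its own SAN
]

if __name__ == "__main__":
    for host in uncovered_hosts(MAINT_CERT_SANS, PUBLIC_HOSTS):
        print(f"{host}: not covered, add a SAN or skip the NAT change for it")
```

Run it against the real SAN list from your maintenance cert and the hostnames behind each NAT rule before move day; anything it lists needs a SAN added or its NAT rule left alone.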

L6 Presenter

Re: Maintenance Page redirection via Palo Alto?

@OMatlock wrote:

They are trying to eliminate having to change our Public DNS records twice (saving propagation time). Instead of having to change once for maintenance page and once for new IP, do this "re-route" at the firewall option temporary, and remove when making Public DNS records change once.

Any thoughts about it?

What about lowering the TTL on the existing record to a time that would make changes more efficient?

L4 Transporter

Re: Maintenance Page redirection via Palo Alto?

Thank you @BPry

Thank you @Brandon_Wertz

Yeah, I am going to test a laptop hanging off our new location tomorrow with our wildcard and test some stuff out.

We use Network Solutions. Their default TTL is 2 hours. We may lower it to their minimum of 1 hour.

Thanks for y'all's feedback!

L4 Transporter

Re: Maintenance Page redirection via Palo Alto?

@BPry

Thank you!! This worked out. Changed all NAT rules to our maintenance page (on a laptop w/ IIS).

We even installed our wildcard; it worked out for what we needed.
