Natting Palo Alto's Management Address?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Natting Palo Alto's Management Address?

L0 Member

Hello.  I currently have the management interface on my PA configured with a IP address on my outside/untrusted network.  I would like to change the management address to an IP on one of my inside/trusted networks.  When I change my management address, how do I configure NAT for this new management address to allow access to outside for Panorama, Palo Alto Network Services, etc. ? 

 

Thanks!

6 REPLIES 6

L7 Applicator

I'm not sure if i understood your question fully but why dont you just go into device\services\service route config and change your external services to your external interface, i assume they already work on that interface....

Thanks for the response.  Using Service Route was my first thoughts, but I had read somewhere that it was not best practice.  I don't recall thier reasoning, I'll have to find it again.

 

 

but do you not already have outgoing (trust to untrust) NAT in place for your outgoing traffic.

 

if so then i would have assumed that your local routing would have pushed  outgoing traffic from management interface via this route.

Hello,

Also make sure you have a policy that allows the traffic, dont inspect it and also dont decrypt it.

 

Regards,

I agree with MickBall.  Either edit your service route config and use an internet routable address to pull from PAN or set your mgmt interface on a subnet with a gateway that routes to the PAN for NAT.  Having your mgmt interface on an internet routable address is a really BAD idea.

Hello,

If you are using a legit certificate for your management interface and are using policies to allow access from only certain IP's (others you own), I dont see why allowing access should be an issue?

 

Just my thoughts.

  • 4474 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!