Natting Palo Alto's Management Address?

L0 Member


Hello. I currently have the management interface on my PA configured with an IP address on my outside/untrusted network. I would like to change the management address to an IP on one of my inside/trusted networks. When I change my management address, how do I configure NAT for this new management address to allow access to outside for Panorama, Palo Alto Network Services, etc.?


Thanks!

L6 Presenter

Re: Natting Palo Alto's Management Address?

I'm not sure if I understood your question fully, but why don't you just go into Device\Services\Service Route Config and change your external services to your external interface? I assume they already work on that interface...

L0 Member

Re: Natting Palo Alto's Management Address?

Thanks for the response. Using Service Route was my first thought, but I had read somewhere that it was not best practice. I don't recall their reasoning; I'll have to find it again.

L6 Presenter

Re: Natting Palo Alto's Management Address?

But do you not already have outgoing (trust to untrust) NAT in place for your outgoing traffic?

If so, then I would have assumed that your local routing would have pushed outgoing traffic from the management interface via this route.

L7 Applicator

Re: Natting Palo Alto's Management Address?

Hello,

Also make sure you have a policy that allows the traffic, don't inspect it, and also don't decrypt it.

Regards,

L4 Transporter

Re: Natting Palo Alto's Management Address?

I agree with MickBall. Either edit your service route config and use an internet-routable address to pull from PAN, or set your mgmt interface on a subnet with a gateway that routes to the PAN for NAT. Having your mgmt interface on an internet-routable address is a really BAD idea.
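The two options suggested in this thread (a service route sourced from an inside dataplane interface, or letting the existing trust-to-untrust NAT carry the management traffic), written out in PAN-OS CLI form. This is an added example, not configuration from any post; the interface names, addresses and rule names are assumed values, and the command syntax is written from memory, so check it against the PAN-OS CLI reference for your version before committing.

```text
# Option 1: source Panorama and Palo Alto Networks services from an inside
# dataplane interface (ethernet1/2 at 10.10.10.1/24 is an assumed value)
# instead of the management interface. The traffic then follows the normal
# trust -> untrust path and is translated by the existing outbound NAT rule.
set deviceconfig system route service panorama source interface ethernet1/2
set deviceconfig system route service panorama source address 10.10.10.1/24
set deviceconfig system route service paloalto-networks-services source interface ethernet1/2
set deviceconfig system route service paloalto-networks-services source address 10.10.10.1/24

# Option 2: keep the services on the management interface, but move it to an
# inside subnet (10.10.20.5/24, assumed) whose default gateway is the
# firewall's own inside dataplane interface (10.10.20.1, assumed), so the
# traffic re-enters the dataplane and hits the same outbound NAT rule.
set deviceconfig system ip-address 10.10.20.5 netmask 255.255.255.0 default-gateway 10.10.20.1

# The outbound source NAT rule both options rely on (assumed: ethernet1/1 is
# the untrust interface; existing deployments usually already have this).
set rulebase nat rules Outbound-SNAT from trust to untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Security policy matching the pre-NAT source addresses and only the
# management-related applications. Keep this traffic out of any Decryption
# policy, as the thread advises, since the cloud services pin their certificates.
set rulebase security rules Allow-Mgmt-Services from trust to untrust source [ 10.10.20.5 10.10.10.1 ] destination any application [ panorama paloalto-updates paloalto-wildfire-cloud ssl ] service application-default action allow
```

After committing, the Traffic log for the Allow-Mgmt-Services rule should show the management or dataplane address as the source and the untrust interface address as the NAT source, which confirms the path the posts above describe.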

L7 Applicator

Re: Natting Palo Alto's Management Address?

Hello,

If you are using a legit certificate for your management interface and are using policies to allow access from only certain IPs (others you own), I don't see why allowing access should be an issue?

Just my thoughts.
