Hello. I currently have the management interface on my PA configured with a IP address on my outside/untrusted network. I would like to change the management address to an IP on one of my inside/trusted networks. When I change my management address, how do I configure NAT for this new management address to allow access to outside for Panorama, Palo Alto Network Services, etc. ?
I'm not sure if i understood your question fully but why dont you just go into device\services\service route config and change your external services to your external interface, i assume they already work on that interface....
Thanks for the response. Using Service Route was my first thoughts, but I had read somewhere that it was not best practice. I don't recall thier reasoning, I'll have to find it again.
but do you not already have outgoing (trust to untrust) NAT in place for your outgoing traffic.
if so then i would have assumed that your local routing would have pushed outgoing traffic from management interface via this route.
I agree with MickBall. Either edit your service route config and use an internet routable address to pull from PAN or set your mgmt interface on a subnet with a gateway that routes to the PAN for NAT. Having your mgmt interface on an internet routable address is a really BAD idea.
If you are using a legit certificate for your management interface and are using policies to allow access from only certain IP's (others you own), I dont see why allowing access should be an issue?
Just my thoughts.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!