Set Up Data Port for external services


L2 Linker

Hello all,

I am following the document PAN-OS 6.0 Admin Guide. Since my management port does not have internet access, I have to set up a data port for external access and updates. In the section of that document called "Set Up Network Access for External Services", it is suggested that I should configure 2 ports, one on an internal zone (say l3-trust) and one external-facing port (in a zone, let's say, l3-untrust), then create a security policy to allow traffic between these 2 zones and, if needed, create a NAT policy.

However, I have only one port on the FW available, and I have a public IP for that. So can I just configure that port into an external-facing zone and change the "Service Route Configuration" in the FW to get updates via this configured data port? Will this work?

Thanks a lot!

7 replies

L7 Applicator

Hello Amit,

You have to select a physical port (dataplane interface) in order to get management access through a data-plane interface. The below-mentioned documents will help you with the same.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

How To Verify If Service Routes Are Correctly Installed in Management Plane

Hope this helps.

Thanks

Hello Amit,

Yes, you can use the dataplane port for updates. All you have to do is set up service routes for whatever updates you need to use that dataplane interface. Please ensure the following:

- Your DNS can resolve updates.paloaltonetworks.com,

- There is no deny-all rule which can block this traffic,

- Any upstream device via that interface must allow access on port 443.

Please refer to the above document referred by Hulk for assistance with service route.

Regards,

Dileep

L7 Applicator

Hello Amit,

Please make sure you have configured DNS with the service route through the data-plane interface, because the URL (updates.paloaltonetworks.com) will first be resolved to an IP address by DNS, and only then will the firewall try to reach the Palo Alto update server.

Thanks

L2 Linker

Hi Guys,

I think you have not understood my question.

I understand that I can set up a data port to get the updates. However, the admin guide suggests that I should configure 2 data ports. So the admin guide basically says:

1. Configure one data port, for example e1, and give it a static IP address, put it in an inside zone, let's say L3-Trust, and attach a management profile allowing ping.

2. Configure another data port, for example e2, which is facing the internet. Give it an IP and put it in an external zone, let's say L3-Untrust.

3. Configure a security policy allowing traffic between the L3-Trust and L3-Untrust zones.

4. In Service Route Configuration, select the interface e1 for the required services.

Now my question is:

Instead of setting up 2 data ports and then allowing traffic between them, can I directly select the external-facing port, that is port e2 in the above example, and then in the Service Route Configuration select e2 for the required services, so that I get the updates?

Thanks!

Yes, you can do it.

Hello Amit,

As per the Admin Guide, it is suggested to configure an internal interface (Trust-L3) with a management profile for the reasons mentioned below.

> More visibility of traffic passing through the firewall. You need to configure a security policy from Trust-L3 to Untrust-L3 (if you select Untrust-L3, no security policy is required in this case, since intra-zone traffic will be allowed by default, unless you have a DENY_ALL rule at the bottom).

> Not having to configure a management profile on the public-facing interface, which could potentially cause a DoS attack on your firewall.

> A specific NAT rule "from zone Trust-L3 to Untrust-L3", instead of "ANY to Untrust-L3".


Hope this helps.


Thanks
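The single-port variant asked about in the question above, together with the point in this reply about keeping a management profile off the public-facing interface, written out as PAN-OS configure-mode CLI. This is an added example, not configuration from the thread or from the Admin Guide; the interface name ethernet1/2, the zone name, the addresses and the service names `dns` and `paloalto-updates` are assumptions (confirm the service names with `set deviceconfig system route service ?` on your own device), and the `#` lines are annotations rather than CLI input.

```text
# Assumed: ethernet1/2 is the only free dataplane port and carries the public IP.
# 203.0.113.10/24, 203.0.113.1 and 203.0.113.53 are constructed documentation addresses.
configure
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.10/24
set zone L3-Untrust network layer3 ethernet1/2
set network virtual-router default interface ethernet1/2
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1

# Deliberately no interface-management-profile on this public-facing interface:
# service routes are outbound from the management plane and do not need one,
# and leaving it off avoids the exposure described in the reply above.

# DNS must use the same path first, so updates.paloaltonetworks.com can be resolved.
set deviceconfig system dns-setting servers primary 203.0.113.53
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 203.0.113.10/24
set deviceconfig system route service paloalto-updates source interface ethernet1/2
set deviceconfig system route service paloalto-updates source address 203.0.113.10/24

# With a single interface the update traffic stays inside L3-Untrust, which the
# default intra-zone behaviour permits unless an explicit deny-all rule precedes it.
commit
exit

# Operational checks after the commit: name resolution and reachability via the
# data port, then an update check against the Palo Alto update server.
ping source 203.0.113.10 host updates.paloaltonetworks.com
request system software check
```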

L2 Linker

If there are any issues while using the management interface, then you can always look at the logs with

> tail follow yes mp-log ms.log
