I am following the document PAN-OS 6.0 Admin Guide. Since my management port does not have internet access, I have to set up a data port for external access and updates. In the mentioned document, in the section called "Set Up Network Access for External Services", it is suggested that I configure 2 ports: one in an internal zone (say l3-trust) and one external-facing port (in a zone, let's say l3-untrust). Then create a security policy to allow traffic between these 2 zones and, if needed, create a NAT policy.
However, I have only one port available on the FW, and I have a public IP for it. So can I just configure that port in an external-facing zone and change the "Service Route Configuration" on the FW to get updates via this configured data port? Will this work?
Thanks a lot!
You have to select a physical port (dataplane interface) in order to get management access through a data-plane interface. The below-mentioned documents will help you with the same.
Hope this helps.
Yes, you can use the dataplane port for updates. All you have to do is set up service routes for whatever updates you need, so that they use that dataplane interface. Please ensure the following:
- your DNS can resolve updates.paloaltonetworks.com,
- there is no deny-all rule that can block this traffic,
- any upstream device on that interface must allow access on port 443.
Please refer to the document referenced above by Hulk for assistance with service routes.
Please make sure you have configured DNS with a service route through the data-plane interface, because the URL (updates.paloaltonetworks.com) will first be resolved to an IP address by DNS, and only then will the firewall try to reach the Palo Alto update server.
I think you have not understood my question.
I understand that I can set up a data port to get the updates. However, the admin guide suggests that I should configure 2 data ports. So the admin guide basically says:
1. Configure one data port, for example e1, give it a static IP address, put it in an inside zone, let's say L3-Trust, and attach a management profile allowing ping.
2. Configure another data port, for example e2, which faces the internet. Give it an IP and put it in an external zone, let's say L3-Untrust.
3. Configure a security policy allowing traffic between the L3-Trust and L3-Untrust zones.
4. In Service Route Configuration, select interface e1 for the required services.
Now my question is:
Instead of setting up 2 data ports and then allowing traffic between them, can I directly select the external-facing port, that is port e2 in the above example, in the Service Route Configuration for the required services, so that I get the updates?
As per the Admin Guide, it is suggested to configure an internal interface (Trust-L3) with a management profile for the reasons mentioned below.
> More visibility on traffic passing through the firewall. You need to configure a security policy from Trust-L3 to Untrust-L3 (if you select Untrust-L3, no security policy is required in this case, since intrazone traffic is allowed by default, until you have a DENY_ALL rule at the bottom).
> Not having a management profile on the public-facing interface, which could potentially expose your firewall to a DoS attack.
> A specific NAT rule "from zone Trust-L3 to Untrust-L3", instead of "ANY to Untrust-L3".
Hope this helps.