I got a simple question for you:
Is it possible to literally disable/shut down the mgmt interface, via CLI or web UI, in a VM environment when it is not needed?
I noticed a DNS issue after we deleted the IP address assigned to the MGMT interface via CLI with the command:
"delete deviceconfig system ip-address"
Obviously we have made PA reachable from another interface ethernet1/1, configuring every "service route configuration" on this specific ethernet1/1.
Unfortunately DNS queries were not working properly even if service route configuration was set on ethernet1/1.
I configured a fake IP address on the MGMT interface... and guess what happened? DNS queries started working properly.
From my point of view this kind of command "delete deviceconfig system ip-address" should be banned haha :)
In order to avoid future issues, is there a way to clean the entire mgmt configuration or literally shut it down?
I don't believe that you can actually disable the port completely. You can disable it to the point where it's essentially a nothing port, but I think it'll always be 'enabled'. Which is kind of odd, because it makes it seem like you can disable it completely in the GUI?
In a VM environment, uncheck "Connected" and "Connect at power on" in the VM settings on Network adapter 1.
Network adapter 1 - Palo mgmt
Network adapter 2 - ethernet1/1
Thank you for your reply! Sorry for the wait, I was very busy during these weeks.
Via the GUI there was no way to disable the mgmt interface, but via the CLI it was possible to issue the command mentioned in my post.
It has caused some strange issues with DNS, PA-VM sometimes was able to solve domains and sometimes not.
That's why I'm asking if there is a way to disable the mgmt interface or leave it without an IP when it is not needed.
I know, I've seen what you described. In fact, starting from this mechanism (NIC0 = mgmt, NIC1 = eth1, etc.), my question is whether it's possible to disable the mgmt interface when it is not needed.
But no problem guys, in the end I have basically assigned a non-used IP, 220.127.116.11, to mgmt and I have finalized my configuration on eth1 :)
Thanks for your reply!
Just FYI, you may want to switch to a proper RFC address instead of using an IP address that is actually assigned to Orange in France ;)