Web Interface access from Internet

L3 Networker

I have a PA-200 connected to the Internet, but the mgmt interface is disconnected right now. Do I have to piggyback mgmt to one of the remaining Ethernet interfaces in order to get access to the web interface from the Internet? Plus a port forward rule? Let me know.

L5 Sessionator

Re: Web Interface access from Internet

Yes, you can assign a management profile to the outside interface and access it to manage the device.

You can use the following document:

How to Create a Management Profile using the CLI

In this example, we assume ethernet 1/3 is your outside network. Hope this helps. Thank you.

L3 Networker

Re: Web Interface access from Internet

Do you know how to show/display the current mgmt interface profiles?

L4 Transporter

Re: Web Interface access from Internet

pa> show interface <interface>

Interface management profile: allow_all
  ping: yes  telnet: yes  ssh: yes  http: yes  https: yes
  snmp: yes  response-pages: no  userid-service: no

L3 Networker

Re: Web Interface access from Internet

So here it is; I replaced my public IP with x's. I have ping/https/ssh. I can ping and ssh, but no https to the web interface.

Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: x.x.x.x/24
Interface management profile: untrust-mgmt
  ping: yes  telnet: no  ssh: yes  http: no  https: yes
  snmp: no  response-pages: no  userid-service: no
Service configured: SSL-VPN
Zone: WAN-zone, virtual system: vsys1
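As an added example (not from the thread and not PAN-OS code): a small Python parser for the `show interface` output above that lists which management services an interface in an untrust zone actually exposes, flagging the cleartext ones (telnet, http). The sample output and the untrust zone list are constructed from the post; the zone name is an assumption you would adjust to your own config.

```python
import re

# Constructed sample, modelled on the `show interface ethernet1/1` output in the thread
SAMPLE = """\
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 203.0.113.10/24
Interface management profile: untrust-mgmt
  ping: yes  telnet: no  ssh: yes  http: no  https: yes
  snmp: no  response-pages: no  userid-service: no
Service configured: SSL-VPN
Zone: WAN-zone, virtual system: vsys1
"""

# Management services that carry credentials in cleartext
CLEARTEXT = {"telnet", "http"}


def parse_show_interface(text):
    """Pull interface name, zone, profile and per-service yes/no flags out of the CLI output."""
    info = {"services": {}}
    for line in text.splitlines():
        if m := re.match(r"Name:\s*(\S+),", line):
            info["name"] = m.group(1)
        elif m := re.match(r"Interface management profile:\s*(\S+)", line):
            info["profile"] = m.group(1)
        elif m := re.match(r"Zone:\s*([^,]+)", line):
            info["zone"] = m.group(1).strip()
        else:
            # service flags appear as "name: yes/no" pairs, several per line
            for svc, flag in re.findall(r"([\w-]+):\s*(yes|no)\b", line):
                info["services"][svc] = flag == "yes"
    return info


def exposed_services(info, untrust_zones=("WAN-zone",)):
    """(service, is_cleartext) for every service enabled on an untrust-zone interface."""
    if info.get("zone") not in untrust_zones:
        return []
    return [(svc, svc in CLEARTEXT) for svc, on in info["services"].items() if on]


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE)
    for svc, cleartext in exposed_services(parsed):
        print(f"{parsed['name']} ({parsed['profile']}): {svc}" + ("  <- cleartext" if cleartext else ""))
```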

L5 Sessionator

Re: Web Interface access from Internet

Hi Niuk,

Do you have a deny any any policy by any chance? Also, can you check the Traffic logs for your source address from the Internet with destination port 443 and see if it is denied? Thank you.

L3 Networker

Re: Web Interface access from Internet

I think there is a default interzone deny. But how do I find the drop logs using my ssh access only? I don't have web access temporarily.

L6 Presenter

Re: Web Interface access from Internet

show log traffic action equal deny dport equal 80 (or 443) to equal X.X.X.X

L5 Sessionator

Re: Web Interface access from Internet

Assuming your public IP is 1.1.1.1 and the firewall's outside interface is 5.5.5.5, try to access https://5.5.5.5

Then on the CLI, run

show session all filter source 1.1.1.1 destination 5.5.5.5 destination-port 443

See if you see anything there; if possible, paste the output of "show session id <>" for any session that matches the show session command above. Thank you.

L3 Networker

Re: Web Interface access from Internet

I don't see any 443 sessions, neither denied nor allowed; see below. Also the output of 'show counter global name flow_host_service_deny'.

admin@PA-200-1> show log traffic action equal deny dport equal 443

Time                App             From            Src Port          Source
Rule                Action          To              Dst Port          Destination
                    Src User        Dst User
===============================================================================

admin@PA-200-1> show log traffic action equal allow dport equal 443

Time                App             From            Src Port          Source
Rule                Action          To              Dst Port          Destination
                    Src User        Dst User
===============================================================================

admin@PA-200-1> show counter global name flow_host_service_deny

Name:           flow_host_service_deny
Value:          80
Severity:       Drop
Category:       flow
Aspect:         mgmt
Desciption:     Device management session denied
