Not able to access Management interface of Palo Alto Firewall From the Permitted IP range

54162
Created On 09/25/18 19:38 PM - Last Modified 06/02/23 09:46 AM


Symptom


- As part of the management interface feature, the "Permitted IP Addresses" section restricts access to the management interface so that only the listed hosts/subnets can reach it.
- After configuring "Permitted IP Addresses" on the management interface, CLI or GUI access to the firewall does not work, even though we are connecting from an address inside the configured permitted range.
- This option can be found in the WebGUI > Device > Setup > Interfaces.

- In the case of GUI access via HTTPS, troubleshooting on the source machine shows that the SSL handshake starts (Client Hello is sent), but the Server Hello handshake packet never arrives at the machine.

- Taking a Packet capture on the Management interface of the firewall, we can see that the (Server Hello) packet is being sent.


Cause


- The Server Hello packet is being dropped by a device along the path because of an interface MTU issue: the egress interface MTU of that device is lower than the size of the Server Hello packet.
- When the device drops the Server Hello packet, it sends an ICMP error message (Type 3 Code 4, Destination Unreachable, Fragmentation Needed) back to the firewall. This message informs the firewall that there is a lower MTU value along the path and that the Server Hello packet needs fragmentation.
- The source of this ICMP packet is the device that dropped the Server Hello packet, not the client. Because the Permitted IP list contains only the source machine's subnet range, the firewall drops this ICMP packet, so it never learns that the Server Hello packet is being dropped and needs fragmentation.
- The only exception is ICMP echo reply (Type 0/Code 0) in response to an echo request sent from the management interface. Hence ping from the management interface is not affected by the "Permitted IP Addresses" list.


Resolution


There are 3 solutions for this scenario; which one to implement depends on your network needs:
1- Lower the MTU of the management interface of the Palo Alto Firewall to avoid the device along the path from dropping the (Server Hello) packet.
2- Increase the MTU of the Egress interface of the device along the path to avoid dropping the (Server Hello) packet.
3- Add the source IP address of the ICMP error message (Destination Unreachable, Fragmentation Needed) to the "Permitted IP Addresses" list.
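As an added illustration (not part of this article or of Palo Alto Networks' code), the Python below builds the ICMP Fragmentation Needed message a path router would return, parses it, and models the Permitted IP filter described in the Cause section, including the echo-reply exception and the effect of the third solution. All addresses, ports and sizes are constructed sample values.

```python
import ipaddress
import struct

# Constructed example values (not taken from the article).
PERMITTED_IPS = ["10.1.1.0/24"]                  # the "Permitted IP Addresses" list
FW_MGMT_IP, CLIENT_IP, ROUTER_IP = "10.0.0.5", "10.1.1.20", "192.0.2.1"

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header with DF set (checksum left zero for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def build_frag_needed(router, fw, client, next_hop_mtu, dropped_len):
    """ICMP Type 3 Code 4 that a path router sends to the firewall after dropping the
    oversized Server Hello (fw:443 -> client). Per RFC 1191 the ICMP header carries
    the next-hop MTU, followed by the dropped packet's IP header plus 8 bytes."""
    quoted = ipv4_header(fw, client, 6, dropped_len) + struct.pack("!HHI", 443, 52000, 1)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return ipv4_header(router, fw, 1, 20 + len(icmp)) + icmp

def parse_packet(pkt):
    """Return the outer source and protocol; for ICMP add type/code, and for
    Type 3/Code 4 also the next-hop MTU and the dropped flow's endpoints."""
    info = {"src": str(ipaddress.ip_address(pkt[12:16])), "proto": pkt[9]}
    if info["proto"] != 1:
        return info
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", pkt[20:28])
    info.update(type=icmp_type, code=code)
    if (icmp_type, code) == (3, 4):
        inner = pkt[28:48]                        # quoted header of the dropped packet
        info.update(next_hop_mtu=mtu,
                    dropped_src=str(ipaddress.ip_address(inner[12:16])),
                    dropped_dst=str(ipaddress.ip_address(inner[16:20])),
                    dropped_len=struct.unpack("!H", inner[2:4])[0])
    return info

def mgmt_filter(pkt, permitted):
    """Model the article's behaviour: only sources inside the permitted list are
    accepted, except ICMP echo reply, which is always let through."""
    info = parse_packet(pkt)
    src = ipaddress.ip_address(info["src"])
    if info["proto"] == 1 and (info["type"], info["code"]) == (0, 0):
        return "accept", info
    if any(src in ipaddress.ip_network(net) for net in permitted):
        return "accept", info
    return "drop", info
```

Running `mgmt_filter` on the constructed message shows it dropped until the router's address (the ICMP source) is added to the permitted list, which is solution 3 above.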


Additional Information


- Even if no Permitted IP list is configured, the same scenario can occur if the (Ping) service is not enabled on the management interface.
- In that case the ICMP error message indicating that fragmentation is needed is dropped by the firewall, which therefore never learns that the Server Hello packet is being dropped and needs fragmentation.
- The issue can be fixed by enabling the (Ping) service on the management interface.

- The same issue can also occur on dataplane interfaces that use a Management Profile with a Permitted IP list or without the (Ping) service enabled.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb4CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail