In many network environments, it's good practice to create an Out Of Band network where the management interfaces of your security appliances and services live so they cannot be compromised by a user with a lot of spare time to try and guess passwords.
This can sometimes create interesting challenges, as your appliances may need to access resources that are not available on the secured network. One example is Palo Alto Networks' integrated User Identification mechanisms, where either the firewall reads security audit logs on an Active Directory server, or the server gets an agent software installed that does the reading and sends the output back to the firewall. If the AD server is not connected to the secured network, a different route needs to be taken to get the information on the firewall.
To assist in this sort of issue, a service route can be configured that redirects connections originating from the management plane, via the backplane, to the dataplane. This will force the outgoing connection to egress from a normal network interface without exposing the management interface (pretty cool, huh?).
To configure a service route:
This will work for both the installed UID agent software and the clientless configuration on the firewall.
if you would like to know more about service routes, please take a look at this article: Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI
Hope you learned a new thing today!
Please feel free to leave a comment or ask questions in the comment section below
Reaper out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
10 Likes | |
8 Likes | |
6 Likes | |
6 Likes | |
5 Likes |
User | Likes Count |
---|---|
28 | |
18 | |
13 | |
10 | |
8 |