This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Able to ping management interface but cannot get GUI (over secure IPsec connection)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Able to ping management interface but cannot get GUI (over secure IPsec connection)

kay.sammer
L0 Member

‎02-01-2019 09:59 AM

Have a PA820 connected to a remote machine via IPsec tunnel - Management port has been opened up to access over LAN (works) - and can ping the Management IP over the tunnel - but am not able to connect to the web GUI. Any pointers?

 

Many thanks in advance!

1 person had this problem.
0 Likes Likes
5 REPLIES 5

OtakarKlier
Cyber Elite
Cyber Elite

‎02-01-2019 01:31 PM

Hello,

Check the logs to see why/if traffic is getting blocked. Did you set restrictions of 'Permitted IP Addresses' can connect to the Mgmt interface?

 

Just a few thoughts.

0 Likes Likes

kay.sammer
L0 Member
In response to OtakarKlier

‎02-02-2019 04:05 AM

Hi @OtakarKlier, thanks for the reply! Turned out it was a policy in Policies > Security, which we called "Access from Remote" (which isn't actually remote, but a remote computer on the same LAN we wanted access from). Under Application it had "Ping" which I changed to "Any". Now I am able to ping AND access the web GUI (I assume SSH will work now as well).

 

Question - how much of a security hole is this? What else should I do to secure it even more? I understand having the Mgmt port completely closed off will do the trick - but its a remote office so need to be able to run configurations (and we are not using Panorama)

 

Many thanks

Kay

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to kay.sammer

‎02-02-2019 07:12 AM

@kay.sammer,

Well your effectively authorizing that one device to do whatever it wants to the management port of your firewall, which wouldn't be exactly something I would call best practice.

I would modify this security policy so the application is [ ping ssh ssl panos-web-interface ], and then I would only the necissary IPs that need to access this device under Permitted IPs so that no other device can contact the management interface. 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to BPry

‎02-02-2019 04:50 PM

Hello,

I agree with @BPry on locking it down.

 

Cheers!

0 Likes Likes

Mrahman1
L0 Member
In response to OtakarKlier

‎02-07-2021 06:46 PM

I have 2 3260 Palo Alto firewalls in 2 data centers. I configured GRE tunnels between 2 Arista Switches and they are in front of Firewalls. I configured OSPF routing protocol. All prefixes are learned by OSPF. Both Firewalls can ping each other of management interfaces. GUI and SSH are not working remotely. I researched but not able to find the right solution. Please reply if you have any solution for this issue.

0 Likes Likes
  • 7499 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks