Able to ping management interface but cannot get GUI (over secure IPsec connection)


L0 Member

Have a PA820 connected to a remote machine via an IPsec tunnel. The Management port has been opened up for access over the LAN (works), and I can ping the Management IP over the tunnel, but I am not able to connect to the web GUI. Any pointers?


Many thanks in advance!


Cyber Elite

Hello,

Check the logs to see why/if traffic is getting blocked. Did you set restrictions under 'Permitted IP Addresses' on which hosts can connect to the Mgmt interface?


Just a few thoughts.

Hi @OtakarKlier, thanks for the reply! It turned out it was a policy in Policies > Security, which we called "Access from Remote" (which isn't actually remote, but a remote computer on the same LAN we wanted access from). Under Application it had "Ping", which I changed to "Any". Now I am able to ping AND access the web GUI (I assume SSH will work now as well).


Question - how much of a security hole is this? What else should I do to secure it even more? I understand having the Mgmt port completely closed off will do the trick, but it's a remote office, so we need to be able to run configurations (and we are not using Panorama).


Many thanks

Kay

@kay.sammer,

Well, you're effectively authorizing that one device to do whatever it wants to the management port of your firewall, which wouldn't be exactly something I would call best practice.

I would modify this security policy so the application is [ ping ssh ssl panos-web-interface ], and then I would only allow the necessary IPs that need to access this device under Permitted IPs, so that no other device can contact the management interface.
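To make the two checks in the reply above concrete (does the security rule carry the App-IDs management needs, and is the MGT interface restricted to specific hosts), here is an added example that is not from the original thread or from Palo Alto Networks. It parses a constructed XML fragment laid out like a PAN-OS configuration export; the element paths (deviceconfig/system/permitted-ip and vsys/.../rulebase/security/rules) are assumed to match PAN-OS, and the rule name, zones and addresses are made up. Run it against your own exported running-config to get the same report.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS XML config export. The element layout is an
# assumption about the PAN-OS schema; the rule name, zones and addresses are invented.
# The rule mirrors the thread: "Access from Remote" allows only the ping App-ID.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip>
        <entry name="10.20.30.5/32"/>
      </permitted-ip>
    </system></deviceconfig>
    <vsys><entry name="vsys1"><rulebase><security><rules>
      <entry name="Access from Remote">
        <from><member>vpn</member></from>
        <to><member>trust</member></to>
        <source><member>10.20.30.5</member></source>
        <destination><member>192.168.1.1</member></destination>
        <application><member>ping</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
    </rules></security></rulebase></entry></vsys>
  </entry></devices>
</config>"""

# App-IDs that management access through the data plane needs, per the reply above.
MGMT_APPS = frozenset({"ping", "ssh", "ssl", "panos-web-interface"})


def rule_applications(config_xml: str, rule_name: str) -> set:
    """App-IDs listed in the named security rule; empty set if the rule does not exist."""
    root = ET.fromstring(config_xml)
    for entry in root.findall(".//rulebase/security/rules/entry"):
        if entry.get("name") == rule_name:
            return {m.text.strip() for m in entry.findall("application/member") if m.text}
    return set()


def is_wide_open(apps: set) -> bool:
    """True when the rule allows any application: the state the original poster ended up in."""
    return "any" in apps


def missing_mgmt_apps(apps: set) -> set:
    """Management App-IDs the rule does NOT carry. 'any' covers all of them (but is too broad)."""
    if is_wide_open(apps):
        return set()
    return set(MGMT_APPS - apps)


def permitted_networks(config_xml: str) -> list:
    """Networks from Permitted IP Addresses; entry names are IP or IP/mask strings."""
    root = ET.fromstring(config_xml)
    nets = []
    for entry in root.findall(".//deviceconfig/system/permitted-ip/entry"):
        name = entry.get("name")
        if name:
            nets.append(ipaddress.ip_network(name, strict=False))
    return nets


def client_permitted(config_xml: str, client_ip: str) -> bool:
    """Mirror the MGT-interface check: an empty Permitted IP list means any host may connect."""
    nets = permitted_networks(config_xml)
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def audit_mgmt_access(config_xml: str, rule_name: str, client_ip: str) -> dict:
    """One report answering both questions from the thread for a given client host."""
    apps = rule_applications(config_xml, rule_name)
    return {
        "rule_found": bool(apps),
        "wide_open": is_wide_open(apps),
        "missing_apps": sorted(missing_mgmt_apps(apps)),
        "permitted_ip_restricted": bool(permitted_networks(config_xml)),
        "client_permitted": client_permitted(config_xml, client_ip),
    }


if __name__ == "__main__":
    # With only "ping" allowed, ICMP works but HTTPS/SSH never match the rule,
    # which is exactly the "can ping but no GUI" symptom from the original post.
    print(json.dumps(audit_mgmt_access(SAMPLE_CONFIG, "Access from Remote", "10.20.30.5"), indent=2))
```

A rule whose report shows `wide_open` true passes the first check only by accident; the intended end state is `missing_apps` empty with `wide_open` false and `permitted_ip_restricted` true, with `client_permitted` true only for the administrator hosts.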

Hello,

I agree with @BPry on locking it down.


Cheers!

I have two 3260 Palo Alto firewalls in two data centers. I configured GRE tunnels between two Arista switches, which sit in front of the firewalls, and configured the OSPF routing protocol. All prefixes are learned by OSPF. Both firewalls can ping each other's management interfaces, but GUI and SSH are not working remotely. I researched but was not able to find the right solution. Please reply if you have a solution for this issue.
