08-24-2016 04:48 AM
Hi all
The standard guide for configuring a PANW Firewall to allow access to HTTPS/SSH etc from the outside has been this link: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Por...
But with the release of PAN OS 7, the provided instructions no longer work. A loopback interface cannot share an IP address with the management interface.
Given this, what would be the appropriate way to configure Security & NAT policies to allow access to HTTPS management on a non-standard port from an Untrusted interface?
I tried setting the loopback to 192.168.1.2 and 192.168.2.1 (and updating the appropriate Policies of course), but had no luck. Does anyone have any insight to share?
(FYI: obviously I'm aware of the security implications in allowing access to management via HTTPS over the WAN, this is a temporary requirement to pre-stage devices, send them to site, and configure them remotely once they arrive. When the configuration has been completed, management via the WAN will be disabled)
Thanks
Sam
08-24-2016 05:19 AM
Hi Sam
This article does not stipulate that the IP on the loopback should be the management interface, but I see in the comments this appears to be misleading. I will add a note in the article (the connection is made to the management profile active on the interface on the dataplane rather than a redirect to the physical management interface).
Literally any IP on the loopback will do the trick, as long as it is not already assigned to the dataplane or management interfaces, and preferably one that is not routed anywhere else in the organization, to prevent conflicts.
08-24-2016 05:22 AM
I don't know the answer to your question.
But if you have static IP where you are and on the device you are deploying; just leave MGMT access on 443 and limit it to just your public IP address?
08-24-2016 06:36 AM
Thanks for your response
Possibly I am doing something wrong then - I configured everything as per the article, except for using 192.168.2.1 as the loopback IP address, and was unable to gain management access via the alternative port.
The WAN address was configured with a /30 (i.e. 1.2.3.4/30). I tested via a laptop connected to the Ethernet Interface in the Untrusted zone, configured with an interface address of 1.2.3.5/30. When I attempted to access 1.2.3.4:8443, there was no response.
I had a PAT rule in place using a custom Service object of 8443, and the PAT rule translated the destination to 192.168.2.1:443. There was a Security policy allowing access from the Untrusted to Trusted zones, as per the instructions, and the loopback interface was configured with a Management profile allowing access via HTTPS.
When I configured the Ethernet Interface in the Untrusted zone with the same Management Profile, I was able to access https://1.2.3.4:443. But I was still unable to access https://1.2.3.4:8443.
Is there anything obvious I may have overlooked?
Sam
08-24-2016 08:03 AM
OK, so to make sure I wasn't completely sending you into the woods or anything, I did a quick replication, and it works. Let me add some screenshots:
the NAT rule points at the IP assigned to my external interface on port 7777 and translates to the loopback IP on port 443 (second one for sanity check)
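As an added illustration (not part of this thread or of PAN-OS itself), the following Python model checks a configuration like the one described above against the order PAN-OS evaluates it in: the NAT rule is matched on pre-NAT zones (the destination zone comes from a route lookup of the original 1.2.3.4 address, so it is the Untrust zone, not the loopback's zone), while the security rule uses the post-NAT destination zone but the pre-NAT destination address and port. The interface names, the zone names "untrust"/"trust" and the management profile contents are assumptions; the addresses and ports are the ones from the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed topology from the thread: WAN 1.2.3.4/30 and loopback 192.168.2.1.
# Interface names and the zone names "untrust"/"trust" are assumptions.
INTERFACES = {
    "ethernet1/1": ("1.2.3.4/30", "untrust"),
    "loopback.1": ("192.168.2.1/32", "trust"),
}
# Assumed interface management profiles: services each interface answers on.
MGMT_PROFILES = {"loopback.1": {"https": 443, "ssh": 22}}

NatRule = namedtuple("NatRule", "from_zone to_zone dst dport xlate_ip xlate_port")
SecRule = namedtuple("SecRule", "from_zone to_zone dst dport")

def route_lookup(ip):
    """Return (interface, zone) of the connected route containing ip.
    Real PAN-OS consults the full routing table; connected routes suffice here."""
    addr = ipaddress.ip_address(ip)
    for ifname, (net, zone) in INTERFACES.items():
        if addr in ipaddress.ip_network(net, strict=False):
            return ifname, zone
    raise LookupError(f"no route for {ip}")

def evaluate(src_zone, dst_ip, dport, nat, sec):
    """Simulate the lookup order for one inbound management flow.
    Returns (allowed, reason) so a mismatch points at the rule that missed."""
    # 1) NAT lookup: all fields are pre-NAT; the destination zone comes from a
    #    route lookup of the ORIGINAL destination, i.e. the WAN interface's zone.
    _, pre_zone = route_lookup(dst_ip)
    if (nat.from_zone, nat.to_zone, nat.dst, nat.dport) != (src_zone, pre_zone, dst_ip, dport):
        return False, f"NAT rule miss: needs {src_zone}->{pre_zone} for {dst_ip}:{dport}"
    # 2) Security lookup: destination ZONE is post-NAT (zone of the translated
    #    address), but destination ADDRESS and service are still pre-NAT.
    post_if, post_zone = route_lookup(nat.xlate_ip)
    if (sec.from_zone, sec.to_zone, sec.dst, sec.dport) != (src_zone, post_zone, dst_ip, dport):
        return False, f"security rule miss: needs {src_zone}->{post_zone} for {dst_ip}:{dport}"
    # 3) The translated target must be a firewall interface whose management
    #    profile permits a service on the translated port.
    if nat.xlate_port not in MGMT_PROFILES.get(post_if, {}).values():
        return False, f"{post_if} has no management profile service on port {nat.xlate_port}"
    return True, f"allowed: {dst_ip}:{dport} -> {nat.xlate_ip}:{nat.xlate_port} on {post_if}"

# The setup described in the thread: external port 8443 -> loopback port 443.
GOOD_NAT = NatRule("untrust", "untrust", "1.2.3.4", 8443, "192.168.2.1", 443)
GOOD_SEC = SecRule("untrust", "trust", "1.2.3.4", 8443)
```

Running `evaluate("untrust", "1.2.3.4", 8443, GOOD_NAT, GOOD_SEC)` returns allowed; changing the NAT rule's to-zone to "trust" or the security rule's destination to 192.168.2.1 makes the model report which lookup missed.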
08-24-2016 08:21 AM
Hi Reaper
Thanks for the detailed response, I appreciate the assistance
That looks pretty much like how I set it up, but I'll double-check when I'm back at the office tomorrow and let you know
Hopefully I missed something simple
Thanks again!
Sam