Default Management Ports in PAN OS 7.1


L2 Linker

Hi all


The standard guide for configuring a PANW Firewall to allow access to HTTPS/SSH etc from the outside has been this link: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Por...


But with the release of PAN OS 7, the provided instructions no longer work. A loopback interface cannot share an IP address with the management interface.


Given this, what would be the appropriate way to configure Security & NAT policies to allow access to HTTPS management on a non-standard port from an Untrusted interface?


I tried setting the loopback to 192.168.1.2 and 192.168.2.1 (and updating the appropriate Policies of course), but had no luck. Does anyone have any insight to share?


(FYI: obviously I'm aware of the security implications in allowing access to management via HTTPS over the WAN, this is a temporary requirement to pre-stage devices, send them to site, and configure them remotely once they arrive. When the configuration has been completed, management via the WAN will be disabled)


Thanks


Sam

5 REPLIES 5

Cyber Elite

Hi Sam


This article does not stipulate that the IP on the loopback should be the management interface, but I see in the comments that this appears to be misleading; I will add a note in the article (the connection is made to the management profile active on the interface on the dataplane rather than a redirect to the physical management interface).


Literally any IP on the loopback will do the trick, as long as it is not already assigned to the dataplane or management interfaces, and preferably one that is not routed anywhere else in the organization, to prevent conflicts.


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L6 Presenter

I don't know the answer to your question.


But if you have static IP where you are and on the device you are deploying; just leave MGMT access on 443 and limit it to just your public IP address?

Thanks for your response


Possibly I am doing something wrong then - I configured everything as per the article, except for using 192.168.2.1 as the loopback IP address, and was unable to gain management access via the alternative port.


The WAN address was configured with a /30 (i.e. 1.2.3.4/30). I tested via a laptop connected to the Ethernet interface in the Untrusted zone, configured with an interface address of 1.2.3.5/30. When I attempted to access 1.2.3.4:8443, there was no response.


I had a PAT rule in place using a custom Service object of 8443, and the PAT rule translated the destination to 192.168.2.1:443. There was a Security policy allowing access from the Untrusted to Trusted zones, as per the instructions, and the loopback interface was configured with a Management profile allowing access via HTTPS.


When I configured the Ethernet interface in the Untrusted zone with the same Management Profile, I was able to access https://1.2.3.4:443. But I was still unable to access https://1.2.3.4:8443.


Is there anything obvious I may have overlooked?


Sam

OK, so to make sure I wasn't completely sending you into the woods or anything, I did a quick replication, and it works. Lemme add some screenshots:


The external IP of my lab firewall.

The loopback interface with a wildly random IP, management profile 'all', and inside the trust zone.

The mgmt profile allowing me HTTP, HTTPS and SSH.


The NAT rule points at the IP assigned to my external interface on port 7777 and translates to the loopback IP on port 443 (the second one is for a sanity check).

2 NAT rules: the top one to redirect 7777 to ssl, the bottom one as a sanity check to see if normal NAT also worked. They both do.

The security policy.

The interface on 7777.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
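The design in the screenshots above, written out as configure-mode `set` commands. This is an added example, not taken from the thread or from the linked article, and it also applies the source restriction suggested earlier in the thread (limit the rule to the admin's public IP). The object names, the loopback address 10.255.255.1 and the admin address 203.0.113.10 are made up; 1.2.3.4 and port 8443 are the values from Sam's post. The command syntax follows the PAN-OS 7.1 `set` structure from memory and has not been verified on a box, so confirm each line with `?` completion before committing. Lines starting with `#` are annotations, not CLI input.

```text
# Loopback with an address not routed anywhere else in the organization,
# placed in the trust zone and the default virtual router.
set network interface loopback units loopback.1 ip 10.255.255.1
set network virtual-router default interface loopback.1
set zone trust network layer3 loopback.1

# Management profile that exposes HTTPS only (no HTTP/SSH/ping), bound to the loopback.
set network profiles interface-management-profile MGMT-HTTPS-ONLY https yes
set network interface loopback units loopback.1 interface-management-profile MGMT-HTTPS-ONLY

# Objects: the non-standard external port and the single permitted admin source.
set service SVC-MGMT-8443 protocol tcp port 8443
set address ADMIN-PUBLIC-IP ip-netmask 203.0.113.10/32

# Destination NAT. Zones are untrust -> untrust because NAT matches on the
# PRE-NAT destination zone, i.e. the zone that owns 1.2.3.4. Only the
# destination is translated, to the loopback on 443.
set rulebase nat rules NAT-MGMT-REDIRECT from untrust to untrust source ADMIN-PUBLIC-IP destination 1.2.3.4 service SVC-MGMT-8443 destination-translation translated-address 10.255.255.1 translated-port 443

# Security policy. Zones are untrust -> trust because security policy matches
# on the POST-NAT destination zone (the loopback lives in trust), while the
# destination address and service are still the PRE-NAT 1.2.3.4:8443.
set rulebase security rules SEC-ALLOW-MGMT from untrust to trust source ADMIN-PUBLIC-IP destination 1.2.3.4 application [ ssl web-browsing ] service SVC-MGMT-8443 action allow

# When staging is finished, remove the exposure again before the device goes live.
delete rulebase security rules SEC-ALLOW-MGMT
delete rulebase nat rules NAT-MGMT-REDIRECT
```

If the redirected port gets no response while the management profile on the external interface answers on 443 directly, the first things to check are the NAT rule's destination zone (must be the pre-NAT zone, untrust) and the security rule's service (must be the pre-NAT port, 8443), since both are easy to set to the post-NAT values by analogy with the other rule.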

Hi Reaper


Thanks for the detailed response, I appreciate the assistance


That looks pretty much like how I set it up, but I'll double-check when I'm back at the office tomorrow and let you know


Hopefully I missed something simple


Thanks again!


Sam
