
Device not using the default route for Software downloads


L0 Member

Hi,

 

Our PA firewall device is not using the default route for software downloads or content uploads even though no service routes are configured. Any help would be greatly appreciated.

Regards

Lijo

Accepted Solutions

Hi

 

The management plane and dataplane should be considered 2 different hosts when it comes to network connectivity.

The management plane will communicate out of the management port and has an individual default route that is configured in the 'Device' tab of the GUI. You can verify the default-gateway through the CLI via:

 

 

> show system info

hostname: myNGFW
ip-address: 10.0.0.241
netmask: 255.255.255.0
default-gateway: 10.0.0.1

> configure 
Entering configuration mode
[edit]                        
# set deviceconfig system default-gateway 10.0.0.1

The management plane will only use the dataplane's routing table when service routes are set and a source interface is assigned to certain services. The service route will internally route sessions from the management plane, onto the backplane, to the dataplane, where it is seated on a source interface's IP address so proper zone and route lookups can be performed, and security policy applied.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


4 REPLIES

L6 Presenter

Hi...Is the download successful?  Did you configure the DNS server(s) so the PA can resolve the updates server?  

L7 Applicator

By default the path out will be via the mgmt interface.  Is this connected to a network that has access to both DNS and internet?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks all for the valuable responses. The issue has been fixed by adding service routes. I was initially checking with service routes on the passive device, but that didn't succeed, but when I added service routes on the active device the downloads started working.

The problem, I guess, is that the management interface is connected to a network where we have a different default route.

The firewalls have MGMT IPs 10.10.71.24 and 10.10.71.25.

 

FW01(active)> show routing route | match 0.0.0.0
0.0.0.0/0 203.117.20.129 10 A S ethernet1/1.20

 

FW01(active)> traceroute host updates.paloaltonetworks.com
traceroute to updates.paloaltonetworks.com (199.167.52.141), 30 hops max, 40 byte packets
1 (10.10.71.28) 0.564 ms 0.584 ms 0.612 ms
2 (62.6.15.95) 0.726 ms 0.778 ms 0.761 ms
3 (217.32.139.78) 207.832 ms 207.873 ms 207.919 ms
4 (195.165.184.115) 209.578 ms 209.567 ms 209.537 ms
5 (10.10.87.178) 209.893 ms 209.982 ms 210.128 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
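
An added example, not part of any post in this thread: a Python check that applies the accepted answer to the outputs quoted above. If the first traceroute hop lies in the management subnet, the session left through the management port using its own default gateway, not the dataplane route table. The /24 management netmask, the shortened traceroute sample and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample input, modelled on the outputs quoted in this thread.
# The /24 management netmask is an assumption; the thread does not state it.
MGMT_IP = "10.10.71.24"
MGMT_NETMASK = "255.255.255.0"
DATAPLANE_ROUTES = "0.0.0.0/0 203.117.20.129 10 A S ethernet1/1.20"
TRACEROUTE = """\
traceroute to updates.paloaltonetworks.com (199.167.52.141), 30 hops max, 40 byte packets
1 (10.10.71.28) 0.564 ms 0.584 ms 0.612 ms
2 (62.6.15.95) 0.726 ms 0.778 ms 0.761 ms
6 * * *
"""

def first_hop(traceroute_text):
    """Return the address of hop 1, or None if hop 1 did not answer."""
    m = re.search(r"^\s*1\s+\(?(\d+\.\d+\.\d+\.\d+)\)?", traceroute_text, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None

def dataplane_default_next_hop(route_text):
    """Return the next hop of the 0.0.0.0/0 line in 'show routing route' output."""
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0/0":
            return ipaddress.ip_address(fields[1])
    return None

def egress_path(mgmt_ip, mgmt_netmask, route_text, traceroute_text):
    """Heuristic: classify which plane a management-plane session left through."""
    hop = first_hop(traceroute_text)
    if hop is None:
        return "unknown"
    mgmt_net = ipaddress.ip_network(f"{mgmt_ip}/{mgmt_netmask}", strict=False)
    if hop in mgmt_net:
        return "management-port"  # on-link gateway of the management subnet
    if hop == dataplane_default_next_hop(route_text):
        return "dataplane"        # first hop is the dataplane default next hop
    return "unknown"

if __name__ == "__main__":
    print(egress_path(MGMT_IP, MGMT_NETMASK, DATAPLANE_ROUTES, TRACEROUTE))
```
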
