04-08-2016 07:11 AM
Hi,
Our PA firewall device is not using the default route for software downloads or content uploads even though no service routes are configured. Any help would be greatly appreciated.
Regards
Lijo
04-11-2016 02:04 AM
Hi
The management plane and dataplane should be considered 2 different hosts when it comes to network connectivity.
The management plane will communicate out of the management port and has an individual default route that is configured in the 'Device' tab of the GUI. You can verify the default-gateway through the CLI via:
> show system info
hostname: myNGFW
ip-address: 10.0.0.241
netmask: 255.255.255.0
default-gateway: 10.0.0.1
> configure
Entering configuration mode
[edit]
# set deviceconfig system default-gateway 10.0.0.1
The management plane will only use the dataplane's routing table when service routes are set and a source interface is assigned to certain services. The service route will internally route sessions from the management plane, onto the backplane, to the dataplane, where it is seated on a source interface's IP address so proper zone and route lookups can be performed, and security policy applied.
04-08-2016 07:14 AM
Hi...Is the download successful? Did you configure the DNS server(s) so the PA can resolve the updates server?
04-09-2016 11:53 AM
By default the path out will be via the mgmt interface. Is this connected to a network that has access to both DNS and internet?
04-10-2016 10:01 PM
Thanks all for the valuable responses. The issue has been fixed by adding service routes. I was initially checking with service routes on the passive device, but that didn't succeed; when I added service routes on the active device, the downloads started working.
The problem, I guess, is that the management interface is connected to a network where we have a different default route.
The firewalls have MGMT IPs 10.10.71.24 and 10.10.71.25.
FW01(active)> show routing route | match 0.0.0.0
0.0.0.0/0 203.117.20.129 10 A S ethernet1/1.20
FW01(active)> traceroute host updates.paloaltonetworks.com
traceroute to updates.paloaltonetworks.com (199.167.52.141), 30 hops max, 40 byte packets
1 (10.10.71.28) 0.564 ms 0.584 ms 0.612 ms
2 (62.6.15.95) 0.726 ms 0.778 ms 0.761 ms
3 (217.32.139.78) 207.832 ms 207.873 ms 207.919 ms
4 (195.165.184.115) 209.578 ms 209.567 ms 209.537 ms
5 (10.10.87.178) 209.893 ms 209.982 ms 210.128 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *