This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

External Data Port Cabling

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

External Data Port Cabling

Go to solution
Neo.The.One
L2 Linker

‎10-29-2014 02:18 AM

Hallo

i am setting up a new PA 3050 FW. I dont want to use the management port to connect to internet and download updates. So I am following the admin guide to "Set up an External Data Port" for updates. Now as per that:

1. I set up a port, say e1/4 on PA 3050, as an internal port in "L3-Trust" Zone and give it a static IP address 192.168.35.100.

2. I set up an external facing port, say e1/5, in zone "L3-Untrust". This port is connected to my ISP Router and has a publicly routable IP.


Where should I cable the internal facing port e1/4 mentioned in point 1 above? Can I somehow NAT the private address to use the Interface e1/5 IP address?


Thanks!

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
HULK
L7 Applicator

‎10-29-2014 04:30 AM

Hello Amit,

Ethernet-1/4 should be connected to your LAN segment ( there is no physical connection required between MGMT interface and L3-Trust interface) and you need a valid NAT & security policy for all outgoing traffic through L3-Untrust (towards internet).

For an Example: I am using Ethernet 1/3 -192.168.10.100( L3-Trust interface) for my service route.

service-route.jpg

Hope this helps.

Thanks

View solution in original post

0 Likes Likes
7 REPLIES 7

Go to solution
HULK
L7 Applicator

‎10-29-2014 04:30 AM

Hello Amit,

Ethernet-1/4 should be connected to your LAN segment ( there is no physical connection required between MGMT interface and L3-Trust interface) and you need a valid NAT & security policy for all outgoing traffic through L3-Untrust (towards internet).

For an Example: I am using Ethernet 1/3 -192.168.10.100( L3-Trust interface) for my service route.

service-route.jpg

Hope this helps.

Thanks

0 Likes Likes

Go to solution
HULK
L7 Applicator

‎10-29-2014 04:39 AM

Answer to your last query: Yes, you can create a source-NAT for all private address to use the Interface 1/5 IP address.


FYI: In this example, i am using ethernet-1/1 as my L3-Untrust interface ( towards ISP).


NAT RULE:

test-NAT.jpg

Thanks

Go to solution
hshah
L6 Presenter

‎10-29-2014 06:48 AM

Hi Amit,

You can achieve this through service route. I would suggest to have PANW updates through untrust interface directly. That way you dont need any special NAT or Security policy. Its much simpler.

Device > Setup > Services > Service route Configuration > Customize > Palo Alto Networks Updates through Ethernet 1/5.

This should work.

Regards,

Hardik Shah

Go to solution
hshah
L6 Presenter

‎10-29-2014 06:49 AM

And if you want to have updates from ethernet 1/3 than NAT and aditional security policy might require. Which is extra over had.

In that case in above step select interface Ethernet 1/3 to route the PANW update traffic. I dont see any necessity of it.

Go to solution
HULK
L7 Applicator
In response to hshah

‎10-29-2014 07:09 AM

Even if you will configure the service route ( through through Ethernet 1/5-Untrust interface), I hope you have to configure a "Untrust-to Untrust" security rule to allow traffic for management. Which will potentially allow anyone from internet to initiate an attack ( not recommended). There should be some valid logic, why ADMIN guide suggested to have a L3-Trust interface for service route.

Try to understand the fact, instead of "extra over had" Smiley Happy

Thanks

Go to solution
hshah
L6 Presenter
In response to HULK

‎10-29-2014 07:16 AM

Hi Hulk,

There is a default policy which allows "Untrust to Untrust" Traffic. I dont see any security threat with that. Do you see ?

Regards,

Hardik Shah

0 Likes Likes

Go to solution
HULK
L7 Applicator
In response to hshah

‎10-29-2014 07:19 AM

Most of the customers will not have a default allow rule in their production network, which will allow all unwanted traffic through the firewall. Hence, we should suggest some resolution which will be valid and secure for a production network. Smiley Happy

Thanks

0 Likes Likes
  • 1 accepted solution
  • 2876 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks