Maintenance Page redirection via Palo Alto?


L4 Transporter

Hey folks,


We have an HQ site and Colo site.  We are moving our Colo site to a new datacenter.

We have two firewalls in HA.  I've already broken HA and taken the PA#2 over to the new datacenter for early standup.  Leaving PA#1 at the current site Active with user connections, until move day.

On move day, I have this request (requirement) from management that says, "we need a maintenance page during the move that we can set without having to change Public DNS records" (Network Solutions).  The question from management is "Can't we just re-route all incoming requests to our current Public IPs into the Colo firewall to a specific external (anywhere) IP address maintenance page"?

They are trying to eliminate having to change our Public DNS records twice (saving propagation time).  Instead of having to change once for the maintenance page and once for the new IP, do this "re-route" at the firewall option temporarily, and remove it when making the Public DNS records change once.

Any thoughts about it?



Cyber Elite

@OMatlock,

You could do this but you would need to forward it to something that has a cert with a SAN of everything publicly accessible to stop it from throwing a security certificate error. Not a hard thing to do.

Thank you @BPry


Yea, you mean because the IP would change (via NAT I assume) tipping off the certificate for our services?

We do have several.  We do have a wild card in place, but not for everything.

From the sounds of it, may not have enough time (with everything else) to get that setup.

From a networking level.  How would this be done?  I mean, Colo firewall could catch certain Public IP requests and "re-direct" them elsewhere?  Is that a NAT rule?

@OMatlock,

Right. If you have your stuff setup with a wildcard cert that's less of an issue, as the cert technically would cover your maintenance page. For anything that isn't setup like that though you would need a SAN on the cert of your maintenance page to actually include the new host or url in question.

I would just reset the NAT rules to point towards your new maintenance page host. So instead of actually hitting your web-server for example it would hit the server hosting this static page.
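The check implied by this answer, as an added example that is not part of the thread: once every public IP is NAT'd to the maintenance host, browsers still send the original hostname, so the maintenance host's certificate must list each of those names (or a wildcard that covers them). The hostnames and SAN entries below are constructed samples; the matching follows the usual rule that a wildcard covers exactly one leftmost label and not the bare domain.

```python
from typing import Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    A wildcard is honoured only as the entire leftmost label ("*.example.com")
    and matches exactly one label, so it covers www.example.com but neither
    example.com nor portal.app.example.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == hostname


def uncovered_hosts(sans: Iterable[str], public_hosts: Iterable[str]) -> List[str]:
    """List the public hostnames that no SAN entry on the maintenance cert covers.

    Every name returned here would raise a certificate error in the browser
    once its public IP is NAT'd to the maintenance host.
    """
    san_list = list(sans)
    return [h for h in public_hosts if not any(san_matches(s, h) for s in san_list)]


# Constructed sample data (not from the thread): SANs on the maintenance-page
# cert and the hostnames behind the public IPs that will be redirected.
MAINT_CERT_SANS = ["*.example.com", "example.com"]
PUBLIC_HOSTS = [
    "www.example.com",
    "mail.example.com",
    "example.com",
    "portal.app.example.com",  # second-level label: wildcard does not cover it
    "example.net",             # different domain entirely
]

if __name__ == "__main__":
    missing = uncovered_hosts(MAINT_CERT_SANS, PUBLIC_HOSTS)
    if missing:
        print("Add SAN entries (or skip the redirect) for:", ", ".join(missing))
    else:
        print("Maintenance cert covers every redirected hostname.")
```

Run it against the real SAN list (for example from `openssl x509 -noout -ext subjectAltName`) and the list of hostnames behind each NAT'd public IP before move day.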

L6 Presenter

@OMatlock wrote:

They are trying to eliminate having to change our Public DNS records twice (saving propagation time).  Instead of having to change once for maintenance page and once for new IP, do this "re-route" at the firewall option temporary, and remove when making Public DNS records change once.

Any thoughts about it?

What about lowering the TTL on the existing record to a time that would make changes more efficient?

Thank you @BPry

Thank you @Brandon_Wertz

Yea, I am going to test a laptop hanging off our new location tomorrow with our wildcard and test some stuff out.

We use Network Solutions.  Their default TTL is 2 hours.  We may lower it to their minimum of 1 hour.

Thanks for y'alls feedback!

@BPry

Thank you!!  This worked out.  Changed all NAT rules to our maintenance page (on a laptop w/IIS).

We even installed our wildcard; it worked out for what we needed.
