
management interface & service route configuration

Announcements

L0 Member

Hello
I am new to Palo Alto; I did some self-training.
I would like to have more details about the relation between the management interface and the service route configuration.
I am a little bit stuck on when to use the service route configuration.
I think there are several web GUI ways to manage the PA:
- directly connect a PC to the Mgmt interface
- connect the Mgmt interface to a switch with a dedicated VLAN
- connect the Mgmt interface to a switch in the same VLAN as the data interfaces
How does the concept of service route configuration enter into the above cases?
I know that the management interface is used by the PA FW to go on the internet and retrieve updates, etc., but sometimes there is a need to use the service route configuration to point to a service in the LAN data.
I have some ambiguities in mastering this concept and the why and how of the thing.
Thanks


2 REPLIES

Cyber Elite


Thank you for the post @Toufik


Basically, by default all communication that the firewall initiates will be over the management interface. In case you, for whatever reason, can't use the management interface, you can change all services to communicate via a data plane interface instead of the management interface. You can also do it selectively, based on the service you want to communicate over a data plane interface. Here is the KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

In the case of Active/Standby HA you will come across an issue where the standby firewall will not be able to use data plane interfaces (depending on the HA configuration, interfaces are either shut or suspended), so the service route configuration will not work unless the firewall assumes the active role or you change it back to use the management interface.

Connecting the management port to a switch with a dedicated VLAN is the most optimal way. Having the management interface on the same subnet as a data plane interface is possible and it will work; however, I would avoid this for security reasons. The first option you mentioned, connecting the management interface directly to your PC, is of course possible, but outside of a lab environment this is not a scalable option. If you need to change the management interface IP address to the range of the management VLAN, you can do it from the CLI: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK


Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
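As an added illustration of the per-service switch Pavel describes (this is not part of the original reply, nor Palo Alto Networks documentation): the PAN-OS configuration below moves only DNS and content updates from the management interface onto data plane interface ethernet1/3, leaves every other service on the default (management) path, and then reverts DNS, which is what you would do on a standby HA member whose data plane interfaces are down. The interface name ethernet1/3, the addresses 10.10.20.1/24 (the firewall's own address in an assumed "services" VLAN), 10.10.20.254 (its gateway) and 10.10.30.5 (a DNS server in another VLAN), and the static route name to-dns-vlan are all assumptions for illustration.

```text
configure

set deviceconfig system route service dns source interface ethernet1/3
set deviceconfig system route service dns source address 10.10.20.1/24

set deviceconfig system route service paloalto-updates source interface ethernet1/3
set deviceconfig system route service paloalto-updates source address 10.10.20.1/24

set network virtual-router default routing-table ip static-route to-dns-vlan destination 10.10.30.0/24 nexthop ip-address 10.10.20.254

commit
exit

ping source 10.10.20.1 host 10.10.30.5

configure
delete deviceconfig system route service dns
commit
exit
```

Two points the fragment is meant to make. First, the service route only chooses which interface and source address the firewall itself uses; the virtual router still needs a route to the server (hence the assumed static route), and the ping with an explicit source checks that path before you depend on it for name resolution. Second, `delete deviceconfig system route service dns` returns that one service to the management interface without touching the others, which matches Pavel's advice for a standby HA peer.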

@PavelK 

Thanks for your answer

What I understood is that the control plane and the data plane are "physically" separated, and there is no direct communication between the management interface and the WAN output interface (for example).
If I connect my management interface directly to my PC, I will encounter problems connecting to the internet for external services, so this case is to be eliminated since you completely isolate the management plane from any network, and this is what you have confirmed.
But if we connect the Mgmt interface to a switch port, we can declare the data port of the firewall corresponding to the switch port in the service route configuration, and this port becomes the source for external services.
But if we assume that a VLAN is dedicated and that the DNS server is in another VLAN, do we have to set a policy rule to pass the inter-VLAN flow (so inter-zone)?
Actually, is the service route configuration not only used for external services, but also for internal services like DNS?


Kind Regards

Toufik
