When I configure the mgmt interface on its own network and I use the PA for routing, do I need to set up a static route to access the HTTP interface from a different network? Or does a service route take care of this automatically?
I have an HA active/standby pair; do service routes need to be configured on each device?
If the MGT interface is plugged into a downstream switch that acts as a terminus for your LAN/IAPs, then you can access the MGT portal. If you have your MGT interface isolated on a VLAN, yet still want to access it from the users interface, you would create an interface management profile.
Whatever changes you make to one device, these populate over to the other in an HA pair configuration.
In addition to what @LAYER_8 already wrote: from a dataplane interface you cannot connect to the management interface. The dataplane and management plane have separate routing tables. You can access the CLI/web UI over a dataplane interface by configuring an interface management profile. But in an active/standby pair, this way you will be able to access only the active firewall.
The service routes are used if you want to send some management traffic out of an interface other than the management interface (for example, so that the firewall connects to the update servers directly from the internet-facing interface).
In an active/standby high availability pair not everything is synced. All the configurations that are not synced you can find here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchroniza...