I want to apologize in advance. I just haven't been able to find any information on this topic. I have our first brand new PAN firewall and I'm configuring it for use in a remote datacenter where we rent space and we will connect via site-to-site VPN. I got into the FW via the management port and I like the interface. I'm setting up the management interface and that's where the confusion starts. The management interface asks for a default gateway since it needs to talk to Palo Alto for updates, etc. However, I don't have a device in front of the firewall. I thought possibly I could create a sub-interface and point the default gateway at that IP but that would require setting the sub-interface to a security zone which I've read isn't supported for the management interface. In the examples I've seen there is always a device in front of the FW. Please let me know my options.
You would typically have your management interface IP within a subnet that your firewall controls. This means, for example, an interface on the firewall would be configured with a subnet/DHCP etc.; that interface would connect to a switch which also directly connects with the management port.
You could also specify a different interface to use as management interface that has a DFG set. You can change the management interface via Devices>Setup>Services>Service Route Configuration>Customize.
It's not advisable to make your management interface public facing as it can open your network to a wealth of security concerns. If this is the only option or a requirement for your setup you can use the DFG provided by your ISP. I would still recommend using a private IP and NAT via the firewall so you can apply security policies and inspection if you need the management port publicly accessible.
Thanks for the reply but I still don't fully understand. My intention is to create a dedicated management network subnet at this branch office which will be 10.30.99.0/24 for the PAN FW, switches, etc. Since the PAN FW will be doing the routing the L3 interface (also default gateway) would be on the FW itself. So, can I create the L3 interface (10.3.99.1) on the FW and point the management interface default gateway at that interface? I get that I could just leave the default gateway off, configure an IP and plug it into a layer 2 switch on a dedicated VLAN but I would rather it have internet access as I'd like to leave the PA services running on the management port. I don't need to open it up to the internet and we will have a site-to-site VPN to this location so it will have a private IP address. Thanks
Sounds like a standard branch site setup.
Create a Layer3 interface on the firewall and place it in a trusted security zone. Then either create an untagged Layer2 interface for this VLAN and connect the firewall's MGMT port to it via Ethernet cable. If you have additional switches, it makes sense to preserve your firewall interfaces and instead create a Layer2 trunk interface with sub-interfaces (including your new management VLAN) and connect that to the switch. You would then connect the MGMT interface to a switchport on the switch as an access port.
You would then need to configure security policy to allow your management security zone to communicate with your outside untrust zone. The Layer3 interface in the untrust zone if it were connected to the public internet would be responsible for NAT'ing the management traffic which was trying to reach PAN update servers.
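The setup described in the reply above, written out as PAN-OS configuration-mode `set` commands, with a couple of operational-mode checks at the end. This is an added example and not part of the original thread or of any Palo Alto documentation. The 10.30.99.0/24 management subnet comes from the question; everything else is an assumption: ethernet1/1 is the internet-facing interface in a zone named `untrust`, ethernet1/2 is the Layer3 interface for the management VLAN in a zone named `trust-mgmt`, the MGMT port itself gets 10.30.99.10 and is cabled to a switch port in the same VLAN as ethernet1/2, and the App-IDs in the security rule are the minimum I would allow for update traffic (extend the list if other services on the MGMT port need egress). Lines starting with `#` are annotations, not CLI input.

```text
# --- Layer3 interface that becomes the gateway for the management VLAN ---
set network interface ethernet ethernet1/2 layer3 ip 10.30.99.1/24
set network virtual-router default interface ethernet1/2

# --- Put it in its own trusted zone so policy can be scoped tightly ---
set zone trust-mgmt network layer3 ethernet1/2

# --- MGMT port: private address on the same subnet, gateway = the L3 interface above ---
set deviceconfig system ip-address 10.30.99.10 netmask 255.255.255.0 default-gateway 10.30.99.1

# --- Security policy: management subnet may reach the internet only for update-type apps ---
# (assumed App-ID list; tighten or extend to match what the MGMT port actually needs)
set rulebase security rules allow-mgmt-updates from trust-mgmt to untrust source 10.30.99.0/24 destination any application [ paloalto-updates dns ntp ssl ] service application-default action allow
set rulebase security rules allow-mgmt-updates log-end yes

# --- Source NAT behind the untrust interface address (assumes ethernet1/1 is the public side) ---
set rulebase nat rules mgmt-outbound from trust-mgmt to untrust source 10.30.99.0/24 destination any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit

# --- Operational-mode checks after the commit ---
# Confirm the management plane can reach its gateway and an external name
ping source 10.30.99.10 host 10.30.99.1
ping source 10.30.99.10 host updates.paloaltonetworks.com
# Confirm the data plane holds a route for the management subnet and a default route
show routing route
```

Nothing here exposes the MGMT port to the internet: the only public-facing address is the untrust interface, the security rule is one-way (trust-mgmt to untrust, not the reverse), and the NAT rule only translates outbound traffic. If the site-to-site VPN terminates on this firewall, remember that the management subnet still needs its own rule from the VPN zone to `trust-mgmt` before you can manage the box remotely over the tunnel.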