PAN 500 - 4.1.2 - Bypass Mgmt Interface


Hi,

I am pretty new to PAN Firewalls, and my question is really basic.

I would like to use only two interfaces on my Firewall: ethernet1/7 as my LAN and ethernet1/8 as my Internet access.

I would like to avoid using Mgmt Interface port.

I have found a thread which explains how to enable management on any interface through the CLI. And it worked well. I can now admin the box from ethernet1/7.

Now I want to be able to get Internet Access using ethernet1/8 AND I want the firewall to get updates and Internet connectivity through the same interface.

I have left the Management interface gateway in blank.

ethernet1/7 belongs to zone "LAN" and ethernet1/8 belongs to zone "Internet".

ethernet1/8 is directly connected to my ISP router, and I have assigned an IP in the same range as my ISP router.

Both interfaces belong to Virtual Router "default".

I have manually configured a static route to the ethernet1/8 interface: 0.0.0.0/0, next hop IP => IP of my ISP router.

And in the "service route configuration", I have set DNS queries, updates, and some other settings to be reached through ethernet1/8.

Just in case, I have set an allow ALL firewall rule.

First thing weird, when I connect from the console port and I try to ping my ISP router, the ping is unsuccessful. I guess it tries to use the management interface gateway to reach it.

Second, I can't get the Dynamic Updates menus, which clearly shows a routing problem.

Any idea of what could be missing?

Beforehand, thanks.

jdessoliers


Hi there,

"...First thing weird, when I connect from the console port and I try to ping my ISP router, the ping is unsuccessful".

Did you add a cleanup rule at the end of your rulebase with action drop and log? If yes, what do you see in your traffic log regarding the ping?

Hi Roland,

Thanks for the reply.

The only ACL I actually have allows any zone, any IP, any service.

That's why I don't think a cleanup rule would help me.

Adding a final cleanup rule will prove your feeling; otherwise it's hard to tell where the problem lies. Remember, if you do not add a cleanup rule, the PA will silently drop any packets that do not match a security rule.

BTW, what does your ping command from the CLI look like exactly? You can specify the source address. If you cannot ping your ISP's router address there might be an ACL configured on the ISP router. Can you ping 8.8.8.8 for example?


Be sure to configure an IP for management interface, even if you are not using it. Service routes for your dynamic updates, etc, won't send traffic if there is nothing configured for mgmt interface IP. I observed this behavior in my lab and found that this should work.

-Richard
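The setup the original post describes, with Richard's management-IP point and Roland's source-address ping folded in, written out as PAN-OS CLI commands. This is an added example, not configuration from the thread: the addresses are constructed (192.0.2.0/24 is documentation space), the WAN address is static as in the original post, and the command syntax and service names are the ones used in current PAN-OS documentation, assumed to be valid on 4.1.2.

```text
# Added example (constructed addresses; syntax assumed to match PAN-OS 4.1.2)
configure

# Data interfaces: ethernet1/7 = LAN, ethernet1/8 = static WAN address in the ISP router's range
set network interface ethernet ethernet1/7 layer3 ip 10.1.1.1/24
set network interface ethernet ethernet1/8 layer3 ip 192.0.2.10/24
set zone LAN network layer3 ethernet1/7
set zone Internet network layer3 ethernet1/8
set network virtual-router default interface [ ethernet1/7 ethernet1/8 ]

# Default route in virtual router "default" pointing at the ISP router
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 192.0.2.1 interface ethernet1/8

# Service routes: DNS and content/software updates leave from ethernet1/8 instead of the MGT port
set deviceconfig system route service dns source interface ethernet1/8 address 192.0.2.10
set deviceconfig system route service paloalto-updates source interface ethernet1/8 address 192.0.2.10

# Richard's point: the MGT port still needs an address even if it stays unplugged,
# otherwise the service routes above do not send traffic (no gateway is set on purpose)
set deviceconfig system ip-address 10.1.1.254 netmask 255.255.255.0

commit
show deviceconfig system route
exit

# Verification from operational mode:
# which egress interface and next hop the virtual router picks for an Internet address
test routing fib-lookup virtual-router default ip 8.8.8.8
# ping sourced from the WAN address; a bare "ping" leaves via MGT, which has no gateway here
ping source 192.0.2.10 host 8.8.8.8
```

If the fib-lookup returns ethernet1/8 but the sourced ping fails, the drop is upstream of the firewall (ISP router ACL or, as the thread later finds, an ISP router that only talks to DHCP clients).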

Hi Roland,

Almost a layer 8 problem ...

My newly acquired Motorola router provided by my ISP does not allow static IP. It only allows communication if the device is configured as a DHCP client.

I even tried to receive a lease from my laptop, and 15 seconds later, assign the same IP statically to my laptop, and it does not work.

Hopefully 4.1.2 allows PA layer3 interface to be configured as DHCP client.

However, configuring it as a DHCP Client does not allow me to use a service route override, as the provided dynamic address does not appear in the list of IPs I can use to reach services such as Dynamic updates and DNS.

Should be corrected in next release.

Thank you for your time and advices Roland,

Regards,

jdessoliers

Hi there,

I believe DHCP client support has been there since 4.x; I didn't know about the limitation regarding service routes and DHCP-configured L3 interfaces... not nice.

It might be easier to use the mgmt. interface for this purpose then. Is there any particular reason not to?

rgds Roland

My WAN is also a DHCP client per my ISP (Home Lab).

Why don't you just configure the MGMT interface with an IP on your LAN and then just plug the MGMT interface into your LAN segment?

That would get you around the issue with the MGMT interface not initially having an IP, and the updates and stuff will still work fine..

Also, for any incoming NAT rules, I had to create an address entry with my current IP address on the WAN side, in order for the PA to forward traffic in to the internal servers. Not ideal, but that is the only way to get it working right now until the WAN DHCP Client portion of the software is fully fixed. If my IP changes, I have to go in to the Address Book entry and modify it with the newly acquired IP address.

Works perfectly on my PA-500..

My 2 cents..

Mark

Hi Mark,

In the NAT Policy you can define an interface for the destination of the "Original Packet". To my understanding this should solve your problem regarding the DHCP IP address and NAT. This way it will NAT whatever IP address the selected interface is configured with.

Roland

Well, Mark, I know that using the Mgmt Interface would make things a lot easier.

But the reason I posted this thread is that I purposely don't want to use the Mgmt Interface.
