I am pretty new to PAN Firewalls, and my question is really basic.
I would like to use only two interfaces on my firewall: ethernet1/7 as my LAN and ethernet1/8 as my Internet access.
I would like to avoid using the Mgmt interface port.
I have found a thread which explains how to enable management on any interface through the CLI. And it worked well. I can now admin the box from ethernet1/7.
Now I want to be able to get Internet Access using ethernet1/8 AND I want the firewall to get updates and Internet connectivity through the same interface.
I have left the Management interface gateway blank.
ethernet1/7 belongs to zone "LAN" and ethernet1/8 belongs to zone "Internet".
ethernet1/8 is directly connected to my ISP router, and I have assigned an IP in the same range as my ISP router.
Both interfaces belong to Virtual Router "default".
I have manually configured a static route on the ethernet1/8 interface: 0.0.0.0/0, next hop IP => IP of my ISP router.
And in the "service route configuration", I have set DNS queries, updates and some other settings to be reached through ethernet1/8.
Just in case, I have set an allow-all firewall rule.
First weird thing: when I connect from the console port and try to ping my ISP router, the ping is unsuccessful. I guess it tries to use the management interface gateway to reach it.
Second, I can't get the Dynamic Updates menus, which clearly shows a routing problem.
Any idea what could be missing?
Almost a layer 8 problem ...
My newly acquired Motorola router provided by my ISP does not allow a static IP. It only allows communication if the device is configured as a DHCP client.
I even tried to receive a lease from my laptop, and 15 seconds later assign the same IP statically to my laptop, and it does not work.
Hopefully 4.1.2 allows a PA layer 3 interface to be configured as a DHCP client.
However, configuring it as a DHCP client does not allow me to use a service route override, as the provided dynamic address does not appear in the list of IPs I can use to reach services such as Dynamic Updates and DNS.
This should be corrected in the next release.
Thank you for your time and advice, Roland.
My WAN is also a DHCP client per my ISP (Home Lab).
Why don't you just configure the MGMT interface with an IP on your LAN and then plug the MGMT interface into your LAN segment?
That would get you around the issue with the MGMT interface not initially having an IP, and the updates and stuff will still work fine.
Also, for any incoming NAT rules, I had to create an address entry with my current IP address on the WAN side in order for the PA to forward traffic in to the internal servers. Not ideal, but that is the only way to get it working right now until the WAN DHCP client portion of the software is fully fixed. If my IP changes, I have to go into the Address Book entry and modify it with the newly acquired IP address.
Works perfectly on my PA-500..
My 2 cents..
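For reference, the two-interface design discussed in this thread expressed as PAN-OS CLI set commands. This is an added example and not configuration from either poster; the command syntax is assumed from current PAN-OS and should be checked with `?` completion on the release in use, the addresses (LAN 192.168.1.0/24, WAN 203.0.113.0/24, ISP router 203.0.113.1) are constructed placeholders, and the `#` lines are annotations rather than CLI input.

```panos
# Enter configuration mode
configure

# Data-plane interfaces, both members of virtual router "default"
set network interface ethernet ethernet1/7 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/8 layer3 ip 203.0.113.2/24
set network virtual-router default interface [ ethernet1/7 ethernet1/8 ]
set zone LAN network layer3 ethernet1/7
set zone Internet network layer3 ethernet1/8

# Default route toward the ISP router, pinned to the WAN interface
set network virtual-router default routing-table ip static-route to-isp destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/8

# Management on the LAN interface: allow only encrypted management protocols
# and restrict the permitted source range to the admin subnet (constructed value)
set network profiles interface-management-profile lan-mgmt https yes ssh yes ping yes
set network profiles interface-management-profile lan-mgmt permitted-ip 192.168.1.0/24
set network interface ethernet ethernet1/7 layer3 interface-management-profile lan-mgmt

# Service routes: source DNS and content/app updates from the WAN address so the
# firewall does not fall back to the (empty) MGMT gateway. These lines need a
# static WAN address; as noted above, a DHCP-leased address is not selectable
# here on 4.1.2, which is why the MGMT-on-LAN workaround is suggested.
set deviceconfig system route service dns source address 203.0.113.2/24
set deviceconfig system route service dns source interface ethernet1/8
set deviceconfig system route service paloalto-updates source address 203.0.113.2/24
set deviceconfig system route service paloalto-updates source interface ethernet1/8

commit
```

After the commit, `show routing route` should list the 0.0.0.0/0 entry via ethernet1/8, and `ping source 203.0.113.2 host 203.0.113.1` checks reachability from the data plane rather than from the management plane the console ping uses by default.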