Remote access to PA box when internet connection is broken (PANOS update failed) - how to?


L4 Transporter

Hello

 

For a month now I have had a remote branch with a PA200 there. Today I decided to upgrade from 7.0.9 to 7.0.10. According to the change log, 7.0.9 should fix the upgrade problem, but something went wrong and I don't have access to my device.

Today I will solve my problem with a car and a long trip, but for the future I'm looking for a cheap and reasonable solution.

 

Juniper SSG and others have a console port that can be connected to an analog modem, and using a PPP connection from a laptop you can connect to the Juniper box (verified, it's working).

PA boxes don't support this kind of connection, unfortunately (maybe I'm wrong?), so what is the best option to connect to a PA box?

I assume that I can use the Internet link from the ISP and that I have a technician there; this case is simple: a laptop and a USB-to-serial adapter.

In case the technician is unavailable, I have an idea with a Raspberry Pi and a USB LTE modem. But in this case I see a problem with how to connect when the USB modem has a dynamic IP and remote connections are not allowed. A VPN from the Raspberry to the PA in headquarters is, I think, too complicated.

 

Has anyone other ideas?

 

Regards

SLawek

5 REPLIES

L6 Presenter

You can create a rule in the security policy which would make the "Internet" side of your firewall publicly available from a specific source IP. This can be left always on, or only enabled when doing something which might isolate the site.

 

That's free.

 

Or you can look into a device made by Lantronix. It's like a terminal concentrator, but it also has a built-in cellular (3G/4G) modem. So if the site becomes isolated you can remote into the site via a cellular connection.
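One way to implement the first suggestion on PAN-OS, as an added example that is not part of the original reply: an interface management profile limited to a single permitted source address, bound to the Internet-facing interface, plus the intrazone security rule that allows only the management applications from that same source. The profile name, interface, zone name and the address 203.0.113.10 are assumptions.

```text
# PAN-OS CLI, configuration mode. Assumed names: profile OOB-Mgmt,
# interface ethernet1/1 in zone "untrust", admin source 203.0.113.10/32.
configure

# Management profile: only SSH, HTTPS and ping, and only from the one
# permitted source. Without permitted-ip the services would answer to
# anyone who can reach the interface address.
set network profiles interface-management-profile OOB-Mgmt ssh yes
set network profiles interface-management-profile OOB-Mgmt https yes
set network profiles interface-management-profile OOB-Mgmt ping yes
set network profiles interface-management-profile OOB-Mgmt permitted-ip 203.0.113.10/32

# Bind the profile to the Internet-facing Layer 3 interface.
set network interface ethernet ethernet1/1 layer3 interface-management-profile OOB-Mgmt

# Traffic to the firewall's own untrust address enters and is answered in
# the untrust zone, so the rule is untrust-to-untrust, limited to the same
# source and to the management applications. Logging at session end keeps
# a record of every remote management session.
set rulebase security rules Allow-OOB-Mgmt from untrust to untrust
set rulebase security rules Allow-OOB-Mgmt source 203.0.113.10
set rulebase security rules Allow-OOB-Mgmt destination any
set rulebase security rules Allow-OOB-Mgmt application [ ssh ssl panos-web-interface ping ]
set rulebase security rules Allow-OOB-Mgmt service application-default
set rulebase security rules Allow-OOB-Mgmt action allow
set rulebase security rules Allow-OOB-Mgmt log-end yes

commit
```

This only helps while the dataplane is up and the configuration has committed; it does not cover the case described further down in the thread, where a failed autocommit left the device with no interfaces at all.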

Cyber Elite

I'm not sure why you couldn't do the exact same thing on the Palo Alto? If you were running an analog modem previously into the console port, then you do the same thing with the Palo Alto and you will have out-of-band access to the PA's CLI. Alternatively, I imagine that if you were okay with dialup-like speeds you could plug into the management port and give yourself GUI access the same way.

L6 Presenter

Just to add some more things: as for the dynamic IP, you can set up a dynamic DNS agent inside your network that will constantly update the DNS, so you can always use a DNS name instead. I have this set up. changeip.com is a good one.

Hello

 

As today's example, my device was completely without Internet connection because the device couldn't autocommit due to an AV database failure (sh interfaces all shows NO interfaces available).

 

I will check the Lantronix device - thx.

L4 Transporter

In the Juniper world the name of the port is AUX.

from http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreen-systems60/HW_SSG5_600.pdf

"The auxiliary (AUX) port is an RJ-45 serial port wired as a DTE that you can connect to a modem to allow remote administration. We do not recommend using this port for regular remote administration. The AUX port is typically assigned to be the backup serial interface. The baud rate is adjustable from 9600 bps to 115200 bps and requires hardware flow control"
 
 
I tried to connect the same modem that I used with the Juniper to the PA200, but it didn't work 😞
 