09-22-2016 07:49 AM
Hello
For a month I have had a remote branch with a PA200 there. Today I decided to upgrade from 7.0.9 to 7.0.10. According to the change log, 7.0.9 should fix the upgrade problem, but something went wrong and I don't have access to my device.
Today I will solve my problem using a car and a long trip, but for the future I'm looking for a cheap and reasonable solution.
Juniper SSG and others have a console port that can be connected to an analog modem, and using a PPP connection from a laptop you can connect to the Juniper box - verified - it's working.
PA boxes don't support this kind of connection unfortunately (maybe I'm wrong?), so what is the best option to connect to a PA box?
I assume that I can use the internet link from the ISP and I have a technician there - this case is simple - laptop and USB-to-serial adapter.
In the case when a technician is unavailable, I have an idea with a Raspberry Pi and a USB LTE modem. But in this case I see a problem: how to connect when the USB modem has a dynamic IP and remote connection is not allowed. VPN from the Raspberry Pi to the PA in headquarters - I think is too complicated.
Does anyone have other ideas?
Regards
SLawek
09-22-2016 10:14 AM
You can create a rule in security policy which would make the "Internet" side of your firewall publicly available from a specific source IP. This can be left always on or only enabled when doing something which might isolate the site.
That's free.
Or you can look into a device made by Lantronix. It's like a terminal concentrator, but also has a built-in cellular (3G/4G) modem. So if the site becomes isolated you can remote into the site via a cellular connection.
09-22-2016 10:48 AM
I'm not sure why you couldn't do the exact same thing on the Palo Alto? If you were running an analog modem previously into the console port then you do the same thing with the Palo Alto and you will have out-of-band access to the PA's CLI. Alternatively, I imagine that if you were okay with dialup-like speeds you could plug into the management port and give yourself GUI access the same way.
09-22-2016 11:02 AM
Just to add some more things: as for dynamic IP, you can set up a dynamic DNS agent inside your network that will constantly be updating a DNS so you can always use a DNS name instead. I have this setup. changeip.com is a good one.
09-22-2016 12:10 PM
Hello
As today's example, my device was completely without internet connection because the device can't autocommit because of an AV database failure (sh interfaces all show NO interfaces available)
I will check Lantronix device - thx.
09-22-2016 12:22 PM
In the Juniper world the name of the port is AUX
from http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreen-systems60/HW_SSG5_600.pdf
"The auxiliary (AUX) port is an RJ-45 serial port