Routing to/from the Management Interface

I have two new PA-455-5G firewalls running 11.2.3. These have 8 ethernet interfaces, two management ports, and two console ports. I have configured the management ports as 10.0.0.1 & .2 respectively on FW1 & FW2. These will be in A/P HA, so I want to be able to manage the firewalls individually via these management ports. I do NOT want to use one of the 8 ethernet ports.

I have finished the initial config, and it looks like this:

Ethernet1/1: Primary internet
Ethernet1/2: Secondary internet
Ethernet1/3 (and sub-interfaces): LAN/VLANs
Ethernet1/7: HA2
Ethernet1/8: HA1 backup
Management Ports (a.k.a. MPs): HA1 (10.0.0.1/29 primary and 10.0.0.2/29 secondary)

I have a single default router configured, and this FW pair is the primary router for the LAN. I have security policies in place that allow certain VLANs to communicate with the management ports, and that rule is being hit as expected when trying to access or ping the MPs, but I cannot get to them at all from the LAN, nor can they get out to the internet (so that I can use them as the primary service route).

I have tried adding them to the default router, but there does not seem to be a way to do that. I also tried adding a new VLAN for them, but there is also no way to assign the MPs to a VLAN.

So - How the heck do you get these ports to be accessible from the LAN and allow them to get out to the internet? I cannot find anything in the admin guide that shows this.


Community Team Member

Hi @R.Rehart ,

The mgmt ports are entirely out-of-band and cannot be added to the VR.

By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance.

Source:

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/getting-started/integrate-the-firewall-in...

Consider the management interface as a standalone host on your network. It connects via a cable from the management port to an access port on the switch, within the management VLAN designated for your network. Like any other network, you can route it to a FW data-port interface to go through the FW and to the internet, for which it requires an allow policy and NAT configuration.

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Thanks, Kiwi, but that isn't what I was looking for. I solved the problem by adding a gateway address in the same subnet as the management ports to the default VR and changing their gateway to point there. Now, I can route between the LAN and the management ports without issue.
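
Putting Kiwi's explanation (management port as a standalone host, routed through a data-plane interface with an allow policy and NAT) together with the fix R.Rehart describes (a gateway address in the management subnet on the default VR, and the MPs' gateway pointed at it), here is an added example in PAN-OS `set` CLI syntax. It is not configuration from this thread or from Palo Alto Networks' documentation. Only the management addresses 10.0.0.1/29 and 10.0.0.2/29 and the interface roles come from the post; the sub-interface ethernet1/3.100 with VLAN tag 100, the gateway 10.0.0.6, the zone names LAN, MGMT and UNTRUST, the admin VLAN 10.10.10.0/24 and the hostnames are assumptions. Lines beginning with `#` are annotations, not CLI input.

```panos
# Added example, not the thread's or Palo Alto Networks' own configuration.
# Assumed: sub-interface ethernet1/3.100 / VLAN 100, gateway 10.0.0.6,
# zones LAN / MGMT / UNTRUST, admin VLAN 10.10.10.0/24, hostname FW1.
# From the thread: MPs at 10.0.0.1/29 (FW1) and 10.0.0.2/29 (FW2), ethernet1/1
# as primary internet, ethernet1/3 as the LAN trunk.
# Entered in configure mode. Network and rulebase lines are synced by HA;
# the deviceconfig system lines are local and are set on each firewall.

# 1. Give the default virtual router an address inside the management /29.
#    A tagged sub-interface on the LAN trunk; the switch ports holding the
#    MGT cables are access ports in the same VLAN.
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 tag 100
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 ip 10.0.0.6/29
set network virtual-router default interface ethernet1/3.100
set zone MGMT network layer3 ethernet1/3.100

# 2. Point the management interface at that address (on FW2: ip-address 10.0.0.2).
set deviceconfig system hostname FW1
set deviceconfig system ip-address 10.0.0.1 netmask 255.255.255.248 default-gateway 10.0.0.6

# 3. Limit who may reach the management plane and over which services.
#    permitted-ip is enforced by the MGT interface itself, independently of
#    the rulebase; traffic arrives without NAT, so the admin host's address
#    is what it sees.
set deviceconfig system permitted-ip 10.10.10.0/24
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes

# 4. Security policy: admin VLAN to the management subnet, management apps only.
set rulebase security rules allow-admin-to-mgmt from LAN to MGMT
set rulebase security rules allow-admin-to-mgmt source 10.10.10.0/24 destination 10.0.0.0/29
set rulebase security rules allow-admin-to-mgmt application [ ssh ssl ping ] service application-default action allow
set rulebase security rules allow-admin-to-mgmt log-end yes

# 5. Outbound: management subnet to the internet through the primary link,
#    source-translated to ethernet1/1's address, so the MGT-based service
#    route (updates, DNS, NTP) works.
set rulebase security rules allow-mgmt-out from MGMT to UNTRUST source 10.0.0.0/29 destination any application [ dns ntp ssl paloalto-updates ] service application-default action allow
set rulebase nat rules mgmt-out-snat from MGMT to UNTRUST source 10.0.0.0/29 destination any service any to-interface ethernet1/1
set rulebase nat rules mgmt-out-snat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

After the commit, `test routing fib-lookup virtual-router default ip 10.0.0.1` should return the connected route via ethernet1/3.100, and `ping host <internet address>` from the CLI (which uses the management plane's gateway) exercises the NAT path; the allow-admin-to-mgmt rule should then appear in the traffic log for SSH/HTTPS sessions from the admin VLAN. Because management reachability now depends on the data-plane rulebase, keep the permitted-ip list and a console connection so a rulebase mistake cannot lock both firewalls out. In the A/P pair only the active unit forwards on ethernet1/3.100, which is fine: both MPs sit on the same switch VLAN and use the same 10.0.0.6 gateway.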
