01-21-2025 12:16 PM - edited 01-21-2025 12:30 PM
I have two new PA-455-5G firewalls running 11.2.3. These have 8 ethernet interfaces, two management ports, and two console ports. I have configured the management ports as 10.0.0.1 & .2 respectively on FW1 & 2. These will be in A/P HA, so I want to be able to manage the firewalls individually via these management ports. I do NOT want to use one of the 8 ethernet ports.
I have finished the initial config, and it looks like this:
Ethernet1/1 Primary internet
Ethernet1/2 Secondary internet
Ethernet1/3 (and sub-interfaces) LAN/VLANs
Ethernet 1/7 HA2
Ethernet 1/8 HA1 backup
Management Ports (a.k.a. MPs) HA1 (10.0.0.1/29 primary and 10.0.0.2/29 secondary)
I have a single default router configured, and this FW pair is the primary router for the LAN. I have security policies in place that allow certain VLANs to communicate with the management ports, and that rule is being hit as expected when trying to access or ping the MPs, but I cannot get to them at all from the LAN, nor can they get out to the internet (so I can use them as the primary service route).
I have tried adding them to the default router, but there does not seem to be a way to do that. I also tried adding a new VLAN for them, but there is also no way to assign the MPs to a VLAN.
So - How the heck do you get these ports to be accessible from the LAN and allow them to get out to the internet? I cannot find anything in the admin guide that shows this.
01-24-2025 07:20 AM
Thanks, Kiwi, but that isn't what I was looking for. I solved the problem by adding a gateway address in the same subnet as the management ports to the default VR and changing their gateway to point there. Now, I can route between the LAN and the management ports without issue.
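As an added illustration (not configuration posted by either participant), here is how the fix described above could be expressed in PAN-OS set-format CLI on FW1. The sub-interface ethernet1/3.100 with VLAN tag 100, the zone names mgmt/lan/untrust, the gateway address 10.0.0.6 and the NAT to ethernet1/1 are all assumptions; the approach only works if the MGT ports are cabled into the same Layer 2 segment as that sub-interface.

```text
# Added example, not from the thread. Assumptions: MGT ports of FW1/FW2 are on the same
# switch VLAN as sub-interface ethernet1/3.100 (tag 100); zone names mgmt, lan, untrust;
# 10.0.0.6/29 is the data-plane address that acts as gateway for the management subnet.
configure

# Data-plane sub-interface that becomes the gateway for the 10.0.0.0/29 management subnet
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 tag 100
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 ip 10.0.0.6/29
set network virtual-router default interface ethernet1/3.100
set zone mgmt network layer3 ethernet1/3.100

# Management interface of FW1 (FW2 uses 10.0.0.2); its default gateway now points at the
# data-plane sub-interface, so LAN <-> MGT and MGT -> internet traffic is routed and
# policy-checked by the firewall itself
set deviceconfig system ip-address 10.0.0.1 netmask 255.255.255.248 default-gateway 10.0.0.6

# Allow only the management applications from the LAN to the MGT subnet
set rulebase security rules allow-lan-to-mgmt from lan to mgmt source any destination 10.0.0.0/29 application [ ping ssh web-browsing ssl ] service application-default action allow

# Let the MGT subnet reach the internet (service routes via MGT), with source NAT
# behind the primary internet interface, as the reply below notes is required
set rulebase security rules allow-mgmt-out from mgmt to untrust source 10.0.0.0/29 destination any application any service application-default action allow
set rulebase nat rules mgmt-out from mgmt to untrust source 10.0.0.0/29 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Keep the LAN-to-mgmt rule as narrow as the listed applications; the management plane is reachable from the data plane only because of this rule, so it is the one place to enforce which VLANs may manage the firewalls.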
01-22-2025 02:56 AM
Hi @R.Rehart,
The mgmt ports are entirely out-of-band and cannot be added to the VR.
By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance:
Source:
Consider the management interface as a standalone host on your network. It connects via a cable from the management port to an access port on the switch, within the management VLAN designated for your network. Like any other network, you can route it to a FW data-port interface to go through the FW and to the internet, for which it requires an allow policy and NAT configuration.
Hope this helps,
-Kim.