Switch port configuration for management interface on HA pair

cancel
Showing results for 
Search instead for 
Did you mean: 

Switch port configuration for management interface on HA pair

L0 Member

Are there any recomendations or requirements to configure a switch port for management interface for a PA firewall?

Should it be an access port or could it be a 802.1q port (trunk mode)?

Are there any recomendations to enable/disable/specify lldp/cdp/vtp/igmp/spf on switch port for management interface?

If the management interface will be used for backup of HA1 interface/traffic is there any addicional recomendations?

Any problems if ip address of management interface resides on the same subnet of inside/trusted zone/interface on the same firewall/ha pair and default gateway of management interface point to the ip address of inside interface?

I know that it could be an access port or directly connected to a management pc using a regular cat5e/cat6 patchcord.

Thanks,PA_mgmt_interface.jpg

2 ACCEPTED SOLUTIONS

Accepted Solutions

L4 Transporter

I am not sure about later PaloAlto models, but on mine at least, the dedicated management interface does not support VLAN tagging. You must connect it to an access switch port. Generally, you want the management interface on a separate subnet, accessible only from specific devices. Though I don't believe it will cause any specific errors if it is on the same subnet as the internal Trust zone.

 

One thing to make sure of though, is that the HA data and management ports are on a completely separate network, that there are no explicit routes to over the data or management interfaces to the same IP ranges.

View solution in original post

Cyber Elite
Cyber Elite

@SilvioReis,

The management interface should be an access port, the interface itself doesn't support tagging. Your current design would work perfectly fine, the management IP can be on the same interface as the trust zone without any issues. 

View solution in original post

3 REPLIES 3

L4 Transporter

I am not sure about later PaloAlto models, but on mine at least, the dedicated management interface does not support VLAN tagging. You must connect it to an access switch port. Generally, you want the management interface on a separate subnet, accessible only from specific devices. Though I don't believe it will cause any specific errors if it is on the same subnet as the internal Trust zone.

 

One thing to make sure of though, is that the HA data and management ports are on a completely separate network, that there are no explicit routes to over the data or management interfaces to the same IP ranges.

Cyber Elite
Cyber Elite

@SilvioReis,

The management interface should be an access port, the interface itself doesn't support tagging. Your current design would work perfectly fine, the management IP can be on the same interface as the trust zone without any issues. 

Cyber Elite
Cyber Elite

Hello,

I protect my management interface with the Palo Alto in a 'management network'. I create a vlan , lets call it mgmt, and anchor it on the Palo Alto, meaning the vlan IP is on the Palo Alto so i can create security policies to protect it as to who can connect in the first place, .e.g AD group fw_admins are the only ones that can even get into the vlan.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!