08-28-2018 07:48 AM
Hello All,
We were setting up a Palo Alto firewall and made all the basic configuration to run a test on the production environment. However, when connecting to the production environment, we could see that all the traffic from the Palo Alto firewall was going through the management port, and we had already defined the routes with the interface and next-hop IP address.
For example, if we want to reach the public IP from the provider that is directly connected, the traffic goes to the management port, then the traffic goes inside the LAN and it gets stuck there forever.
We are only working with static routes and we haven't specifically defined a route for the management port; the only place where we configured this is under Device -> Configuration -> Management -> Default Gateway, but for some reason all the traffic is going over this interface?
Could somebody give some insight?
Regards
08-28-2018 09:43 AM
Hello,
From the sounds of it, the static routes are pointing at the management port IP address or port. The management port is used only for management; that is why it has its own config under the Setup tab.
I would start by checking your routes on your other devices and then on the PAN virtual router.
Hope that helps.
08-28-2018 10:31 AM
I assume you mean management traffic (device updates, licensing, etc.) and not user traffic.
By default, all management traffic exits via the management interface. If you want it to exit another route, this can be configured via Service Route Configuration (Device -> Setup -> Services).
If that is what you are intending to do, I recommend against having this traffic exit directly to an untrusted network. Instead, have it exit to an internal network, then traverse back through the firewall to be scanned, just in case something nefarious is going on.
08-28-2018 10:53 AM
Hello Otaka,
This is a sample of our configuration
Network -> VirtualRouter1 -> Interface ethernet1/1 (Layer 3 interface) -> outside (zone to internet) -> IP address: public IP
Network -> VirtualRouter1 -> Interface ethernet1/2 (Layer 3 interface) -> inside (zone to LAN) -> IP address: private IP 192.168.0.x/24
For management purposes we have:
Device -> Interfaces -> Management -> IP address 192.168.14.x/24 with a default gateway of 192.168.14.1
For some reason, even the traffic that matches the default route 0.0.0.0/0 via ethernet1/1 to the public IP is being routed to 192.168.14.1.
Thanks for the fast answer.
Regards
08-28-2018 11:21 AM
Hello Joe,
I'm afraid even user traffic is going through management; we are unable to send any type of traffic through the other interfaces.
Regards
08-28-2018 11:23 AM
This is how the firewall is designed. The management traffic from the firewall by default does not use the routes configured in the virtual router. The virtual router and the management port are essentially two completely separate routing instances. This makes it possible for traffic from the management port to be routed through your network and then also through your Palo Alto firewall to apply security profiles and other protections (even though this would also be possible with service routes).
If you want the traffic to be sent directly to the internet, then you could configure service routes (which I wouldn't recommend). This way the firewall connects for updates, or whatever you configure, directly via the interface that you specify.
08-28-2018 11:25 AM
@the_jonathan wrote:
Hello Joe,
I'm afraid even user traffic is going through management; we are unable to send any type of traffic through the other interfaces.
Regards
Where do you see that user traffic is routed through the management port?
08-28-2018 11:30 AM
Hello Joe,
As an example, when we do a traceroute from the firewall to the Google DNS 8.8.8.8 (when the firewall was directly connected to the ISP), the traceroute showed us that the packet was sent to the gateway of the management interface and stayed inside our LAN until the TTL went to 0, because our LAN sent it back to the firewall, and so on.
We have read the manuals and tried configuring this very basic, simple point-to-point (firewall to ISP) connection, and still all the traffic is going through the management port.
Regards
08-28-2018 11:34 AM
Hello @Remo
Yes, indeed we have seen that the management interface is in a completely different "section" of the firewall, and we have configured it according to the manuals.
I am afraid we do not want to send traffic directly to the internet for the Palo Alto services; we want it to "go" into our LAN through the management port, as it is configured, and then pass again through the firewall as standard traffic from the LAN.
Regards
08-28-2018 11:35 AM
Unless you traceroute or ping with the source argument, it is management traffic and will go out the management interface.
traceroute source <source IP address> host 8.8.8.8
When I describe user traffic, I mean traffic from one zone (trusted, likely) to another (untrusted, likely).
08-28-2018 02:06 PM
Hello @JoeAndreini @Remo and @OtakarKlier
Thank you very much for all your support. FYI, our issue was pretty stupid, but we saw that the interface had no management profile assigned, therefore no traffic was allowed from any zone into the firewall.
Once we assigned a management profile to the interface (with ping enabled), we were able to successfully connect the ISP provider to the Palo Alto firewall.
Thanks a lot for your support.
Regards
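As an added example that is not part of the original thread, the PAN-OS CLI session below ties together the points made above: management-plane traffic follows the MGT default gateway rather than the virtual router (Remo's and Joe's replies), a ping or traceroute only exercises the dataplane when given the source argument (Joe's reply), service routes are the opt-in way to move firewall-originated traffic off the MGT port (Otakar's reply), and a Layer 3 interface needs an Interface Management Profile before it answers ping (the final post). The prompt "admin@PA", the profile name "allow-ping", the inside address 192.168.0.1 and the virtual router name "VirtualRouter1" from the thread are assumptions for illustration; the "##" lines are annotations, not CLI input; exact keyword syntax can differ between PAN-OS releases, so check it against the CLI's tab completion before pasting.

```text
## 1. Two separate routing instances: the management plane has its own
##    default gateway, the virtual router holds the dataplane routes.
admin@PA> show interface management
admin@PA> show routing route virtual-router VirtualRouter1

## 2. A plain traceroute is sourced from the management plane, so it
##    follows the MGT default gateway (192.168.14.1 in the thread) and
##    loops inside the LAN until the TTL expires, exactly as described.
admin@PA> traceroute host 8.8.8.8

## 3. With the source argument the probe leaves from a dataplane
##    interface and is routed by the virtual router's 0.0.0.0/0 via
##    ethernet1/1. 192.168.0.1 is an assumed address on ethernet1/2.
admin@PA> ping source 192.168.0.1 host 8.8.8.8
admin@PA> traceroute source 192.168.0.1 host 8.8.8.8

## 4. Ask the dataplane which route it would select, without sending
##    any packet.
admin@PA> test routing fib-lookup virtual-router VirtualRouter1 ip 8.8.8.8

## 5. The fix from the final post: an Interface Management Profile that
##    permits ping, bound to the Layer 3 interfaces ("allow-ping" is an
##    assumed name).
admin@PA> configure
admin@PA# set network profiles interface-management-profile allow-ping ping yes
admin@PA# set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
admin@PA# set network interface ethernet ethernet1/2 layer3 interface-management-profile allow-ping

## 6. Service routes: with none configured (the default, and what the
##    original poster wants) firewall-originated traffic exits the MGT
##    port into the LAN and re-enters the firewall as ordinary LAN
##    traffic, where security policy inspects it. Confirm nothing is set:
admin@PA# show deviceconfig system route
## Only if direct egress is really required would a service route be
## added, for example for Palo Alto Networks update services; the thread
## advises against sending this straight to an untrusted interface:
##   set deviceconfig system route service paloalto-networks-services source interface ethernet1/1 address <public IP>

admin@PA# commit
```

The useful habit here is step 4 followed by step 3: fib-lookup shows what the virtual router would do, and a sourced traceroute shows what actually happens on the wire, so a mismatch between the two points at the interface (profile, zone, address) rather than at the routing table.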