Traffic going through Management port

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Traffic going through Management port

L1 Bithead

Hello All,

 

We were setting up a PaloAlto Firewall and made all the basic configuration to make a test on the production environment, however when connecting to the production environment, we could see that all the traffic from the PaloAlto firewall was going through the management port and we have already defined the routes with the interface and next hop ip address.

 

For example if we want to reach the public IP from the provider that is directly connected, the traffic goes to the management port, then traffic goes inside the LAN and it gets stuck there forever.

 

We are only working with static routes and we haven't specifically detailed a route for the management port, the only place where we configured this is in the device->configuration->management->default gateway, but for some reason al the traffic is going over this interface?

 

Could somebody give some insight?

 

Regards

1 accepted solution

Accepted Solutions

unless you traceroute or ping with the source argument, it is management traffic and will go out the management interface.

 

traceroute source <source IP address> host 8.8.8.8

 

When I describe user traffic, I mean traffic from one zone (trusted likely) to another (untrusted likely)

View solution in original post

10 REPLIES 10

Cyber Elite
Cyber Elite

Hello,

From the sounds of it the static routes are pointing at the management port ip address or port. The management port is used just for management, that is why it has its own config under the setup tab. 

 

I would start by checking your routes on your other devices and then on the PAN virtual router.

 

Hope that helps.

L4 Transporter

I assume you mean management traffic - device updates, licensing, etc. and not user traffic.

 

By default all management traffic exits via the management interface.  If you want it to exit another route, this can be configured via Service Route Configuration (Device -> Setup -> Services)

 

If it is what you are intending to do, I recommend against having this traffic exit directy to an untrusted network.  Instead, have it exit to an internal network, then traverse back through the firewall to be scanned, just in case something nefarious is going on.

Hello Otaka,

 

This is a sample of our configuration

 

Network->VirtualRouter1->Interface ethernet1/1(interface layer3)->outside (zone to internet)-> ip address: public ip

Network->VirtualRouter1->Interface ethernet1/2(interface layer3)->inside(zone to lan)->ip address: private ip 192.168.0.x/24

 

For Management purposes we have

Device-> Interfaces -> Management->Ip add 192.168.14.x/24 with a default gateway 192.168.14.1

 

For some reason, even the traffic that has a default route 0.0.0.0/0 ethernet 1/1 to public ip is being routed to 192.168.14.1

 

Thanks for the fast answer.

 

Regards

Hello Joe,

 

Im afraid even user traffic is going through management, we are unable to send any type of traffic through the other interfaces.

 

Regards

Hi @the_jonathan

 

This is how to firewall is designed. The management traffic from the firewall by default does not use the routes configured in the virtual router. The virtual router and the management port are kind of comoletely separate routing instances. This makes it possible that traffic from the management port can be routed through your network and then also through your paloalto firewall to apply security profiles and other protections (even though this would be also possible with service routes).

If you want to have the traffic to be sent directly to the internet then you could configure service routes (what I wouldn't recommend). This way the firewall connects for updates, or whatever you configure, directly to that interface that you specify.


@the_jonathan wrote:

Hello Joe,

 

Im afraid even user traffic is going through management, we are unable to send any type of traffic through the other interfaces.

 

Regards


Where do you see that usertraffic is routed through the management port?

Hello Joe,

 

As an example, when we do a traceroute from the firewall to the google dns 8.8.8.8 (when the firewall was directly connected to ISP), the traceroute showed us that the packet was sent to the gateway of the Management interface and stayed inside of our LAn until the TTL went to 0, because our LAN sent it back to the firewall and so on.

 

We have read the manuals and tried configuring this very basic simple point to point (firewall to isp) connection and still all the traffic is going through management port.

 

Regards

 

 

Hello @Remo

 

Yes, indeed we have seen that management interface is completely on a different "section" of the firewall and we have configured according to the manuals.

 

I am afraid we do not want to send traffic directly to the internet for the services of paloalto, we want it to "go" into our LAN through the management port as it is configured and then pass again through the firewall as standard traffic from the LAN.

 

Regards

unless you traceroute or ping with the source argument, it is management traffic and will go out the management interface.

 

traceroute source <source IP address> host 8.8.8.8

 

When I describe user traffic, I mean traffic from one zone (trusted likely) to another (untrusted likely)

Hello @JoeAndreini @Remo and @OtakarKlier

 

Thank you very much for all your support, FYI our issue was pretty stupid, but we saw that the interface had no management profile assigned, therefore no traffic was allowed from any zone to inside the firewall.

 

Once we assigned a management profile to the interface (with ping enabled) we were able to succesfuly connect ISP provider to PaloAlto Firewall.

 

Thanks a lot for your support.

 

Regards

  • 1 accepted solution
  • 18016 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!