10-12-2023 11:52 AM
Had a new PA440 delivered to a remote location. I am able to ping the device (192.168.1.1) but am not able to HTTPS or SSH into it. Assuming that my IT person at the remote location has the device plugged into the MGT port and in the switch, which since I ping it I am assuming that is the case I am not sure why I can not get in at least with SSH unless something has changed since I set up the last PA.
It's a flat 255.255.255.0 network that is not on the 192.168.1.1 subnet. I log into a VM located on a server at the location where the PA is plugged into. The server and PA are plugged into the same switch. I added a 2nd virtual nic to the VM and static IP it to 192.168.1.10/24
I can ping the PA, but HTTPS says the server took too long or timed out, and SSH says connection rejected. Before I run out there and try to use a console cable to access it, am I missing something? Is there some known issue or bug?
10-15-2023 08:43 PM
Hi @dahoove ,
I would double-check that the Palo was connected to the same switch and verify whether or not there is another device on the same network that has a conflicting IP. I would also verify default management access methods like SSH and HTTPS weren't unchecked and committed. It is unlikely there is a software issue causing this. Do you remember which code was running on the PA-440?
10-16-2023 05:01 AM
It is brand new out of the box, never been logged into by anyone. Nothing was turned off by us; no clue what version it's running since I cannot get in. It should have its default out-of-the-box setting, and there is nothing in that building with the 192.168.1.0/24 IP range. It's a small remote site that has 2 switches on a flat network, no other subnets.
I will just drive out there with a console cable and see if I can get in that way.
10-16-2023 10:32 AM
Please let us know what you find. Safe travels!
10-16-2023 02:11 PM
Hello,
If you have a semi technical person onsite, perhaps configure their nic to the 192.168.1.x/24 network and then hot spot the same laptop? This might give you the access you need prior to driving.
Just a thought.
11-28-2023 06:12 PM
I'm wondering how could the issue be solved by hot spotting into the same laptop?
11-29-2023 06:40 AM
Hey,
I would verify that the mgmt interface is configured correctly via console:
configure
set deviceconfig system type static
set deviceconfig system ip-address 192.168.1.55 netmask 255.255.255.0 default-gateway 192.168.1.254 dns-settings servers primary
set deviceconfig system service disable-https no disable-ssh no disable-icmp no
And I would listen to the other advice that was put in here and try a different IP, like 192.168.1.55, something odd, and if you need to, change the default gateway IP address.
And if that doesn't work, I would configure a new interface via a console cable with an interface-mgmt-profile, and that way I can be sure that I did everything correctly.
These are the CLI commands; change the port number or the IP address as you need.
set network profiles interface-management-profile ssh_https_ping https yes ssh yes icmp yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile ssh_https_ping ip 192.168.1.59
set zone trust network layer3 ethernet1/1
set network virtual-router default interface [ ethernet1/1 ]
set network virtual-router default routing-table ip static-route DFG destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 192.168.1.254
commit
12-01-2023 10:49 AM
Hello,
Grab a laptop and give it an IP on the same subnet and plug it directly into the management port. This is the best way to test it to make sure nothing else is blocking it.
Regards,
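
An added example, not part of any reply in this thread: a small Python check that separates "connection refused" from "timed out" on the SSH and HTTPS ports, which is the distinction the original symptoms hinge on. The function names `probe` and `interpret` and the wording of the hints are assumptions made for this illustration; the address is the one given in the thread.

```python
import errno
import socket

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<ERRNO>' for one TCP connect."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # a host answered with RST: nothing listening there
    except socket.timeout:
        return "timeout"      # no answer at all: dropped, filtered or misrouted
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, "UNKNOWN")
    finally:
        sock.close()

def interpret(results):
    """Turn {port: state} into a hint, using the causes raised in the thread."""
    states = set(results.values())
    if states == {"open"}:
        return "management services reachable"
    if "refused" in states:
        return ("a host at this address is up but rejects the port: service "
                "disabled on the interface, or another device owns the IP")
    if states == {"timeout"}:
        return "no TCP reply: check the MGT port cabling and for an IP conflict"
    return "mixed result: retest from a laptop plugged straight into the MGT port"

if __name__ == "__main__":
    target = "192.168.1.1"  # address from the thread
    results = {port: probe(target, port) for port in (22, 443)}
    for port, state in results.items():
        print(f"{target}:{port} -> {state}")
    print(interpret(results))
```

Running it from the VM and again from a directly connected laptop shows whether the switch path changes the result.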