Unable to HTTPS or SSH into new out of the box PA440

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to HTTPS or SSH into new out of the box PA440

L1 Bithead

Had a new PA440 delivered to a remote location. I am able to ping the device (192.168.1.1) but am not able to HTTPS or SSH into it. Assuming that my IT person at the remote location has the device plugged into the MGT port and in the switch, which since I ping it I am assuming that is the case I am not sure why I can not get in at least with SSH unless something has changed since I set up the last PA.  

It's a flat 255.255.255.0 network that is not on the 192.168.1.1 subnet. I log into a VM located on a server at the location where the PA is plugged into. The server and PA are plugged into the same switch. I added a 2nd virtual nic to the VM and static IP it to 192.168.1.10/24

I can ping the PA but HTTPS says server took to long or timed out, SSH says connection rejected. Before I run out there and try to use a console cable to access am I missing something? Is there some known issue or bug? 

7 REPLIES 7

Community Team Member

Hi @dahoove ,

 

I would double-check that the Palo was connected to the same switch and verify whether or not there is another device on the same network that has a conflicting IP. I would also verify default management access methods like SSH and HTTPS weren't unchecked and committed. It is unlikely there is a software issue causing this. Do you remember which code was running on the PA-440?

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

It is brand new out of the box never been logged into by anyone. Nothing was turned off by us no clue what version it's running since I can not get in. It should have it's default out of the box setting and their is nothing in that building with the 192.168.1.0/24 ip range. It's a small remote site that has 2 switches on a flat network, no other subnets.

I will just drive out there with a console cable and see if I can get in that way. 

Community Team Member

Please let us know what you find. Safe travels!

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Cyber Elite
Cyber Elite

Hello,

If you have a semi technical person onsite, perhaps configure their nic to the 192.168.1.x/24 network and then hot spot the same laptop? This might give you the access you need prior to driving.

Just a thought.

I'm wondering how could the issue be solved by hot spotting into the same laptop? 

L2 Linker

hey,

 

i would verify that the mgmt interface is configured correctly via console:

 

configure

 

set deviceconfig system type static

 

Set deviceconfig system ip-address 192.168.1.55 netmask 255.255.255.0 default-gateway 192.168.1.254 dns-settings servers primary 

 

set deviceconfig system service disable-https no disable-ssh no disable-icmp no

 

and i would listen to the other advice that was put in here and try a different ip - like 192.168.1.55 somthing odd - and if you need change the dfg ip-add

 

and if that dosent work i would configure a new interface via a console cable with a interface-mgmt-profile, and that way i can be sure that i did everything correct

 

this is the cli commands, change the port number or the ip address as you need. 

 

set network profiles interface-management-profile ssh_https_ping https yes ssh yes icmp yes

set network interface ethernet ethernet1/1 layer3 interface-management-profile ssh_https_ping ip 192.168.1.59

set zone trust network layer3 ethernet1/1

set network virtual-router default interface [ ethernet1/1 ]

set network virtual-router default routing-table ip static-route DFG destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 192.168.1.254

Commit

Cyber Elite
Cyber Elite

Hello,

Grab a laptop and give it an IP on the same subnet and plug it directly into the management port. This is the best way to test it to make sure nothing else is blocking it.

 

Regards,

  • 3296 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!