Web Interface access from Internet

L3 Networker

I have a PA-200 connected to the Internet, but the mgmt interface is disconnected right now. Do I have to piggyback mgmt onto one of the remaining Ethernet interfaces in order to get access to the web interface from the Internet? Plus a port forward rule? Let me know.


L5 Sessionator

Yes, you can assign management profile to the outside interface and access it to manage device.

You can use the following document:

How to Create a Management Profile using the CLI

In this example, we assume ethernet 1/3 is your outside network. Hope this helps. Thank you.

Do you know how to show/display the current mgmt interface profiles?

pa> show interface <interface>

Interface management profile: allow_all

  ping: yes  telnet: yes  ssh: yes  http: yes  https: yes 

  snmp: yes  response-pages: no  userid-service: no

So here it is, with my public IP replaced by x's. I have ping/https/ssh; I can ping and ssh but get no https to the web interface.

Name: ethernet1/1, ID: 16

Operation mode: layer3

Virtual router default

Interface MTU 1500

Interface IP address: x.x.x.x/24

Interface management profile: untrust-mgmt

  ping: yes  telnet: no  ssh: yes  http: no  https: yes 

  snmp: no  response-pages: no  userid-service: no

Service configured: SSL-VPN

Zone: WAN-zone, virtual system: vsys1

Hi Niuk,

Do you have a deny any any policy by any chance? Also, can you check the Traffic logs for your source address from the Internet and destination port 443 and see if it is denied? Thank you.

I think there is a default interzone deny. But how do I find drop logs using my ssh access only? I don't have web access temporarily.

show log traffic action equal deny dport equal 80(or 443) to equal X.X.X.X

Assuming your public ip is 1.1.1.1 and firewall's outside interface is 5.5.5.5, try to access https://5.5.5.5

Then on the CLI, run

show session all filter source 1.1.1.1 destination 5.5.5.5 destination-port 443

See if you see anything there; if possible, paste the output of "show session id <>" for any session that matches the show session command above. Thank you.

I don't see any 443, neither denied nor allowed, see below. Also the output of 'show counter global name flow_host_service_deny':

admin@PA-200-1> show log traffic action equal deny dport equal 443

Time                App             From            Src Port          Source

Rule                Action          To              Dst Port          Destination

                    Src User        Dst User

===============================================================================

admin@PA-200-1> show log traffic action equal allow dport equal 443

Time                App             From            Src Port          Source

Rule                Action          To              Dst Port          Destination

                    Src User        Dst User

===============================================================================

admin@PA-200-1> show counter global name flow_host_service_deny

Name:           flow_host_service_deny

Value:          80

Severity:       Drop

Category:       flow

Aspect:         mgmt

Desciption:     Device management session denied
