12-01-2014 10:49 AM
I have a PA-200 connected to the Internet, but the mgmt interface is disconnected right now. Do I have to piggyback mgmt onto one of the remaining Ethernet interfaces in order to get access to the web interface from the Internet? Plus a port forward rule? Let me know.
12-01-2014 10:55 AM
Yes, you can assign management profile to the outside interface and access it to manage device.
You can use the following document:
How to Create a Management Profile using the CLI
In this example, we assume ethernet 1/3 is your outside network. Hope this helps. Thank you.
12-01-2014 11:01 AM
Do you know how to show/display current mgmt interface profiles ?
12-01-2014 11:07 AM
pa> show interface <interface>
Interface management profile: allow_all
ping: yes telnet: yes ssh: yes http: yes https: yes
snmp: yes response-pages: no userid-service: no
12-01-2014 11:16 AM
So here it is; I replaced my public with x's. I have ping/https/ssh. I can ping and ssh, but no https to the web interface.
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: x.x.x.x/24
Interface management profile: untrust-mgmt
ping: yes telnet: no ssh: yes http: no https: yes
snmp: no response-pages: no userid-service: no
Service configured: SSL-VPN
Zone: WAN-zone, virtual system: vsys1
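The management-profile flags in that output are the thing to audit before exposing management on an Internet-facing interface. The script below is an added example (not from this thread and not Palo Alto Networks code): it parses the `show interface` text in the layout shown above, then flags cleartext services (telnet/http) anywhere and any interactive management service on a zone whose name looks Internet-facing. The zone-name hints and the sample text are assumptions; the sample is constructed from the poster's output with the address left as x.x.x.x. Note that this output does not show the profile's permitted-ip list, so the script can only remind you to check it.

```python
"""Audit PAN-OS 'show interface <name>' output for risky management exposure.

Added example, not from the thread. Assumes the line layout shown in the
thread ("Interface management profile:", "ping: yes telnet: no ...", "Zone:").
"""
import re

# Assumption: zone-name fragments that suggest an Internet-facing interface.
UNTRUST_HINTS = ("wan", "untrust", "outside", "internet")
CLEARTEXT = ("telnet", "http")                 # credentials travel in clear
INTERACTIVE = ("ssh", "https", "telnet", "http")

# Constructed sample, taken from the poster's output (public IP left as x.x.x.x).
SAMPLE_WAN = """\
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: x.x.x.x/24
Interface management profile: untrust-mgmt
ping: yes telnet: no ssh: yes http: no https: yes
snmp: no response-pages: no userid-service: no
Service configured: SSL-VPN
Zone: WAN-zone, virtual system: vsys1
"""

# Constructed second sample: an inside interface with telnet switched on.
SAMPLE_TRUST = """\
Name: ethernet1/2, ID: 17
Operation mode: layer3
Interface IP address: 10.0.0.1/24
Interface management profile: inside-mgmt
ping: yes telnet: yes ssh: yes http: no https: yes
snmp: no response-pages: no userid-service: no
Zone: trust, virtual system: vsys1
"""


def parse_show_interface(text):
    """Return name, zone, profile and a {service: enabled} map."""
    info = {"name": None, "zone": None, "profile": None, "services": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            info["name"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("Zone:"):
            info["zone"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("Interface management profile:"):
            info["profile"] = line.split(":", 1)[1].strip()
        else:
            # Service flag lines look like "ping: yes telnet: no ssh: yes ..."
            for svc, val in re.findall(r"([\w-]+):\s+(yes|no)\b", line):
                info["services"][svc] = (val == "yes")
    return info


def audit(info):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    svcs = info["services"]
    zone = (info["zone"] or "").lower()
    exposed = any(hint in zone for hint in UNTRUST_HINTS)
    for svc in CLEARTEXT:
        if svcs.get(svc):
            findings.append(f"{info['name']}: cleartext management service "
                            f"'{svc}' enabled (profile {info['profile']})")
    if exposed:
        for svc in INTERACTIVE:
            if svcs.get(svc) and svc not in CLEARTEXT:
                findings.append(f"{info['name']}: '{svc}' reachable from zone "
                                f"{info['zone']} (profile {info['profile']}); "
                                f"verify permitted-ip restricts sources")
        if svcs.get("snmp"):
            findings.append(f"{info['name']}: snmp exposed on zone {info['zone']}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WAN, SAMPLE_TRUST):
        for finding in audit(parse_show_interface(sample)):
            print(finding)
```

Feed it the pasted text of `show interface ethernet1/1` and read the findings; the WAN sample produces two (ssh and https reachable from WAN-zone), the trust sample one (telnet enabled).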
12-01-2014 12:04 PM
Hi Niuk,
Do you have a deny any any policy by any chance? Also, can you check the Traffic logs for your source address from the Internet and destination port 443 and see if it is denied? Thank you.
12-01-2014 12:10 PM
I think there is a default deny interzone. But how do I find drop logs using my ssh access only? I don't have web access temporarily.
12-01-2014 12:15 PM
show log traffic action equal deny dport equal 80(or 443) to equal X.X.X.X
12-01-2014 12:27 PM
Assuming your public ip is 1.1.1.1 and firewall's outside interface is 5.5.5.5, try to access https://5.5.5.5
Then on the CLI, run
show session all filter source 1.1.1.1 destination 5.5.5.5 destination-port 443
See if you see anything there; if possible, paste the output of "show session id <>" for any session that matches the above show session command. Thank you.
12-01-2014 12:28 PM
I don't see any 443, neither denied nor allowed; see below. Also the output of 'show counter global name flow_host_service_deny':
admin@PA-200-1> show log traffic action equal deny dport equal 443
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User
===============================================================================
admin@PA-200-1> show log traffic action equal allow dport equal 443
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User
===============================================================================
admin@PA-200-1> show counter global name flow_host_service_deny
Name: flow_host_service_deny
Value: 80
Severity: Drop
Category: flow
Aspect: mgmt
Desciption: Device management session denied
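A global counter such as flow_host_service_deny is cumulative since boot, so a single reading of 80 says nothing about the connection you just tried; what matters is whether it moves while you attempt the HTTPS session. The script below is an added example, not from the thread and not Palo Alto Networks code. It parses the `show counter global name` block in the layout shown above (keeping the "Desciption" spelling exactly as the firmware printed it), computes the increment between two readings, and turns that into a short verdict. Both readings are constructed; the "after" reading is the first plus three more denials.

```python
"""Compare two readings of a PAN-OS 'show counter global name <counter>' block.

Added example, not from the thread. Assumes the "Key: value" line layout
shown in the thread; the samples below are constructed.
"""

# Constructed: the poster's reading, then a second reading taken right after
# one attempted HTTPS connection to the outside interface.
READING_BEFORE = """\
Name: flow_host_service_deny
Value: 80
Severity: Drop
Category: flow
Aspect: mgmt
Desciption: Device management session denied
"""
READING_AFTER = READING_BEFORE.replace("Value: 80", "Value: 83")


def parse_counter(text):
    """Turn the 'Key: value' block into a dict; 'value' becomes an int."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = line.split(":", 1)
        rec[key.strip().lower()] = val.strip()
    if "name" not in rec or "value" not in rec:
        raise ValueError("not a counter block: missing Name or Value")
    rec["value"] = int(rec["value"])
    return rec


def is_mgmt_drop(rec):
    """True when the counter records denied device-management sessions."""
    return (rec.get("severity", "").lower() == "drop"
            and rec.get("aspect", "").lower() == "mgmt")


def counter_delta(before_text, after_text):
    """Return (counter name, increment) between two readings of one counter."""
    before, after = parse_counter(before_text), parse_counter(after_text)
    if before["name"] != after["name"]:
        raise ValueError("readings are for different counters")
    if after["value"] < before["value"]:
        raise ValueError("counter went backwards; device probably rebooted")
    return before["name"], after["value"] - before["value"]


def verdict(before_text, after_text, saw_session):
    """Interpret the delta together with whether 'show session' showed a flow.

    saw_session: True if 'show session all filter ... destination-port 443'
    listed the test connection.
    """
    name, delta = counter_delta(before_text, after_text)
    if delta > 0 and is_mgmt_drop(parse_counter(after_text)):
        return (f"{name} rose by {delta}: the packets reach the firewall and the "
                f"management profile is refusing them; check the profile's "
                f"services and permitted-ip list")
    if delta == 0 and not saw_session:
        return (f"{name} unchanged and no session seen: the packets are not "
                f"reaching the interface; look upstream (routing, NAT, an "
                f"outer filter)")
    return f"{name} rose by {delta}; session seen: look at the session details"


if __name__ == "__main__":
    print(verdict(READING_BEFORE, READING_AFTER, saw_session=False))
```

Take the first reading, attempt the https connection once, take the second reading, and run `verdict` with whatever `show session all filter ... destination-port 443` showed.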
12-01-2014 12:31 PM
I looked at port 443 (nothing), and 22 (where I am actually connected).
admin@PA-200-1> show session all filter destination-port 443
No Active Sessions
admin@PA-200-1> show session all filter destination-port 22
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
19243 ssh ACTIVE FLOW y.y.y.y[39267]/WAN-zone/6 (y.y.y.y[39267])
vsys1 x.x.x.x[22]/WAN-zone (x.x.x.x[22])
......
12-01-2014 12:36 PM
Write a temporary rule and try to access. It will be better.
configure
set rulebase security rules TEST from WAN to WAN source (your ip address which you try to access now) destination X.X.X.X(fw address) action allow
move rulebase security rules TEST top
commit
12-01-2014 12:44 PM
Hi Niuk,
Do you have a NAT for the outside interface ip? Can you check your NAT policy to see if you are translating anything on 443?
12-01-2014 12:50 PM
I moved the below to TOP and committed:
set rulebase security rules TEST from WAN-zone to WAN-zone source any destination x.x.x.x action allow service service-https application any
rulebase {
security {
rules {
TEST {
from WAN-zone;
to WAN-zone;
source any;
destination x.x.x.x;
action allow;
service service-https;
application any;
but no difference; maybe I should do service application-default and application ssl:
application ssl;
service application-default;