Web Interface access from Internet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Web Interface access from Internet

L3 Networker

I have PA-200 connected to Internet , but mgmt interface disconnected right now. Do I have to piggyback mgmt to one of remaining Ethernet interfaces in order to get access to web interface from Internet ? Plus port forward rule ?Let me know

17 REPLIES 17

L5 Sessionator

Yes, you can assign management profile to the outside interface and access it to manage device.

You can use following document :

How to Create a Management Profile using the CLI

In this example, we assume ethernet 1/3 is your outside network. Hope this helps. Thank you.

Do you know how to show/display current mgmt interface profiles ?

pa> show interface <interface>

Interface management profile: allow_all

  ping: yes  telnet: yes  ssh: yes  http: yes  https: yes 

  snmp: yes  response-pages: no  userid-service: no

So here it is , replaced my public with x's. I have ping/https/ssh I can ping and ssh but no https to web interface .

Name: ethernet1/1, ID: 16

Operation mode: layer3

Virtual router default

Interface MTU 1500

Interface IP address: x.x.x.x/24

Interface management profile: untrust-mgmt

  ping: yes  telnet: no  ssh: yes  http: no  https: yes 

  snmp: no  response-pages: no  userid-service: no

Service configured: SSL-VPN

Zone: WAN-zone, virtual system: vsys1

Hi Niuk,

Do you have deny any any policy by any chance? Also can you check on Traffic logs and check for your source address from internet and destination on 443 and see if it is denied? Thank you.

I think there is default deny interzone. But how to find drop logs using my ssh access only ? I don't have web access temporarily Smiley Wink

show log traffic action equal deny dport equal 80(or 443) to equal X.X.X.X

Assuming your public ip is 1.1.1.1 and firewall's outside interface is 5.5.5.5, try to access https://5.5.5.5

Then on the CLI, run

show session all filter source 1.1.1.1 destination 5.5.5.5 destination-port 443

See if you see anything there, if possible paste the output of "show session id <>" for any session that matches above show session command. Thank you.

I dont see any 443 neither denied  nor allowed, see below. Also output of 'show counter global name flow_host_service_deny'

admin@PA-200-1> show log traffic action equal deny dport equal 443

Time                App             From            Src Port          Source

Rule                Action          To              Dst Port          Destination

                    Src User        Dst User

===============================================================================

admin@PA-200-1> show log traffic action equal allow dport equal 443

Time                App             From            Src Port          Source

Rule                Action          To              Dst Port          Destination

                    Src User        Dst User

===============================================================================

admin@PA-200-1> show counter global name flow_host_service_deny

Name:           flow_host_service_deny

Value:          80

Severity:       Drop

Category:       flow

Aspect:         mgmt

Desciption:     Device management session denied

I looked port 443 (nothing) , and 22 (where I am actually connected)

admin@PA-200-1> show session all filter destination-port 443

No Active Sessions

admin@PA-200-1> show session all filter destination-port 22

--------------------------------------------------------------------------------

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                          Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19243        ssh            ACTIVE  FLOW       y.y.y.y[39267]/WAN-zone/6  (y.y.y.y[39267])

vsys1                                          x.x.x.x[22]/WAN-zone  (x.x.x.x[22])

......

write a temporary rule, and try to access.it will be better

configure

set rulebase security rules TEST from WAN to WAN source (your ip address which you try to access now) destination X.X.X.X(fw address) action allow

move rulebase security rules TEST top

commit

Hi Niuk,

Do you have a NAT for the outside interface ip? Can you check your NAT policy to see if you are translating anything on 443?

I moved below to TOP and committed

set rulebase security rules TEST from WAN-zone to WAN-zone source any destination x.x.x.x action allow service service-https application any

rulebase {

            security {

              rules {

                TEST {

                  from WAN-zone;

                  to WAN-zone;

                  source any;

                  destination x.x.x.x;

                  action allow;

                  service service-https;

                  application any;

but no difference , maybe I should do service application-default , and application ssl

application ssl;

service application-default;

no NAT

  • 5591 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!