08-06-2024 07:25 AM
Greetings,
I have a GP portal and Gateway configured for RADIUS auth in vr2 with just connected and a default route. vr1 has the routes to the RADIUS server. My question is, can I send the auth requests via the management port?
thanks
08-06-2024 12:39 PM
Hi @tcsmithh,
By default the Palo Alto firewall will always use the dedicated management interface for services like authentication servers, DNS, NTP etc.
When you configure your RADIUS server, the firewall will try to reach it over the dedicated management interface. Note that this traffic does not pass through the firewall policy, nor perform a route lookup in any VR (virtual router); it just uses the management default route.
If the FW management network does not have access to the RADIUS server, you can tell the firewall to use one of the dataplane interfaces by changing the relevant service route - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-...
With service routes you basically tell the firewall which dataplane interface to use as the source interface. After that the traffic will perform a route lookup - against the VR associated with the source interface - to determine the next hop. Traffic will also pass through the security policy, so if your policy is very restrictive you need to make sure it is allowed.
08-09-2024 07:16 AM
Thank you very much, I was certain that was the case, but wanted verification... unless I do custom routing... thanks again
08-09-2024 08:42 AM
Hi @tcsmithh ,
In the service routes config you can specify the source interface per service, or per destination.
If you define a source interface for the RADIUS service, this will force the firewall to use the same interface for every RADIUS server you define.
Specifying the source interface per destination allows you to have different RADIUS servers reachable from different interfaces/VRs.
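As an added illustration (not code from the thread or from PAN-OS itself), here is a small Python model of the source-selection logic both answers describe: with no service route the management interface is used, with no VR lookup and no policy check; with a per-service or per-destination source interface, the firewall does a route lookup in that interface's VR and the traffic passes through security policy. The topology, interface names and prefixes are constructed, and the model assumes a per-destination entry takes precedence over a per-service one.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the thread): vr1 holds the route to the
# RADIUS subnet, vr2 only has a connected route plus a default route.
VR_OF_INTERFACE = {"ethernet1/1": "vr1", "ethernet1/2": "vr2"}
ROUTES = {
    "vr1": [("10.1.1.0/24", None), ("10.10.0.0/16", "10.1.1.254"), ("0.0.0.0/0", "203.0.113.1")],
    "vr2": [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.254")],
}
MGMT_DEFAULT_GATEWAY = "192.168.0.254"  # constructed management default route


def longest_prefix_match(vr, dst):
    """Plain longest-prefix route lookup inside one virtual router."""
    best = None
    for prefix, next_hop in ROUTES[vr]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (best[1] or "connected")


def resolve_service_route(service, dst, per_service=None, per_destination=None):
    """Describe how the firewall sources `service` traffic towards `dst`.

    per_service maps a service name to a source interface; per_destination
    maps a destination prefix to a source interface (assumed to win).
    """
    per_service = per_service or {}
    per_destination = per_destination or {}
    source = None
    for prefix, iface in per_destination.items():
        if ip_address(dst) in ip_network(prefix):
            source = iface
            break
    if source is None:
        source = per_service.get(service)
    if source is None:
        # Default behaviour: management interface, no VR lookup, no policy.
        return {"path": "management", "next_hop": MGMT_DEFAULT_GATEWAY, "policy_checked": False}
    vr = VR_OF_INTERFACE[source]
    return {"path": "dataplane", "source_interface": source, "vr": vr,
            "next_hop": longest_prefix_match(vr, dst), "policy_checked": True}
```

Running the resolver with only a per-service entry pointing at the vr2 interface shows the RADIUS packet following vr2's default route, while a per-destination entry for the RADIUS subnet steers it through vr1's specific route.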