01-29-2026 03:03 AM - edited 01-29-2026 04:07 AM
Hi There,
I would like to establish an IPSEC VPN connection between the Palo Alto firewalls and the Fortigate. This setup is necessary to allow remote access to the Palo Alto firewalls from the Citrix servers. This is for Management connectivity.
The inquiry is: IPSEC VPNs are generally configured to facilitate the passage of data traffic.
1. I want to access the PA FW MGMT IP over an IPSEC VPN. Is it doable?
2. Shall I create a Loopback interface and assign an Interface MGMT profile? With this design, I believe I can access only the 'Active' firewall and not the 'passive' one.
How to overcome this caveat?
Cheers,
01-29-2026 07:34 AM
You are correct on both points.
Yes, you can set up IPSec to access the mgmt interface. Presumably you have the mgmt interface connected to a separate management vlan/zone, so you need to set up a security policy to permit traffic from the VPN to the Palo mgmt IPs.
And yes, if you use a loopback or dataplane interface then you can access only the active firewall.
01-29-2026 07:38 AM
Many thanks for your reply.
If I talk about MGMT IPs, I believe you're referring to the Loopback/In-band Interface and not the MGMT port.
Can we access the PA FW over the MGMT port itself via IPSEC VPN?
01-29-2026 11:03 AM
Hi @90435srinivasan ,
Do you have a switch on site? If so, connect the management interfaces to the switch and access them like you would any other. You can access them over the VPN. You would also be able to connect to the passive firewall.
Thanks,
Tom
01-29-2026 07:11 PM
Hi @TomYoung
Thanks for your reply. I'm referring to the Out of Band MGMT port.
As you know, since it's not part of any security zones, security policy won't be applicable. Is my assumption correct?
In that case, we'd need to use an In-band port (or loopback) and assign to a dedicated zone (MGMT-VPN) and allow security policy (MGMT-VPN to VPN).
I believe in this scenario, only the active firewall would be reachable as it holds the IP address.
Do correct me if I miss anything.
01-30-2026 07:36 AM
You can't route traffic directly from the dataplane to the management plane. There has to be a switch in between.
Below is an example using random vlans and IPs.
And then a firewall policy can be added to permit traffic from the VPN zone to the management zone towards the Palo mgmt IPs.
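The design described in this reply (dataplane interface in a management zone, switch in between, MGT port of each firewall on that VLAN, security rule from the VPN zone to the management IPs) expressed as PAN-OS `set` commands. This is an added illustration, not the poster's own diagram or configuration: the interface names, zone names, rule name and all IP addresses (10.10.20.0/24 for the management VLAN, 10.50.0.0/24 for the remote Citrix side) are constructed, the IPsec tunnel itself is assumed to already exist on `tunnel.1` in zone `VPN`, and lines beginning with `#` are annotations rather than CLI input.

```text
# --- Dataplane side: one interface facing the management switch/VLAN ---
set network interface ethernet ethernet1/4 layer3 ip 10.10.20.1/24
set network virtual-router default interface ethernet1/4
set zone MGMT network layer3 ethernet1/4
# assumed: the IPsec tunnel interface already sits in zone VPN
set zone VPN network layer3 tunnel.1

# --- Security policy: VPN zone -> MGMT zone, only to the two management IPs ---
set rulebase security rules Allow-VPN-to-MGMT from VPN to MGMT
set rulebase security rules Allow-VPN-to-MGMT source 10.50.0.0/24
set rulebase security rules Allow-VPN-to-MGMT destination [ 10.10.20.11 10.10.20.12 ]
set rulebase security rules Allow-VPN-to-MGMT application [ ssh ssl web-browsing ]
set rulebase security rules Allow-VPN-to-MGMT service application-default
set rulebase security rules Allow-VPN-to-MGMT action allow
set rulebase security rules Allow-VPN-to-MGMT log-end yes

# --- MGT port of the first firewall (not synced by HA; repeat on the peer with 10.10.20.12) ---
# The MGT port has no virtual router: its only routing is this default gateway,
# which is the dataplane address reached through the switch.
set deviceconfig system ip-address 10.10.20.11 netmask 255.255.255.0 default-gateway 10.10.20.1
# Limit which sources the management services accept at all (defence in depth
# on top of the security rule above).
set deviceconfig system permitted-ip 10.50.0.0/24
```

Because each MGT port has its own address on the switch VLAN, both the active and the passive firewall are reachable, which is the behaviour a loopback in a zone cannot give. The `permitted-ip` entry is worth keeping even when the security rule is tight: the rule governs what the dataplane forwards, while `permitted-ip` governs what the management plane itself will answer.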
01-30-2026 07:57 AM - edited 01-30-2026 09:22 AM
Thanks for your reply and sorry if I sound so silly.
As far as I know, dedicated out of band management interface isn't part of any security zone.
Based on the above example, if the dedicated MGT port is to be accessed via IPSEC VPN, can you please let me know how the routing should be set up?
Again, to the best of my knowledge, MGMT interface doesn't use the VR as this is for data-interface.
Please correct me if I miss anything 😊