Remote Admin via ISP connected interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Remote Admin via ISP connected interface

L0 Member

I have a PA-440 that I need to be able to manage via it's ISP connected interface.  I did the intial setup via the MGT interface but when I had the device moved to it's permanent location, which is not connected to our WAN, I cannot get the login web page when trying to connect to it's internet IP address.  I have set the an Interface-Mgmt profile against the ISP connected interface and set allowances from some specific /24 address spaces that we own, but I can't get a login prompt via HTTPS or SSH.  I know that it can be done as I did real quick setup on a PA-460 I have in my office and with same type of settings, other than it's MGT interface still being connected to a WAN reachable local network, I was able to get the login screen and login when accessing it's ISP connected interface from one of my overseas datacenters.  What am I missing?

3 REPLIES 3

L4 Transporter

Hello @jeff_pawlowski , good afternoon.

 

So, from what I see you are trying to allow access through one of your Outside/Untrust/WAN interfaces. Question, so to this interface you attached a Management Profiles profile allowing certain Public IP ranges ( I imagine the Public not private ranges are the ranges... ), you enabled SSH/HTTPS and PING. Now from the public ranges you are allowing you have PING response to that Interface ( did you try removing the Permitted IP Addresses just temporarily to validate access and correct connectivity ? ).
Now another doubt, do you have Internet access working correctly from that PaloAlto you mention ? did you add the default route to the virtual router routing ? and did you validate that you have Internet access at least outbound from the public IP, the Gateway and the Internet ( from CLI ping source the PUBLIC IP of the WAN host interface the public IP to validate, example 1.1.1.1.1, 8.8.8.8.8 and your own public gateway, ideally add a trace ) ? Did you validate , although as it is from zone to untrsut to untrust, it should allow it by default unless you have made some adjustment at policy level, but did you validate in Monitor-Log-Traffic if there is any policy that may be restricting access ?

Now this is not the best practice, exposing your administration to the Internet, but if it is a requirement, the best thing to do is to apply the correct IP Permitted and at the same time restrict access to it from the outside adding a second layer of security with security policies.

Now more importantly, I recommend the best practice is to use GlobalProtect, I recommend enabling globalprotect, and once connected to globbalprotect, reach your MGT IP. At the Global protect level, you can restrict the IP(s), user and ip at the policy level and also at the permitted IP level on the MGT interface to allow only certain segments to reach, for example certain segments or trusted IPs on your LAN and certain IPs or IP range that you use for global protect.

Remember also that when you enable Global Protect, and you still want to reach from the outside directly to the public IP of your Firewall, the WEB-GUI HTTPS administration, port "4443" is used. So you must ensure that this SSL/HTTPS connection is allowed on port 4443 (Palo Alto Service).

 

How to Access the WebGUI when GlobalProtect Is Enabled:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS

 

Best regards

High Sticker

I will try the removing the "permitted" IP addresses in the Interface Management profile to see if I can at least get a ping response.  Access to the internet through the firewall is working as expected with a NAT policy and a couple of basic trust(Inside) to untrust(Outside) securuity policies.  I had my colleague go to a website like whatsmyipaddress and it showed the IP address of my ISP connected interface.

 

I'm not familiar with Global Protect, but if that is a best practice for this type of standalone firewall, I may have to explore that.  Do you think I have to add an explicit Security Policy as well?  Do you think I have to change any of the Service Route Configuration items from Default to the ISP connected interface?

Just validate that you do not have any conflict with the permitted IPs that you declare, remember, in the management profile that you are attaching to your WAN Interface, not in the MGT configuration, but in the management profile that you attached to the WAN interface.

 

Remember, they are public IP ranges, not private, if they are external, they have to be the public IP of the locations, from where you are allowing access to your web-gui.

No, the service routes are used when for example your MGT interface, the MGT interface IP, does not have an exit to the Internet and for example you want to use some other interface for services such as DNS, dynamic updates, among others.

Check if there is any policy that may be denying your traffic from the public IP where you intend to give access to your public IP, i.e. external zone to external zone (the default policy of Intrazone should allow it, but still better to check if there is such a setting).

And well, global protect is the VPN Remote Access service, so it adds an additional layer of security to not fully expose your admin web to the Internet, but you connect through global protect and then reach the MGT IP to manage the firewall.

A support link for global protect:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK 

 

Best regards

High Sticker
  • 2257 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!