Hi @Efrain_Olmos,

You need to understand that PAN firewalls have a strict separation between the management plane and the data plane, including the routing for the mgmt and data interfaces. So there is no way to route traffic received by a data plane interface to the dedicated management interface without sending this traffic via another device (switch or router).

As mentioned earlier, the most straightforward approach would be to create a loopback, assign it an interface-management profile and build an IPsec tunnel that will accept traffic destined to that loopback (assigning the tunnel interface an IP will also do the trick).

Basically it is the same approach if you use GlobalProtect: the same concept, but the tunnel is client-to-site, not site-to-site.

The biggest disadvantage of these approaches is that if you have active-passive HA you will be able to reach only the current active member (since both members in the cluster share one IP).

So if you want to monitor both members at the same time, any solution that involves a dataplane interface with an interface-management profile will not work. You will need to use the dedicated/OOB management port. In that case you will need an additional switch or router that makes the connection between the dataplane interface and the mgmt port. For example, you can connect the inside interface and the mgmt interface to the same VLAN, so when you build the IPsec tunnel the traffic will first exit the FW, pass through the layer 2 switch and go to the mgmt interface. Or, if the site is a bit bigger and you use different networks/VLANs for the mgmt and the inside, you can put a route on the FW so that it routes to the mgmt network via the core switch.

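As an added example (mine, not part of the reply above and not Palo Alto documentation), here is what the two options described there look like as PAN-OS configure-mode `set` commands: option A is the loopback with an interface-management profile reached over a site-to-site IPsec tunnel, option B is the route toward the OOB management port via the core switch. Every name (MGMT-ACCESS, GW-MONITORING, VPN-ZONE, ...), interface number, address and the `<PSK>` placeholder is an assumption using RFC 1918/5737 space; the `#` lines are explanatory and are not CLI input. Check the exact syntax against your PAN-OS version before committing.

```text
# --- Option A: loopback + interface-management profile, reached over IPsec ---

# Management profile: only the monitoring subnet, only these services
set network profiles interface-management-profile MGMT-ACCESS ssh yes
set network profiles interface-management-profile MGMT-ACCESS https yes
set network profiles interface-management-profile MGMT-ACCESS snmp yes
set network profiles interface-management-profile MGMT-ACCESS ping yes
set network profiles interface-management-profile MGMT-ACCESS permitted-ip 10.100.0.0/24

# Loopback that becomes the management address on the dataplane
# (in active-passive HA this IP follows the active member, so only it answers)
set network interface loopback units loopback.10 ip 10.255.255.1/32
set network interface loopback units loopback.10 interface-management-profile MGMT-ACCESS
set network virtual-router default interface loopback.10
set zone MGMT-ZONE network layer3 loopback.10

# IKE/IPsec crypto and gateway toward the monitoring site (peer 203.0.113.10, local ethernet1/1)
set network ike crypto-profiles ike-crypto-profiles IKE-AES256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256 dh-group group14
set network ike gateway GW-MONITORING protocol version ikev2
set network ike gateway GW-MONITORING protocol ikev2 ike-crypto-profile IKE-AES256
set network ike gateway GW-MONITORING local-address interface ethernet1/1
set network ike gateway GW-MONITORING peer-address ip 203.0.113.10
set network ike gateway GW-MONITORING authentication pre-shared-key key <PSK>

# Tunnel interface in its own zone; route the monitoring subnet into the tunnel
# (alternatively give tunnel.10 an IP and attach MGMT-ACCESS to it instead of the loopback)
set network interface tunnel units tunnel.10
set network virtual-router default interface tunnel.10
set zone VPN-ZONE network layer3 tunnel.10
set network tunnel ipsec VPN-MONITORING auto-key ike-gateway GW-MONITORING
set network tunnel ipsec VPN-MONITORING auto-key ipsec-crypto-profile IPSEC-AES256
set network tunnel ipsec VPN-MONITORING tunnel-interface tunnel.10
set network virtual-router default routing-table ip static-route TO-MONITORING destination 10.100.0.0/24 interface tunnel.10

# Security policy: the management profile alone does not admit traffic that crosses zones
set rulebase security rules ALLOW-MONITORING from VPN-ZONE to MGMT-ZONE source 10.100.0.0/24 destination 10.255.255.1/32 application [ ssh ssl snmp ping ] service application-default action allow

# --- Option B: reach the OOB management ports via the core switch (both HA members reachable) ---
# Mgmt ports sit in 10.200.0.0/24 behind the core switch (10.1.1.254) on inside interface ethernet1/2.
# Traffic from the tunnel leaves the dataplane, crosses the core switch and enters each member's
# own mgmt port (e.g. 10.200.0.11 / 10.200.0.12), regardless of which member is active.
set network virtual-router default routing-table ip static-route TO-OOB-MGMT destination 10.200.0.0/24 nexthop ip-address 10.1.1.254 interface ethernet1/2
set rulebase security rules ALLOW-MONITORING-OOB from VPN-ZONE to INSIDE-ZONE source 10.100.0.0/24 destination 10.200.0.0/24 application [ ssh ssl snmp ping ] service application-default action allow

# Lock down the management port itself to the monitoring subnet as well
set deviceconfig system permitted-ip 10.100.0.0/24
```

With option A, a failover moves loopback.10 to the new active member and the monitoring system sees the same address the whole time, which is exactly why it cannot poll the passive unit. With option B the core switch (or a shared VLAN) carries the hop from the dataplane to the mgmt port, so each member's mgmt IP is reachable on its own; the `permitted-ip` entries on both the profile and the management port keep that reachability limited to the monitoring subnet.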