Hello all,

I am currently configuring an HA cluster (active/passive) with the following configuration:

Primary (active) box: PA-820
- ethernet1/1: 22.214.171.124/29 (external interface)
- ethernet1/2: 192.168.0.1/24 (internal interface)
- MGMT: 192.168.50.251/25 (management interface)

Secondary (passive) box: PA-820
- ethernet1/1: no IP address, as this is the secondary (passive) box
- ethernet1/2: no IP address, as this is the secondary (passive) box
- MGMT: 192.168.50.252/25 (management interface)

The two firewall systems are located at the customer's site, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administer both (!!!) firewall systems remotely. Previous attempts to reach the management port (MGMT) via NAT or similar have failed. What works is access to the primary system via VPN: the internal interface (ethernet1/2) is in the list of protected networks, and the interface itself has been assigned the management role.

What options do I have left? An active/active HA configuration is ruled out because DHCP is needed on the firewall.

Thanks for your help!

Regards,
Guido
OK, I added a new security policy with the information mentioned on the page "Best Practices for Securing Administrative Access". When I try to initiate a session with my web browser, I can see that the hit count of this policy rises, but the login prompt still does not appear in the browser. Of course, the network from which I initiate the connection was added under "Device --> Setup --> Interfaces --> Management --> Permitted IP Addresses". Or do I have to connect via GlobalProtect?
Hey everyone,

I have the following active/passive HA scenario:
- ethernet1/1: external interface (VPN termination point)
- ethernet1/2: internal interface
- MGMT: management interface
- HA1: HA
- HA2: HA

For administrative and monitoring purposes I need access from an external network to the web GUI of both firewall systems. Because of active/passive HA, only one firewall is available at a time. So I thought: is it possible to establish an IPsec tunnel between the two firewalls to get access to the web GUI? The IPsec tunnel works fine, and I can see hits on the security policy that should allow the traffic from the external network to the management interface of the Palo Alto firewall. But access via HTTPS does not work. 😞

My questions:
- Is it possible to get access from an external network via an IPsec tunnel to the management interface of a Palo Alto firewall?
- Are there other ways to get access from an external network via an IPsec tunnel to the web GUI of both firewall systems?

Thanks in advance
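Both threads above run into the same property of PAN-OS: the MGMT port is out-of-band. It has its own IP, netmask and default gateway (Device > Setup > Management), it is not an interface of any dataplane virtual router, and its settings (including Permitted IP Addresses) are not synchronised between HA peers. A hit on a security rule therefore only proves that the dataplane of the active member forwarded the packet toward 192.168.50.x; whether it reaches the MGMT port depends on (a) the dataplane having a route for 192.168.50.0/25 via a next hop on the internal LAN behind ethernet1/2, and (b) the MGMT default gateway knowing how to route the reply back to the VPN client subnet. The passive member has no dataplane IPs at all, so its GUI is reachable only through its MGMT port over that path. The fragment below is an added example, not configuration posted by either author or by Palo Alto Networks; it assumes a VPN client pool of 10.10.10.0/24, a MGMT-side router at 192.168.50.129, a router on the internal LAN at 192.168.0.254 that reaches 192.168.50.0/25, a virtual router named default and zones named vpn and trust (all hypothetical names):

```text
# --- On BOTH HA members (deviceconfig system is NOT synced by HA) ---
configure
# MGMT port addressing: the default gateway must have a route back to 10.10.10.0/24
set deviceconfig system ip-address 192.168.50.251 netmask 255.255.255.128 default-gateway 192.168.50.129
# Restrict who may talk to the MGMT port at all; the VPN client pool is added here
set deviceconfig system permitted-ip 10.10.10.0/24
# (repeat on the secondary with ip-address 192.168.50.252)

# --- On the ACTIVE member only (dataplane config, synced to the peer by HA) ---
# Dataplane route so traffic for the MGMT subnet leaves ethernet1/2 toward a LAN router
set network virtual-router default routing-table ip static-route to-mgmt-net destination 192.168.50.0/25 nexthop ip-address 192.168.0.254 interface ethernet1/2
# Security rule from the VPN zone to the MGMT subnet; restrict to admin applications
set rulebase security rules allow-admin-to-mgmt from vpn to trust source 10.10.10.0/24 destination 192.168.50.0/25 application [ ssl web-browsing ssh ping ] service application-default action allow
# Optional: a management profile on the internal interface gives GUI access to the
# active member directly on 192.168.0.1, but never to the passive member
set network profiles interface-management-profile allow-admin https yes ssh yes ping yes permitted-ip 10.10.10.0/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile allow-admin
commit
```

To verify the path rather than the rule hit, take a packet capture on the active member filtered on destination 192.168.50.251 port 443 and check that packets appear at the transmit stage on ethernet1/2; if they do but no reply returns, the problem is the return route from the MGMT gateway (192.168.50.129 in this assumption) to the VPN pool, not the security policy.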