Management Profile on Public Loopback IP not Working with Shared Gateway

Created On 09/26/18 13:53 PM - Last Modified 07/19/22 23:11 PM


Resolution


Symptoms

A loopback interface was configured with a public IP address to be used for reaching the management interface, because the VSYS shared gateway's IP address is also used in destination NAT rules: port 443 on that address is redirected to internal web servers, so attaching a management profile to the shared gateway's IP address would conflict with that rule.

When attempting to connect to the loopback's IP address, the connection does not work.

Issue

When a firewall is configured with a VSYS shared gateway, it is not possible to specify a source zone for address translation rules. Trying to access the management GUI by connecting to a loopback interface configured with a public IP does not work because the connection hits the outbound NAT rule, which translates the packet to the shared gateway's IP address.

Resolution

Create the following NAT rule and place it at the top of the NAT policy:

  • Source: Untrust zone
  • Destination: Untrust zone
  • Destination IP: Loopback IP address
  • Translated packet: None
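
The rule order matters because NAT policy is evaluated top-down and the first match wins. The following Python model is an added example, not the article's or PAN-OS's own code: it evaluates a constructed outbound rule (no source zone, as on a shared gateway) and the no-NAT rule above against a management connection to the loopback, with 203.0.113.1 standing in for the shared gateway IP and 203.0.113.10 for the loopback IP. Service and source address matching are left out of the simplified matcher.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str               # "any" or a zone name
    to_zone: str
    destination: str             # "any" or an IP/prefix
    translation: Optional[str]   # None == "Translated packet: None" (no-NAT rule)


@dataclass(frozen=True)
class Packet:
    src_zone: str   # pre-NAT source zone
    dst_zone: str   # pre-NAT destination zone (interface the route points at)
    dst_ip: str


def matches(rule: NatRule, pkt: Packet) -> bool:
    """Simplified matcher: zones and destination address only."""
    zones_ok = (rule.from_zone in ("any", pkt.src_zone)
                and rule.to_zone in ("any", pkt.dst_zone))
    dst_ok = (rule.destination == "any"
              or ip_address(pkt.dst_ip) in ip_network(rule.destination, strict=False))
    return zones_ok and dst_ok


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """NAT policy is evaluated top-down; the first matching rule is applied."""
    return next((r for r in rules if matches(r, pkt)), None)


# Constructed outbound rule on the shared gateway: no source zone, so "any".
OUTBOUND = NatRule("outbound-to-internet", "any", "Untrust", "any",
                   "source NAT to 203.0.113.1 (constructed shared gateway IP)")
# The no-NAT rule from the article: Untrust -> Untrust, destination = loopback IP.
NO_NAT_MGMT = NatRule("no-nat-mgmt-loopback", "Untrust", "Untrust", "203.0.113.10", None)

MGMT_PKT = Packet("Untrust", "Untrust", "203.0.113.10")   # admin connecting from the Internet
WEB_PKT = Packet("Trust", "Untrust", "198.51.100.5")      # ordinary outbound traffic

if __name__ == "__main__":
    for order in ([OUTBOUND], [OUTBOUND, NO_NAT_MGMT], [NO_NAT_MGMT, OUTBOUND]):
        hit = first_match(order, MGMT_PKT)
        print([r.name for r in order], "->", hit.name, "/", hit.translation)
```

Only the ordering with the no-NAT rule on top leaves the management packet untranslated, while normal outbound traffic still reaches the source NAT rule.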

owner: jteetsel
