What Changes are Required When Changing the IP Address on an Internet-Facing Interface?
Objective
Ensure all required changes to the firewall configuration are made when changing the IP address on an internet-facing interface.
Environment
Palo Alto Networks firewall with an interface that has an ISP assigned public address.
Procedure
A change to the public IP address will typically also require changes to the following:
- NAT policy (for source NAT from private addresses to the public IP address, or if hosting inbound services on the public IP address)
- PBF policy (if PBF is used, PBF would also set the next hop as the ISP router address)
- IPSec tunnels (any IPSec tunnels would need to be updated). PLEASE NOTE: The third party will also need to update their configuration to match your new public IP address.
- GlobalProtect portal (this is typically configured using the public IP address)
- Security policy (any policy that allows traffic to the public IP address, e.g., allowing GlobalProtect)
- Virtual Router (static routes will need to be updated with the new ISP router address or, if using dynamic routing, the neighbour addresses will need to be updated)
The changes above are those typically required, but additional changes may be needed. To check, perform a global search for part of the ISP public IP address to see whether any other configuration needs to be updated. For example, if service routes have been changed from the default management interface to use the public ISP interface, these may also need to be updated.
Example: The public IP address of the ISP interface is currently 203.203.203.1/30. A global search for "203.203.203" shows where the configuration needs to be updated.
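The same check can be run offline against an exported configuration file. The script below is an added example, not Palo Alto Networks code: the function name is hypothetical and the sample XML is constructed and simplified. It goes slightly beyond a text search by matching on subnet membership, so the ISP router address is found as well and an unrelated address such as 10.203.203.203 is not reported.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the style of an exported firewall config.
SAMPLE_CONFIG = """<config>
  <network>
    <interface><ethernet><entry name="ethernet1/1">
      <layer3><ip><entry name="203.203.203.1/30"/></ip></layer3>
    </entry></ethernet></interface>
    <virtual-router><entry name="default"><routing-table><ip><static-route>
      <entry name="default-route">
        <nexthop><ip-address>203.203.203.2</ip-address></nexthop>
      </entry>
    </static-route></ip></routing-table></entry></virtual-router>
    <ike><gateway><entry name="gw-partner">
      <local-address><ip>203.203.203.1/30</ip></local-address>
    </entry></gateway></ike>
  </network>
  <address><entry name="internal-db"><ip-netmask>10.203.203.203</ip-netmask></entry></address>
</config>"""

# A dotted quad that is not part of a longer digit/dot run.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_old_address_refs(xml_text, old_network):
    """Return sorted (path, value) pairs for every IPv4 literal inside old_network."""
    net = ipaddress.ip_network(old_network, strict=False)
    hits = set()
    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[@name='{name}']" if name else "")
        # Addresses appear both as element text and as entry names (attributes).
        for value in [elem.text or "", *elem.attrib.values()]:
            for literal in IPV4.findall(value):
                try:
                    if ipaddress.ip_address(literal) in net:
                        hits.add((here, value.strip()))
                except ValueError:
                    pass  # looks like an address but is not valid, e.g. 999.1.1.1
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return sorted(hits)

if __name__ == "__main__":
    for path, value in find_old_address_refs(SAMPLE_CONFIG, "203.203.203.0/30"):
        print(f"{value:20} {path}")
```

Each reported path is a place to review against the list above before committing the new address.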