Pretty new to Palo Alto but so far very impressed with them. I have what seems like a pretty routine task, but I can't nail it.
We have a PA220 that we manage for a customer. We have a management profile applied to the outside interface, allowing https, ssh, and ping from our company public address. It works as expected.
Cogent wants to monitor it as well with pings, but if we add their source IP addresses to the management profile, they will also have the ability to ssh and https. I know they can't login, but on principle they should only have pingability.
It's not possible to assign multiple management profiles to an interface. And it looks like when we add a regular security rule to allow pingability on the outside interface from a specific source, the management profile takes precedence.
I was considering removing the management profile and using only security rules to allow our management access and Cogent's monitoring. I also something about NATing to a loopback address, but that sounds overly complicated. And something about configuring the management interface as another security zone, but again that sounds like it shouldn't be needed.
I've done a fair amount of Googling and so far have not found the ideal solution. I even found a Reddit question for the exact same scenario, but nobody actually answered the question.
Any suggestions?
No comments:
Post a Comment