Maintain Administrative Access Best Practices
Best practices for maintaining secure administrative access, and for controlling traffic to management networks and interfaces, after deployment.
Ensure that your administrative access deployment remains up to date and is neither over-provisioned nor under-provisioned, and remain alert to attempts to compromise the deployment.
When administrative personnel change, update access so that people who no longer administer firewalls and Panorama cannot reach the management interface and management network, and so that new administrators have the appropriate access with the appropriate RBAC configuration.
Remove people who no longer administer the firewall or Panorama from user groups that have management interface access permissions.
Remove the IP addresses of people who no longer administer the firewall or Panorama device from the Security policy allow rules for management interface access.
If you created best practice Admin Role Profiles and an administrator no longer manages the device, review the profile that administrator used to determine whether it needs to be modified or deleted:
Verify whether any other administrators use the profile. Do not delete the profile if other administrators use it for access, or you may disrupt service or inadvertently change their access.
Do you need to modify the profile? If other administrators use the profile, changes may inadvertently allow or deny access to those administrators.
If no other administrators use the profile, should you delete it, or do you need it for a new administrator who will have the same responsibilities as the previous administrator?
If people no longer manage any devices in your management network, remove their management network access.
Add new administrators to the appropriate user group, add their IP addresses to the Security policy allow rules for management access, and configure RBAC privileges that allow access only to the portions of the device that they manage.
When services or API access for management tools change, update the Security policy rules that allow that access accordingly. As with changes in administrative personnel, in firewall and Panorama Security policy and for access to the management network, ensure that you:
Remove access privileges for services and tools that you no longer use.
Add access privileges for new services and tools using the most granular policy that permits only the necessary connection (the principle of least privilege).
Monitor System logs for administrators to identify abnormal account activity, especially for administrators with roles that permit changing key areas such as management access, administrative users, or Security policy.
Configure Log Forwarding for specific log events and types. Use a method that notifies administrators of events so that they can act in a timely manner. Abnormal activity may indicate a compromised administrator account. Look for activity such as:
An excessive number of login attempts.
Repeated login attempts at times of day that are unusual for that administrator.
Login attempts from unusual IP addresses or locations.
Creation of new user accounts (ensure that each new account is legitimate).
Addition of new users to groups (ensure that each addition is legitimate).
Unexpected password changes.
Policy and permission changes (Security policy, users, Security profiles, Admin Role Profiles, and so on).
Reviewing these activity indicators lets you quickly check administrators' last login details and locate hosts that attempt to log in to the firewall or Panorama management server.
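As an added illustration of the log review described above (example code, not part of the original page or of PAN-OS), the following Python script scans constructed, simplified log lines for several of the listed indicators: excessive failed logins, login attempts outside working hours, activity from source IP addresses not on the administrator's allow list, and password changes. The comma-separated log format, the allow list, the working hours and the failure threshold are assumptions for the example, not the firewall's real System log syntax.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed "timestamp,admin,source_ip,event" form.
# This is NOT the real PAN-OS System log format; adapt the regex to your forwarder.
SAMPLE_LOG = """\
2024-05-01 02:14:07,alice,203.0.113.7,auth-fail
2024-05-01 02:14:12,alice,203.0.113.7,auth-fail
2024-05-01 02:14:18,alice,203.0.113.7,auth-fail
2024-05-01 02:14:25,alice,203.0.113.7,auth-fail
2024-05-01 02:14:31,alice,203.0.113.7,auth-fail
2024-05-01 02:15:02,alice,203.0.113.7,auth-success
2024-05-01 09:30:44,bob,192.0.2.10,auth-success
2024-05-01 09:45:10,bob,192.0.2.10,password-change
"""

# Assumed per-administrator management source allow list and normal hours.
ALLOWED_ADMIN_IPS = {"alice": {"192.0.2.5"}, "bob": {"192.0.2.10"}}
WORK_HOURS = range(7, 20)          # 07:00-19:59 local time
FAILED_LOGIN_THRESHOLD = 5         # flag on the fifth failure for one admin

LINE_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+),(?P<admin>[^,]+),(?P<ip>[^,]+),(?P<event>[^,]+)$")

def parse(log_text):
    """Yield (timestamp, admin, ip, event) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["admin"], m["ip"], m["event"])

def find_abnormal_activity(log_text):
    """Return a sorted list of (admin, indicator) findings for review."""
    findings = set()
    failures = Counter()
    for ts, admin, ip, event in parse(log_text):
        if event == "auth-fail":
            failures[admin] += 1
            if failures[admin] >= FAILED_LOGIN_THRESHOLD:
                findings.add((admin, "excessive failed logins"))
        if event.startswith("auth") and ts.hour not in WORK_HOURS:
            findings.add((admin, "login attempt outside working hours"))
        if ip not in ALLOWED_ADMIN_IPS.get(admin, set()):
            findings.add((admin, f"activity from unlisted source {ip}"))
        if event == "password-change":
            findings.add((admin, "password change (verify it was expected)"))
    return sorted(findings)

if __name__ == "__main__":
    for admin, indicator in find_abnormal_activity(SAMPLE_LOG):
        print(f"{admin}: {indicator}")
```

Each finding is a prompt for a human check (was the new account, group change or password change legitimate?), not an automatic block; feed the script with lines from your Log Forwarding destination rather than the constructed sample.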