Best practices for securing administrative access and
traffic to management networks and interfaces.
No network security system is secure
if you don’t lock down administrative access to network devices.
This is especially true for firewalls and security management devices
such as Panorama because they are the gatekeepers and protectors
of your network. Attackers who gain administrative access to these
devices can reconfigure them in order to permit malicious access
to your network remotely, facilitate the distribution of malware
to endpoints, and even lock you out of your own network.
To safeguard your network from such attacks, follow
the best practices in this document—scan administrative traffic
for threats, and secure administrator and programmatic access to
device management, the management network, and the management interface.
This document contains a streamlined checklist of planning, deployment,
and maintenance best practices so that you can secure administrative
access to your PAN-OS firewall and Panorama devices. Each section
includes links to detailed information in the PAN-OS Admin Guide
that shows how to configure different aspects of administrative
access in case you’re not familiar with some of the procedures.
This best practice guide is written from the point of view
of a new deployment to show how to create a secure management network
and configure secure access to firewall and Panorama management
interfaces. However, many enterprises have an existing management
security strategy and implementation. For existing deployments,
these are the recommended best practices to migrate to and to keep
in mind if you overhaul your management network security. If you
haven’t adopted these best practices in an existing framework, adopt
them if possible to tighten security around administrative access.