Plan Administrative Access Best Practices

Best practices for planning to secure administrative access and traffic to management networks and interfaces.
If you’re in the planning stage of implementing your management network, follow these best practices to prepare for a safe deployment that follows the principles of least privilege for all management network access, and for access to the firewall and Panorama management interfaces. If you already deployed your management network, compare your architecture to the best practice recommendations and see if there is any way to further secure management access. After you deploy these best practices, your management network will allow access only to the administrators, services, and APIs required to manage firewalls and Panorama.
  • Set up a bastion host or a similarly hardened server for the sole purpose of providing access to the private management network. Lock down the bastion host as tightly as possible because it may allow access from administrators over the internet (via VPN) as well as internal access from outside the management network. Using the bastion host only for management network access is safest because the more services the host handles, the more potential vulnerabilities may be present.
    If you can’t set up a bastion host, create or use an existing management network specifically for firewall and Panorama management and restrict access to that network to only the administrators who have legitimate need to manage firewalls and Panorama. Ensure that administrators go through strict authentication before they can access the management network.
  • Set up User-ID on firewalls protecting the bastion host(s) and management network(s) and follow User-ID best practice recommendations. User-ID enables you to manage user group and individual user access in Security policy rules to provide an additional level of identification and protection along with specifying allowed IP addresses, zones, devices, and applications. Combining these objects in Security policy enables you to lock down management access and allow only the necessary traffic on device management interfaces.
  • Set up a centralized authentication system such as a privileged account management (PAM) or privileged identity management (PIM) solution to centralize control of access privileges.
  • Understand which administrators need to access the firewall and Panorama and the level of access that they need so that you can plan role-based access control (RBAC). Level of access means more than read-only versus read-write access: it means limiting administrative rights so that each administrator can view or change only the specific areas of the device that they manage. Granular RBAC requires individual administrator accounts so that you can use Admin Role profiles to control the exact access level for each administrator, and it may also require passing RADIUS attributes to the device.
  • Understand which services need management access to the firewall and Panorama. Allow only necessary services to access the management network and device management interfaces.
  • Audit, list, and understand all programmatic access requirements that leverage the firewall and Panorama APIs. For example:
    • Network-as-code and policy-as-code tools that modify the configuration, such as Ansible or Terraform.
    • Rulebase analysis and audit tools.
    • PAM/PIM tools.
    • DNS, DHCP, and IPAM (DDI) tools.
    • IT operations and service management tools.
    • In-house scripts and tools.
    • Any other programmatic access to the management interface.
    For each required programmatic access, list:
    • Admin accounts used.
    • Method of access (HTTP, SSH, or API).
    • Source IP address or network of the access.
    Filter the System logs for administrative login events to help with auditing existing programmatic access.
  • Ensure that your architecture enables you to inspect and log all inbound management traffic and to regularly monitor the traffic for suspicious activity.
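The programmatic-access audit above asks for a list of admin accounts, access methods, and source addresses, taken from the System log login events. The following Python script is an added example, not part of this page or of PAN-OS: it builds that inventory from constructed sample log descriptions and flags any login whose source lies outside an assumed management network. The login-message wording and the `10.10.0.0/24` management network are assumptions; verify the message format against your own System log before relying on the regular expression.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample System log descriptions for admin login events. The wording
# follows the assumed pattern "User <name> logged in via <method> from <ip>";
# check it against the real System log output of your firewall or Panorama.
SAMPLE_LOG_LINES = [
    "User admin logged in via Web from 10.10.0.5 using https",
    "User ansible-svc logged in via API from 10.10.0.20",
    "User admin logged in via CLI from 10.10.0.5",
    "User ipam-sync logged in via API from 172.16.40.9",
    "User tfadmin logged in via API from 10.10.0.20",
    "User ansible-svc logged in via API from 10.10.0.20",
]

# Assumed management network (bastion host and admin workstations live here).
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

LOGIN_RE = re.compile(r"User (\S+) logged in via (\w+) from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_admin_logins(lines):
    """Extract (account, method, source_ip) tuples from login event descriptions."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def inventory(events):
    """Count distinct (account, method, source) combinations: the list the
    planning step asks for, derived from what actually logged in."""
    return Counter(events)


def outside_management_network(events, networks=MGMT_NETWORKS):
    """Return login events whose source is not inside any allowed management network."""
    flagged = []
    for account, method, src in events:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in networks):
            flagged.append((account, method, src))
    return flagged


if __name__ == "__main__":
    evts = parse_admin_logins(SAMPLE_LOG_LINES)
    for (acct, meth, src), n in sorted(inventory(evts).items()):
        print(f"{acct:12} {meth:4} {src:15} {n} login(s)")
    for e in outside_management_network(evts):
        print("REVIEW: login from outside the management network:", e)
```

Each flagged entry is either a programmatic client that belongs in your access list with a fixed source address, or access that should be removed before the management network is locked down.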
