Use Interface Management Profiles to Restrict Access
Focus
Focus

Use Interface Management Profiles to Restrict Access

Table of Contents
End-of-Life (EoL)

Use Interface Management Profiles to Restrict Access

An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall.
When enabling access to a firewall interface using an Interface Management profile, do not enable management access (HTTP, HTTPS, SSH, or Telnet) from the internet or from other untrusted zones inside your enterprise security boundary, and never enable HTTP or Telnet access because those protocols transmit in cleartext. Follow the Best Practices for Securing Administrative Access to ensure that you are properly securing management access to your firewall.
  1. Configure the Interface Management profile.
    1. Select
      Network
      Network Profiles
      Interface Mgmt
      and click
      Add
      .
    2. Select the protocols that the interface permits for management traffic:
      Ping
      ,
      Telnet
      ,
      SSH
      ,
      HTTP
      ,
      HTTP OCSP
      ,
      HTTPS
      , or
      SNMP
      .
      Don’t enable
      HTTP
      or
      Telnet
      because those protocols transmit in cleartext and therefore aren’t secure.
    3. Select the services that the interface permits for management traffic:
    4. (
      Optional
      )
      Add
      the Permitted IP Addresses that can access the interface. If you don’t add entries to the list, the interface has no IP address restrictions.
    5. Click
      OK
      .
  2. Assign the Interface Management profile to an interface.
    1. Select
      Network
      Interfaces
      , select the type of interface (
      Ethernet
      ,
      VLAN
      ,
      Loopback
      , or
      Tunnel
      ), and select the interface.
    2. Select
      Advanced
      Other info
      and select the Interface
      Management Profile
      you just added.
    3. Click
      OK
      and
      Commit
      .

Recommended For You