Integrate the Firewall into Your Management Network
All Palo Alto Networks firewalls provide an out-of-band
management port (MGT) that you can use to perform the firewall administration
functions. By using the MGT port, you separate the management functions
of the firewall from the data processing functions, safeguarding
access to the firewall and enhancing performance. When using the
web interface, you must perform all initial configuration tasks from
the MGT port even if you plan to use an in-band data port for managing
your firewall going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you must either set up an in-band data port to reach the required external services (using service routes, which direct a service's traffic out a data interface instead of the MGT port) or plan to upload updates manually on a regular basis.
Do not enable access to your management interface from the internet or from other untrusted zones inside your enterprise security boundary. This applies whether you use the dedicated management port (MGT) or a data port configured as your management interface. When integrating your firewall into your management network, follow the Best Practices for Securing Administrative Access so that administrative access to your firewalls and other security devices is hardened against attack.
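One way to verify the restriction above before a config is committed is to audit the exported configuration for management-interface exposure. The script below is an added example written for this page; it is not Palo Alto Networks code. It assumes the XML layout of a PAN-OS configuration export (allowed management sources under deviceconfig/system/permitted-ip, insecure management services under deviceconfig/system/service) and uses two constructed sample configs, one exposed and one hardened. It flags an empty permitted-ip list, a 0.0.0.0/0 or other public range, and telnet or HTTP explicitly set to enabled; it deliberately does not guess the device default when a disable-* element is absent.

```python
"""Audit a PAN-OS configuration export for exposed management access.

Added example, not Palo Alto Networks code. Assumes the XML layout of a
PAN-OS config export: deviceconfig/system/permitted-ip holds the source
networks allowed to reach MGT, and deviceconfig/system/service holds the
disable-telnet / disable-http switches. The checks are this script's own.
"""
import ipaddress
import xml.etree.ElementTree as ET

SYSTEM_PATH = "./devices/entry/deviceconfig/system"

# Constructed sample: MGT reachable from anywhere, telnet left enabled.
EXPOSED_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.30.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
          <service>
            <disable-telnet>no</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Constructed sample: MGT limited to the management subnet, telnet and http off.
HARDENED_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.30.0/24"/>
          </permitted-ip>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def audit_management_access(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing exposed was found."""
    system = ET.fromstring(config_xml).find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system element found in config"]
    findings = []

    # No permitted-ip entries means no source restriction on MGT at all.
    entries = system.findall("./permitted-ip/entry")
    if not entries:
        findings.append("permitted-ip is empty: any source address can reach MGT")
    for entry in entries:
        cidr = entry.get("name", "")
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"permitted-ip entry {cidr!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            findings.append(f"permitted-ip {cidr} admits every address, including the internet")
        elif net.is_global:
            findings.append(f"permitted-ip {cidr} is a public range, not a management network")

    # Telnet and HTTP carry credentials in cleartext; only SSH/HTTPS should serve MGT.
    # An absent element is not flagged: this script does not assume the device default.
    for element, name in (("disable-telnet", "telnet"), ("disable-http", "http")):
        node = system.find(f"./service/{element}")
        if node is not None and (node.text or "").strip().lower() == "no":
            findings.append(f"{name} is explicitly enabled on the management interface")

    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_management_access(cfg) or ['no findings']}")
```

Run it against a saved configuration export (or a config snapshot pulled through your normal change-control process) rather than against the live device; the point is to catch an over-broad permitted-ip entry or an insecure service before it is committed.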
The following topics describe the initial configuration steps necessary to integrate a single Palo Alto Networks next-generation firewall into the management network and deploy it in a basic security configuration. For redundancy, consider deploying a pair of firewalls in a High Availability configuration.