Use Interface Management Profiles to Restrict Access
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 10.1
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
-
Cloud Management and AIOps for NGFW
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the
firewall from unauthorized access by defining the protocols, services,
and IP addresses that a firewall interface permits for management
traffic. For example, you might want to prevent users from accessing
the firewall web interface over the ethernet1/1 interface but allow that
interface to receive SNMP queries from your network monitoring system.
In this case, you would enable SNMP and disable HTTP/HTTPS in an
Interface Management profile and assign the profile to ethernet1/1.
You
can assign an Interface Management profile to Layer 3 Ethernet interfaces
(including subinterfaces) and to logical interfaces (aggregate group,
VLAN, loopback, and tunnel interfaces). If you do not assign an
Interface Management profile to an interface, it denies access for
all IP addresses, protocols, and services by default.
The
management (MGT) interface does not require an Interface Management
profile. You restrict protocols, services, and IP addresses for
the MGT interface when you perform initial configuration of
the firewall. In case the MGT interface goes down, allowing management
access over another interface enables you to continue managing the
firewall.
When enabling access
to a firewall interface using an Interface Management profile, do
not enable management access (HTTP, HTTPS, SSH, or Telnet) from
the internet or from other untrusted zones inside your enterprise
security boundary, and never enable HTTP or Telnet access because
those protocols transmit in cleartext. Follow the Adminstrative Access Best Practices to
ensure that you are properly securing management access to your
firewall.
- Configure the Interface Management profile.
- Select NetworkNetwork ProfilesInterface Mgmt and click Add.
- Select the protocols that the interface permits for
management traffic: Ping, Telnet, SSH, HTTP, HTTP
OCSP, HTTPS, or SNMP.Don’t enable HTTP or Telnet because those protocols transmit in cleartext and therefore aren’t secure.
- Select the services that the interface permits for
management traffic:
- Response Pages—Use to enable response pages for:
- Captive Portal—To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: 6081 for Captive Portal in transparent mode and 6082 for Captive Portal in redirect mode. For details, see Authentication Policy and Authentication Portal.
- URL Admin Override—For details, see Allow Password Access to Certain Sites.
- User-ID—Use to Redistribute Data and Authentication Timestamps.
- User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP—Use to Configure User-ID to Monitor Syslog Senders for User Mapping over SSL or UDP.
- (Optional) Add the Permitted IP Addresses that can access the interface. If you don’t add entries to the list, the interface has no IP address restrictions.
- Click OK.
- Assign the Interface Management profile to an interface.
- Select NetworkInterfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
- Select AdvancedOther info and select the Interface Management Profile you just added.
- Click OK and Commit.