Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the
firewall from unauthorized access by defining the protocols, services,
and IP addresses that a firewall interface permits for management
traffic. For example, you might want to prevent users from accessing
the firewall web interface over the ethernet1/1 interface but allow
that interface to receive SNMP queries from your network monitoring
system. In this case, you would enable SNMP and disable HTTP/HTTPS
in an Interface Management profile and assign the profile to ethernet1/1.
can assign an Interface Management profile to Layer 3 Ethernet interfaces
(including subinterfaces) and to logical interfaces (aggregate group,
VLAN, loopback, and tunnel interfaces). If you do not assign an
Interface Management profile to an interface, it denies access for
all IP addresses, protocols, and services by default.
management (MGT) interface does not require an Interface Management
profile. You restrict protocols, services, and IP addresses for
the MGT interface when you perform initial configuration of
the firewall. In case the MGT interface goes down, allowing management
access over another interface enables you to continue managing the
When enabling access
to a firewall interface using an Interface Management profile, do
not enable management access (HTTP, HTTPS, SSH, or Telnet) from
the internet or from other untrusted zones inside your enterprise
security boundary, and never enable HTTP or Telnet access because
those protocols transmit in cleartext. Follow the Best Practices for Securing Administrative
Access to ensure that you are properly securing management
access to your firewall.
Configure the Interface Management profile.
Select the protocols that the interface permits for
those protocols transmit in cleartext and therefore aren’t secure.
Select the services that the interface permits for
—Use to enable
response pages for:
Captive Portal response pages, the firewall leaves ports open on
Layer 3 interfaces: 6081 for Captive Portal in transparent mode
and 6082 for Captive Portal in redirect mode. For details, see Authentication Policy and Authentication