An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). To assign an Interface Management profile, see Network > Interfaces.
Field: Description

Name: Enter a profile name (up to 31 characters). This name appears in the list of Interface Management profiles when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Permitted Services:
- Ping: Use to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server.
- Telnet: Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH. Therefore, as a best practice, enable SSH instead of Telnet for management traffic on the interface.
- SSH: Use for secure access to the firewall CLI.
- HTTP: Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS. Therefore, as a best practice, enable HTTPS instead of HTTP for management traffic on the interface.
- HTTP OCSP: Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
- HTTPS: Use for secure access to the firewall web interface.
- SNMP: Use to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
- Response Pages: Use this option to configure response pages:
  - Captive Portal: The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Device > User Identification > Captive Portal Settings.
  - URL Admin Override: For details, see Device > Setup > Content-ID.
- User-ID: Use to Enable Redistribution of User Mappings Among Firewalls.
- User-ID Syslog Listener-SSL: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
- User-ID Syslog Listener-UDP: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.

Permitted IP Addresses: Enter the list of IPv4 or IPv6 addresses from which the interface allows access.
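An added example, not part of the original page or of PAN-OS: a small Python audit that applies the table's rules (name format and uniqueness, plaintext services, Permitted IP Addresses) to profiles described as plain dictionaries. The dictionary keys, the sample profiles, the acceptance of CIDR prefixes in Permitted IP Addresses, and the choice to flag an empty address list for review are assumptions.

```python
import ipaddress
import re

# Name rule from the table: up to 31 characters; letters, numbers, spaces,
# hyphens and underscores only (ASCII letters assumed).
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")
# Services the table calls plaintext, mapped to the service it recommends instead.
PLAINTEXT = {"Telnet": "SSH", "HTTP": "HTTPS"}


def audit_profiles(profiles):
    """Return sorted (profile name, finding) tuples; dict keys are hypothetical."""
    findings = []
    seen = set()
    for prof in profiles:
        name = prof["name"]
        if not NAME_RE.fullmatch(name):
            findings.append((name, "invalid name"))
        if name in seen:  # names are case-sensitive, so compare exactly
            findings.append((name, "duplicate name"))
        seen.add(name)
        for svc in prof["services"]:
            if svc in PLAINTEXT:
                findings.append((name, f"{svc} is plaintext; enable {PLAINTEXT[svc]} instead"))
        if not prof["permitted_ips"]:  # assumption: an empty list deserves review
            findings.append((name, "no Permitted IP Addresses listed"))
        for ip in prof["permitted_ips"]:
            try:
                # Accepts single addresses and CIDR prefixes (CIDR is an assumption).
                net = ipaddress.ip_network(ip, strict=False)
            except ValueError:
                findings.append((name, f"not an IPv4 or IPv6 address: {ip}"))
                continue
            if net.prefixlen == 0:
                findings.append((name, f"{ip} matches every address"))
    return sorted(findings)


# Constructed sample profiles, not taken from any real firewall.
SAMPLE = [
    {"name": "mgmt-inside", "services": ["SSH", "HTTPS", "Ping"],
     "permitted_ips": ["10.1.1.0/24", "2001:db8::10"]},
    {"name": "legacy admin", "services": ["Telnet", "HTTP"], "permitted_ips": []},
    {"name": "Mgmt-Inside", "services": ["HTTPS"], "permitted_ips": ["0.0.0.0/0"]},
    {"name": "dmz.profile", "services": ["Ping"], "permitted_ips": ["10.1.1.300"]},
]

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit_profiles(SAMPLE)), sep="\n")
```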
