Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the
firewall from unauthorized access by defining the protocols, services,
and IP addresses that a firewall interface permits for management
traffic. For example, you might want to prevent users from accessing
the firewall web interface over the ethernet1/1 interface but allow
that interface to receive SNMP queries from your network monitoring
system. In this case, you would enable SNMP and disable HTTP/HTTPS
in an Interface Management profile and assign the profile to ethernet1/1.
You
can assign an Interface Management profile to Layer 3 Ethernet interfaces
(including subinterfaces) and to logical interfaces (aggregate group,
VLAN, loopback, and tunnel interfaces). If you do not assign an
Interface Management profile to an interface, it denies access for
all IP addresses, protocols, and services by default.
The management (MGT) interface does not
require an Interface Management profile. You restrict protocols,
services, and IP addresses for the MGT interface when you Perform
Initial Configuration of the firewall. In case the MGT interface
goes down, allowing management access over another interface enables
you to continue managing the firewall. When enabling access to a
firewall interface using an Interface Management profile, make sure
you do not enable management access (HTTP, HTTPS, SSH, or Telnet)
from the internet or from other untrusted zones inside your enterprise
security boundary. Follow the Best
Practices for Securing Administrative Access to ensure that
you are properly securing management access to your firewall.
- Configure the Interface Management profile.
- Select NetworkNetwork ProfilesInterface Mgmt and click Add.
- Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP.
- Select the services that the interface permits for
management traffic:
- Response Pages—Use to enable response pages for:
- Captive Portal—To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
- URL Admin Override—For details, see Allow Password Access to Certain Sites.
- User-ID—Use to Redistribute User Mappings and Authentication Timestamps.
- User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP—Use to Configure User-ID to Monitor Syslog Senders for User Mapping over SSL or UDP.
- (Optional) Add the Permitted IP Addresses that can access the interface. If you don’t add entries to the list, the interface has no IP address restrictions.
- Click OK.
- Assign the Interface Management profile to an interface.
- Select NetworkInterfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
- Select AdvancedOther info and select the Interface Management Profile you just added.
- Click OK and Commit.
Related Documentation
Network > Network Profiles > Interface Mgmt
Network > Network Profiles > Interface Mgmt An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that ...
Device > User Identification > Captive Portal Settings
Device > User Identification > Captive Portal Settings Edit ( ) the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches ...
Configure Captive Portal
Configure Captive Portal The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests ...
Export SAML Meta data from an Authentication Profile
SAML Metadata Export from an Authentication Profile Device > Authentication Profile The firewall and Panorama can use a SAML identity provider (IdP) to authenticateusers who ...
Best Practices for Securing Administrative Access
Learn the best practices for securing administrative access to your firewalls to prevent successful cyberattacks through an exposed management interface. ...
Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications To protect critical applications and stop attackers from using stolen credentials to conduct lateral movement throughout your network, ...
Set Up Network Access for External Services
Set Up Network Access for External Services By default, the firewall uses the MGT port to access remote services, such as DNS servers, content updates, ...