Best Practices for Securing Administrative Access

Learn the best practices for securing administrative access to your firewalls to prevent successful cyberattacks through an exposed management interface.
Protecting your network from cyberattacks begins with a secure firewall deployment. If the network you use to manage your sensitive IT devices—including your Palo Alto Networks next-generation firewalls and Panorama—is not secured properly, you can’t detect and defend against vulnerability exploits that could lead to infiltration or the loss of sensitive data. The ultimate goal when securing firewall access is to ensure that even if an attacker gains access to privileged credentials, you can still thwart their ability to get in and do damage. Follow these best practice guidelines to ensure that you secure administrative access to your firewalls and other security devices in a way that prevents successful attacks.

Isolate the Management Network

All Palo Alto Networks firewalls provide an out-of-band management (MGT) port that you can use to perform firewall administration functions. Alternatively, you can use the MGT port for initial configuration and then configure a data port for management access to the firewall. Either way, because the management interface provides access to your Security configuration, you must take the following precautions to safeguard access to this interface:
Do not enable access to your management interface from the internet or from other untrusted zones inside your enterprise security boundary. This applies whether you use the dedicated management (MGT) port or a data port as your management interface.
  • Isolate the management interface on a dedicated management VLAN.
  • Limit the source IP addresses allowed in to the management network to IP addresses of your dedicated management devices, such as a jump server or a bastion host.
  • Use a jump server or bastion host (with screen recording) to provide secure access from your corporate network in to your dedicated management network and require that users authenticate and are authorized to access your management network.
  • If you don’t have a bastion host, use Authentication Policy with multi-factor authentication (MFA) to require administrators to successfully authenticate before you allow them to continue to the firewall web interface login page or CLI login prompt. This prevents access to the management interface using stolen credentials or through vulnerability exploits.
  • Limit access to users in your security administrator, network administrator, or IT user groups as appropriate for your organization.
  • If you must enable remote access to the management network, require access through a VPN tunnel using Prisma™ Access. After administrators successfully establish a VPN tunnel into your VPN zone, they must still authenticate in to the management network through your bastion host.
  • Do not use an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on the interface where you configured a GlobalProtect portal or gateway because this configuration exposes the management interface to internet access. Also do not use HTTP or Telnet internally because these protocols transmit in cleartext.
  • If you are using a template to deploy a VM-Series firewall that includes a field for restricting management access to a specific IP address, supply a CIDR block that corresponds to your dedicated management IP addresses or network. If necessary, modify the corresponding security group to add additional hosts or networks after the template launch. Do not make the allowed source network range larger than necessary and never configure the allowed source using 0.0.0.0/0.

Use Service Routes to Access External Services

By default, the firewall uses the management (MGT) port to access services that are outside of the management network on potentially untrusted networks, such as DNS servers, NTP servers, and authentication servers. This includes services that require internet access, such as Palo Alto Networks services and AutoFocus™. Because your management interface—whether on the MGT port or a data port—must be isolated on the management network, you must use service routes (
Device
Setup
Services
Service Route Configuration
) to enable access to these services. When you configure a service route, the firewall uses the specified source interface and address to access the services you need. Specify the source IP address or interface for your service route on an interface that doesn’t allow management access (an interface that is not using HTTPS or SSH).
custom-service-route.png

Restrict Access to the Management Interface

  • Restrict the IP addresses that you permit to access the management interface.
    Even if your firewall is on a dedicated management network that is only accessible by a device on the same VLAN or through a bastion host or VPN tunnel, you can further secure the firewall by restricting the source IP addresses to administrators who are allowed to access the management interface. This prevents access from unexpected IP addresses or subnets and prevents access through stolen credentials.
  • Restrict the services that are available on the management interface.
    • Do not allow access over Telnet and HTTP because these services use plaintext, are not as secure as the other services, and could compromise administrator credentials. Instead, require administrators to access firewall interfaces over SSH or HTTPS.
    • Enable ping if you want to test connectivity to the interface but do not enable any other services on the management interface.
  • The way you configure these settings depends on whether you are using the MGT port or a data port for access to the firewall management interfaces:
    • If you are using the MGT port as your management interface, select
      Device
      Setup
      Interfaces
      and select the
      Management
      interface to configure the settings to restrict who can access the management interface and what services the interface allows.
      bp-management-interface-settings.png
    • If you are using a data port as your management interface, after you configure the interface, select
      Network
      Network Profiles
      Interface Mgmt
      and
      Add
      an interface management profile to restrict who can access the management interface and what services the interface allows.
      Do not attach an interface management profile that allows Telnet, SSH, HTTP, or HTTPS to an interface where you have configured a GlobalProtect portal or gateway because this will expose the management interface to the internet. Also, do not use HTTP or Telnet for any management interface profile because those protocols transmit in cleartext.
      interface-mgmt-profile-for-mgmt.png

Manage Administrator Access

  • Change the default admin account password (
    Device
    Administrators
    admin
    ) immediately after initial configuration. The firewall comes preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall but you should not leave it with the default account password.
    If compliance, audit, or security requirements stipulate that you must remove the default administrative account from your devices, you can remove it only after you create at least one other superuser administrative account on the device.
  • Configure a Firewall Administrator Account for each individual who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
  • Assign each administrator account to an admin role profile that limits management privileges to only those functions the individual administrator needs.
  • For administrators with change privileges, require MFA using external authentication and authorization using RADIUS or SAML (Configure Local or External Authentication for Firewall Administrators with MFA).
    If available, use privileged account management (PAM) or privileged identity management (PIM) solutions (or both) to secure administrator credentials externally.
  • Monitor the System logs to identify abnormal account activity on any of your administrator accounts. For example, if the logs show excessive login attempts or repeated logins at certain times of day, this may indicate that an administrative account is compromised. Also, educate all administrators about how to Use the Administrator Login Activity Indicators to Detect Account Misuse.

Create Strong Administrator Passwords

Configure a strict password policy that requires frequent password changes (
Device
Setup
Management
Minimum Password Complexity
).
You are responsible for assessing the appropriate password requirements for your organization; however, the following characteristics are best practices for creating strong passwords. Passwords should:
  • Be a minimum of eight characters
  • Not be based on a single dictionary word
  • Not include context specific words (for example, the name of a website)
  • Not include a username or derivatives of a username (for example, @dmin, Johnny)
  • Not have repetitive or sequential characters (for example, aaaaaa, 1234abcd)
  • Include uppercase and lowercase characters, numbers, and special characters (including spaces)
One way to create a strong password is to create a long passphrase rather than a complex password. Industry standards recommend creating long, unique passphrases that you will remember easily (using whatever characters you want, including dictionary words) instead of creating convoluted and complex passwords that are easy to forget. Longer passwords with a minimum of 15 characters are believed to compensate for the use of dictionary words. Try to create a passphrase based on long, familiar phrases that only you know or string together at least four words.
For more information on how to determine the appropriate password requirements for your organization, we recommend the following resources:

Scan All Traffic Destined for the Management Interface

Because security policy and decryption policy do not evaluate management plane traffic, you cannot directly scan the MGT port for threats. If you are using the MGT port as your management interface, consider routing traffic destined for the MGT port through a data port or through another firewall so that you can apply these important security checks to your management traffic.
  • Create Security policy rules to allow access to the management interfaces of the firewall and Panorama (web interface or CLI). How you define the policy depends on whether or not you are using a bastion host to enable access to the management network.
    • If you are not using a bastion host to isolate your management network, create a Security policy rule to allow access from the users zone to the IT Infrastructure zone. This Security policy rule must be very granular and must specify the source zone, source IP address (if available), and source user group of the user attempting to access the management interface. This rule must also specify the destination zone, IP address of the appliance (firewall or Panorama), and the App-ID to identify the specific management application (web interface or CLI) running on the application default port. For example, use the panos-web-interface App-ID to allow access to the web interface and the ssh App-ID to allow access to the CLI. You must also attach a Vulnerability Protection profile to the rule as described later in this section.
      The following example rule allows access from the users zone directly to the IT Infrastructure zone, and restricts access to users in the IT-admins group who are attempting to access the management interface IP address to access the panos-web-interface application on the application-default port only.
      bp-security-policy-mgmt-access.png
    • If you are using a bastion host to enable access to your management network, you need two Security policy rules: one rule to allow access from the user zone to the bastion host zone and a second rule to allow access from the bastion host zone to the IT infrastructure zone. Again, both of these Security policy rules should be as granular as possible and include source zone, address (if available), user and destination zone and address, and the App-ID. If you are using a bastion host, the user IP address is usually the IP address of the bastion host so you cannot identify the User-ID for the administrator unless you are using the Terminal Server agent on the bastion host to identify individual users. In this case, you must also attach a Vulnerability Protection profile to both rules as described later in this section.
      In the example rules that follow, the first rule allows access from the user zone to the Bastion-host zone for users in the IT-admins group who are attempting to access the specified bastion server IP address over SSH or RDP. The second rule allows access to users from the Bastion-host zone to the IT-infrastructure zone attempting to access the panos-web-interface application on the default port on the firewall with the specified destination address.
      bastion-host-rule.png
  • Attach a best practice Vulnerability Protection profile to the Security policy rules that allow access in to your management network to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. To create a profile for the purpose of protecting your management interface, clone the strict profile and then enable extended packet capture to help you track down the source of any potential attacks.
    vuln-bp.png
  • Configure SSL Inbound Inspection or Configure SSL Forward Proxy for traffic to or from the management interface to ensure that you can decrypt and scan the traffic for threats. Attach a best practice decryption profile to the decryption policy rule to ensure that you block vulnerable SSL/TLS versions such as TLS 1.0 and SSLv3 and that you reject sessions using weak encryption algorithms such as RC4 and 3DES and weak authentication algorithms such as MD5 and SHA1.

Replace the Certificate for Inbound Management Traffic

By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization. Use certificates signed by your enterprise CA so that users won’t learn to ignore certificate warnings. In addition, in the SSL/TLS profile, set the
Min version
to
TLSv1.2
(the strongest protocol) and set the
Max version
to
Max
so that you continue to use the strongest protocol as stronger versions become available.

Keep Content and Software Updates Current

Current content and software updates ensure that you are always protected by the latest security patches and threat updates.

Related Documentation