Network > Network Profiles > Interface Mgmt

An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). To assign an Interface Management profile, see Network > Interfaces.
Do not attach an interface management profile that allows Telnet, SSH, HTTP, or HTTPS to an interface that allows access from the internet or from other untrusted zones inside your enterprise security boundary. This includes the interface where you have configured a GlobalProtect portal or gateway; GlobalProtect does not require an interface management profile to enable access to the portal or the gateway. Refer to the Best Practices for Securing Administrative Access for details on how to protect access to your firewalls and Panorama.
Do not attach an interface management profile that allows Telnet, SSH, HTTP, or HTTPS to an interface where you have configured a GlobalProtect portal or gateway because this will expose the management interface to the internet.
Field
Description
Name
Enter a profile name (up to 31 characters). This name appears in the list of Interface Management profiles when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Administrative Management Services
  • Telnet—Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH.
    Enable SSH instead of Telnet for management traffic on the interface.
  • SSH—Use for secure access to the firewall CLI.
  • HTTP—Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS.
    Enable HTTPS instead of HTTP for management traffic on the interface.
  • HTTPS—Use for secure access to the firewall web interface.
Network Services
  • Ping—Use to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server.
Permitted IP Addresses
Enter the list of IPv4 or IPv6 addresses from which the interface allows access.
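An audit of these settings over an exported configuration, added here as an example and not taken from Palo Alto Networks documentation: it flags profiles that enable Telnet or HTTP, profiles that enable administrative services with no Permitted IP Addresses entries, and administrative profiles attached to interfaces you list as untrusted. The XML element names, the sample configuration and the `untrusted_ifaces` parameter are assumptions; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed PAN-OS config export layout.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><network>
<profiles><interface-management-profile>
  <entry name="legacy"><telnet>yes</telnet><http>yes</http><ping>yes</ping></entry>
  <entry name="admin"><ssh>yes</ssh><https>yes</https>
    <permitted-ip><entry name="10.10.0.0/24"/></permitted-ip></entry>
  <entry name="ping-only"><ping>yes</ping></entry>
</interface-management-profile></profiles>
<interface><ethernet>
  <entry name="ethernet1/1"><layer3>
    <interface-management-profile>admin</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3>
    <interface-management-profile>legacy</interface-management-profile></layer3></entry>
</ethernet></interface>
</network></entry></devices></config>"""

ADMIN = ("telnet", "ssh", "http", "https")   # Administrative Management Services
PLAINTEXT = ("telnet", "http")               # services the page calls plaintext
REF_PATHS = ("interface-management-profile", "layer3/interface-management-profile")

def audit(xml_text, untrusted_ifaces):
    """Return sorted (profile, issue, detail) findings for the given config XML."""
    root = ET.fromstring(xml_text)
    attached = {}  # profile name -> interfaces that reference it
    for entry in root.iter("entry"):
        for path in REF_PATHS:
            ref = entry.find(path)
            if ref is not None and (ref.text or "").strip():
                attached.setdefault(ref.text.strip(), []).append(entry.get("name"))
    findings = []
    for prof in root.findall(".//profiles/interface-management-profile/entry"):
        name = prof.get("name")
        on = {s for s in ADMIN if (prof.findtext(s) or "").strip() == "yes"}
        for svc in sorted(on.intersection(PLAINTEXT)):
            findings.append((name, "plaintext-service", svc))
        if on and prof.find("permitted-ip/entry") is None:
            findings.append((name, "no-permitted-ip", ",".join(sorted(on))))
        for iface in attached.get(name, []):
            if on and iface in untrusted_ifaces:
                findings.append((name, "admin-on-untrusted", iface))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"ethernet1/1", "ethernet1/2"}):
        print(*finding, sep="\t")
```

A profile that enables only Ping, such as `ping-only` in the sample, produces no findings.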
