Prisma SD-WAN
Device Management Policies
Prisma SD-WAN lets you configure device management policies that control which
sources can reach management services on an ION device's interfaces.
The Device Management Policy allows administrators to control access to any L3 interface
(for example, LAN or Internet interfaces) of an ION device. The policy defines
which source IP addresses can communicate directly with these ports for common
management services such as ping, SSH, and SNMP. By default, Internet ports are hardened
and do not accept any communication addressed to their IP addresses, with the exception
of secure fabric VPN formation.
When you need to expose the internet port to monitoring tools or for
direct SSH management, the device management policy gives you precise control
over which sources can access services on a device. You can also use this policy
to harden other port types (LAN, controller, and private WAN) by blocking
services that are enabled by default.
Default Behavior For Controller Port
- Internet (WAN) Ports: By default, access to Internet-facing ports is blocked for services like Ping, SNMP, and SSH. To enable these services, you must explicitly configure them in the Device Management Policy.
- LAN and Private WAN Ports: By default, LAN and private WAN ports are open, allowing services like Ping, SNMP, and SSH. You can use the Device Management Policy to block or restrict these services if needed.
Available Management Services and Protocols
When configuring the Device Management Policy, you can allow or restrict access for
the following services/protocols:
- DHCP: Dynamic Host Configuration Protocol, used for assigning IP addresses.
- PING: Packet Internet Groper, used to test network connectivity.
- SNMP: Simple Network Management Protocol, used for network device monitoring.
- SSH: Secure Shell, used for secure remote command-line access.
- TRACEROUTE: Used to trace the path a packet takes to reach a destination.
- BGP: Border Gateway Protocol, a routing protocol.
- SpokeHASync: This is the High Availability (HA) synchronization protocol used between two ION devices. While HA sync is often configured on a dedicated LAN-side interface, this protocol can also be managed through the Device Management Policy.
Use Cases
- Allowing Access to WAN Interfaces: Block all incoming access to WAN ports
by default and only allow specific services like SSH for administrative access,
if required.
- Restricting LAN Access: For security and operational reasons, you might
want to block certain services (for example, Ping) on internal LAN ports.
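As an added illustration (not Prisma SD-WAN code, and not the product's actual policy format), the following Python models the behavior described in the default-behavior section and the two use cases above: per-port-type defaults, explicit source-scoped rules for the listed services, and a small audit that flags the configuration a defender least wants to see, an Internet-port allow rule with no source restriction. The `Rule` fields, first-match evaluation order, the controller-port default, and the sample addresses are assumptions made for this example.

```python
"""Model of an ION device-management policy as described on this page.

Added illustration only: the Rule fields, the evaluation order (explicit rule
first, then the per-port-type default), the controller-port default and the
audit helper are assumptions, not the real Prisma SD-WAN policy schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Port types and management services named on the page.
PORT_TYPES = {"internet", "lan", "private_wan", "controller"}
SERVICES = {"DHCP", "PING", "SNMP", "SSH", "TRACEROUTE", "BGP", "SpokeHASync"}

# Page defaults: Internet ports block management services unless explicitly
# allowed; LAN and private WAN ports allow them unless explicitly blocked.
# Treating the controller port like LAN is an assumption of this model.
DEFAULT_ALLOW = {
    "internet": False,
    "lan": True,
    "private_wan": True,
    "controller": True,
}


@dataclass
class Rule:
    port_type: str
    service: str
    action: str                        # "allow" or "block"
    sources: tuple = ("0.0.0.0/0",)    # source prefixes this rule matches

    def __post_init__(self):
        if self.port_type not in PORT_TYPES or self.service not in SERVICES:
            raise ValueError(f"unknown port type or service: {self}")
        if self.action not in ("allow", "block"):
            raise ValueError(f"action must be allow or block: {self.action}")

    def matches(self, port_type, service, src):
        """True if this rule applies to the given port, service and source IP."""
        if (self.port_type, self.service) != (port_type, service):
            return False
        addr = ip_address(src)
        return any(addr in ip_network(prefix) for prefix in self.sources)


def is_allowed(rules, port_type, service, src):
    """First matching explicit rule wins; otherwise the port-type default applies."""
    for rule in rules:
        if rule.matches(port_type, service, src):
            return rule.action == "allow"
    return DEFAULT_ALLOW[port_type]


def audit(rules):
    """Flag allow rules on Internet ports whose source list matches any address."""
    findings = []
    for rule in rules:
        if rule.port_type == "internet" and rule.action == "allow":
            if any(ip_network(p).prefixlen == 0 for p in rule.sources):
                findings.append(f"{rule.service} on internet port open to any source")
    return findings


# Constructed policy implementing the two use cases on the page: SSH and SNMP
# on the Internet port only from named sources, and Ping blocked on the LAN.
POLICY = [
    Rule("internet", "SSH", "allow", ("203.0.113.0/24",)),     # admin hosts (constructed)
    Rule("internet", "SNMP", "allow", ("198.51.100.10/32",)),  # monitoring (constructed)
    Rule("lan", "PING", "block"),
]

if __name__ == "__main__":
    for port, svc, src in [("internet", "SSH", "203.0.113.5"),
                           ("internet", "SSH", "192.0.2.9"),
                           ("lan", "PING", "10.0.0.4"),
                           ("lan", "SSH", "10.0.0.4")]:
        print(port, svc, src, "allow" if is_allowed(POLICY, port, svc, src) else "block")
    print("audit findings:", audit(POLICY))
```

The audit is the check worth keeping around: a rule that allows SSH or SNMP on an Internet port from `0.0.0.0/0` undoes the default hardening the page describes, so it should be caught before the policy is pushed rather than discovered from the device's logs.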