Prisma SD-WAN lets you configure device management policies that control which sources can reach management services on the interfaces of an ION device.
Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license
The Device Management Policy allows administrators to control access to any L3 interface
of an ION device (for example, LAN or Internet interfaces). The policy defines
which source IP addresses can communicate directly with these ports for common
management services such as ping, SSH, and SNMP. By default, Internet ports are hardened
and do not accept any traffic addressed to their own IP address, with the exception of
secure fabric VPN formation.
When you need to expose the Internet port to monitoring tools or for
direct SSH management, the device management policy gives you precise control
over which sources can access services on the device. You can also use this policy
to harden other port types (LAN, controller, and private WAN) by blocking
services that are enabled by default.
Default Behavior by Port Type
Internet (WAN) Ports: By default, access to Internet-facing ports is
blocked for services like Ping, SNMP, and SSH. To enable these services, you
must explicitly configure them in the Device Management Policy.
LAN and Private WAN Ports: By default, LAN and private WAN ports are
open, allowing services like Ping, SNMP, and SSH. You can use the Device
Management Policy to block or restrict these services if needed.
Available Management Services and Protocols
When configuring the Device Management Policy, you can allow or restrict access for
the following services/protocols:
DHCP: Dynamic Host Configuration Protocol, used for assigning IP
addresses.
PING: ICMP echo request and reply, used to test network connectivity.
SNMP: Simple Network Management Protocol, used for network device
monitoring.
SSH: Secure Shell, used for secure remote command-line access.
TRACEROUTE: Used to trace the path a packet takes to reach a destination.
BGP: Border Gateway Protocol, a routing protocol.
SpokeHASync: This is the High Availability (HA) synchronization protocol
used between two ION devices. While HA sync is often configured on a dedicated
LAN-side interface, this protocol can also be managed through the Device
Management Policy.
Use Cases
Allowing Access to WAN Interfaces: Keep all inbound management access to WAN ports
blocked (the default) and allow only specific services, such as SSH from known
administrative sources, when required.
Restricting LAN Access: For security and operational reasons, you might
want to block certain services (for example, ping) on internal LAN ports.
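The default behavior per port type and the two use cases above can be captured in a small policy evaluator. The following Python is an added example written for this page; it is not Palo Alto Networks code and does not use the Prisma SD-WAN API. The rule structure and field names, the treatment of the controller port as open by default (this page only says it can be hardened), and the management subnet 203.0.113.0/24 are assumptions.

```python
"""Hypothetical model of Device Management Policy evaluation (added example,
not product code). Encodes the defaults described on this page:
  - Internet (WAN) ports: management services blocked unless a rule allows them.
  - LAN and private WAN ports: services open unless a rule blocks them.
  - Controller port: assumed open by default (the page says it can be hardened).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Literal, Tuple

Action = Literal["allow", "deny"]

# Default stance per port type (True = service reachable with no matching rule).
DEFAULT_ALLOW = {
    "internet": False,
    "lan": True,
    "private_wan": True,
    "controller": True,  # assumption, see module docstring
}

# Services the policy can allow or restrict, as listed on this page.
SERVICES = {"DHCP", "PING", "SNMP", "SSH", "TRACEROUTE", "BGP", "SpokeHASync"}


@dataclass(frozen=True)
class Rule:
    """One policy rule (hypothetical field names). Empty `sources` means any source."""
    port_type: str
    service: str
    action: Action
    sources: Tuple  # tuple of ip_network objects

    @classmethod
    def make(cls, port_type: str, service: str, action: Action, sources=()):
        if port_type not in DEFAULT_ALLOW:
            raise ValueError(f"unknown port type {port_type!r}")
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        # strict=False accepts host bits set, e.g. "203.0.113.7/24".
        nets = tuple(ip_network(s, strict=False) for s in sources)
        return cls(port_type, service, action, nets)

    def matches(self, port_type: str, service: str, src) -> bool:
        if self.port_type != port_type or self.service != service:
            return False
        if not self.sources:
            return True
        # IPv4 address in IPv6 network (or vice versa) is simply False.
        return any(src in net for net in self.sources)


def evaluate(rules: List[Rule], port_type: str, service: str, src_ip: str) -> bool:
    """True if src_ip may reach `service` on a port of type `port_type`.

    First matching rule wins; with no match, the port type's default applies.
    """
    src = ip_address(src_ip)
    for rule in rules:
        if rule.matches(port_type, service, src):
            return rule.action == "allow"
    return DEFAULT_ALLOW[port_type]


def exposed_to_any(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Hardening check: allow rules on Internet ports with no source restriction.

    Such a rule re-opens a service the platform hardened by default to the whole
    Internet; a reviewer would expect every Internet allow rule to name sources.
    """
    return [(r.port_type, r.service) for r in rules
            if r.port_type == "internet" and r.action == "allow" and not r.sources]


# Constructed policy implementing the two use cases on this page:
#   1. allow SSH on the Internet port, but only from an assumed management subnet;
#   2. block ping on LAN ports.
POLICY = [
    Rule.make("internet", "SSH", "allow", ["203.0.113.0/24"]),
    Rule.make("lan", "PING", "deny"),
]

if __name__ == "__main__":
    checks = [
        ("internet", "SSH", "203.0.113.7"),    # management host -> allowed
        ("internet", "SSH", "198.51.100.9"),   # other source -> default deny
        ("internet", "SNMP", "203.0.113.7"),   # no rule for SNMP -> default deny
        ("lan", "PING", "10.0.0.5"),           # explicitly denied
        ("lan", "SSH", "10.0.0.5"),            # LAN default open
        ("private_wan", "SNMP", "172.16.0.2"), # private WAN default open
    ]
    for port, svc, ip in checks:
        print(f"{port:12} {svc:6} from {ip:15} -> {'allow' if evaluate(POLICY, port, svc, ip) else 'deny'}")
    print("exposed to any source on Internet ports:", exposed_to_any(POLICY))
```

The evaluator makes the asymmetry explicit: on an Internet port a missing rule means deny, so SNMP stays closed even though SSH is opened, while on LAN and private WAN ports a missing rule means allow, so only the services you explicitly block are affected. `exposed_to_any` is the review you would run before pushing a policy: an Internet allow rule with no sources undoes the hardening the platform applies by default.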