<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Restrict Individual Administrators by Interface or IP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240918#M125438</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300"&gt;@Brandon_Wertz&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thank you for your reply.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I completely agree with you. In my post, I was replacing the inaccessible link (DOC-8042) with a new KB link, not referring to it as a solution to the original post.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 29 Oct 2025 22:16:57 GMT</pubDate>
    <dc:creator>PavelK</dc:creator>
    <dc:date>2025-10-29T22:16:57Z</dc:date>
    <item>
      <title>Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31259#M22848</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Is there a way to restrict access for specific administrators by interface or IP address? I really thought I'd seen this somewhere, but now I cannot find it in the GUI or docs.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Quick explanation of what we want to do. We want to have a sort of backdoor, emergency access to the firewalls directly from the Internet. That is, should some catastrophic network event (big misconfiguration or failure of the firewalls themselves, the core network, or remote access devices) break our usual ability to log in via remote access VPN and come into the firewalls' management interfaces, we want to be able to connect directly into the firewalls from the Internet. These firewalls are in a data center, so it's at least a half-hour car ride even during business hours, plus we want our off-site managed services provider to also have this ability.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Usually, we use AD-backed authentication for administrators on the internal network. However, in the event of a failure, the AD servers may not be reachable, plus from a security point of view, using simple username-password authentication does not seem secure enough to face the Internet, even with source IP address restrictions. We would want to have a more secure local authentication method. Luckily, public-key-based authentication methods (SSH keys and HTTPS client certs) are both options for local administrator authentication.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So, those local accounts would seem to work out fine, but how do we block regular AD-based authentication from the Internet and allow it for the special local accounts?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Mar 2015 22:16:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31259#M22848</guid>
      <dc:creator>cosx</dc:creator>
      <dc:date>2015-03-26T22:16:54Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31260#M22849</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess you are looking to configure permitted IP addresses, which would restrict access to the public interface of the firewall to only those users.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can refer to the document below:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-8042"&gt;Allowing Specific IP Addresses to Access the Palo Alto Network Device&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You would have to add the permitted IP addresses in the management profile (Network -&amp;gt; Interface Management).&lt;/P&gt;&lt;P&gt;Then call this profile in the interface (Network -&amp;gt; Interface -&amp;gt; Advanced) settings.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;By doing so, you would be allowing access just to those users associated with the IP addresses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Ramya&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Mar 2015 23:03:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31260#M22849</guid>
      <dc:creator>rrajendran</dc:creator>
      <dc:date>2015-03-26T23:03:09Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31261#M22850</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Cosx,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can enable HTTPS and SSH on the public-facing interface, i.e. the untrust interface, and specify the permitted IP addresses as mentioned in the link below.&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-8042"&gt;Allowing Specific IP Addresses to Access the Palo Alto Network Device&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To have another layer of security, you can also create a security policy from the untrust zone to the untrust zone and specify which IP addresses are allowed as source, and also mention the HTTPS and SSH applications. This helps if you have the intra-zone policy set to block, i.e. untrust to untrust zone blocked.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Nitesh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Mar 2015 01:02:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31261#M22850</guid>
      <dc:creator>nnayak2</dc:creator>
      <dc:date>2015-03-27T01:02:38Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31262#M22851</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, I can limit source IP addresses at either the Interface Management level or within the Security Policy. But &lt;STRONG&gt;any&lt;/STRONG&gt; administrator will then be able to access from the allowed IP addresses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I want to restrict some IP addresses to only certain administrators. For example, the administrator "johndoe" can only access HTTPS or SSH management via the management interface and/or from 10.100.0.0/16. Another user, "joefailsafe," can get in over an Internet-facing interface from &amp;lt;some-public-internet&amp;gt;/29 addresses. Whether joefailsafe also has access via the management interface and internal IPs, I don't care. What I do &lt;STRONG&gt;not&lt;/STRONG&gt; want is for johndoe to be able to get in from the Internet at &amp;lt;some-public-internet&amp;gt;/29.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Using the features mentioned in the two previous responses, there is no difference in accessibility for johndoe and joefailsafe. (Again, I'm not sure that there is a way to do this in PAN-OS. I thought I had seen the feature somewhere, but now I'm pretty sure I must have imagined it or be confusing our firewalls with some other device/OS.)&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Mar 2015 16:18:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31262#M22851</guid>
      <dc:creator>cosx</dc:creator>
      <dc:date>2015-03-27T16:18:59Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31263#M22852</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1. You can do this for an admin user from AD, as you can specify the source user as well as the source IP address in the same security policy that I mentioned in my previous update.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here are the requirements for it:&lt;/P&gt;&lt;P&gt;- User identification needs to be enabled on the untrust interface&lt;/P&gt;&lt;P&gt;- AD needs to have the mapping of public IP address to user so that the firewall can poll that information and map it to the security policy&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There can be some drawbacks too:&lt;/P&gt;&lt;P&gt;- The firewall will try to talk to AD to resolve a name for any public IP address coming in on the untrust interface.&lt;/P&gt;&lt;P&gt;This will be very process intensive and can also produce a lot of system logs of failed attempts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2. The firewall might not map a local admin user and its IP address for access to the firewall itself.&lt;/P&gt;&lt;P&gt;This can be a feature request, which can be discussed with your account/sales team.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 27 Mar 2015 17:09:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/31263#M22852</guid>
      <dc:creator>nnayak2</dc:creator>
      <dc:date>2015-03-27T17:09:30Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240869#M125426</link>
      <description>&lt;P&gt;I need to do this 10 years after the original post; however, the link provided no longer exists.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can I get some support on this task, please?&lt;/P&gt;</description>
      <pubDate>Tue, 28 Oct 2025 20:34:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240869#M125426</guid>
      <dc:creator>Warron_F</dc:creator>
      <dc:date>2025-10-28T20:34:42Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240873#M125427</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/264025"&gt;@Warron_F&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Although I do not know what content was in the original link, this KB:&amp;nbsp;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClovCAC" target="_self"&gt;Allowing Specific IP Addresses to Access the Palo Alto Network Device&lt;/A&gt;&amp;nbsp;looks like it has the same name and likely the same content as well.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&lt;/P&gt;</description>
      <pubDate>Wed, 29 Oct 2025 00:30:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240873#M125427</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2025-10-29T00:30:17Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240899#M125430</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693"&gt;@PavelK&lt;/a&gt;&amp;nbsp;-- Unfortunately I don't think that link provides the details for accomplishing what's being asked, and really I don't think Palo can/ever had the ability to do what's being asked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What's being asked is to tie an authorized user ID to a defined IP source.&amp;nbsp; Meaning that you or I could be coming from the same IP but you're allowed and I'm not.&lt;/P&gt;</description>
      <pubDate>Wed, 29 Oct 2025 12:34:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240899#M125430</guid>
      <dc:creator>Brandon_Wertz</dc:creator>
      <dc:date>2025-10-29T12:34:07Z</dc:date>
    </item>
    <item>
      <title>Re: Restrict Individual Administrators by Interface or IP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240918#M125438</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300"&gt;@Brandon_Wertz&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;thank you for your reply.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I completely agree with you. In my post, I was replacing the inaccessible link (DOC-8042) with a new KB link, not referring to it as a solution to the original post.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 29 Oct 2025 22:16:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/restrict-individual-administrators-by-interface-or-ip/m-p/1240918#M125438</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2025-10-29T22:16:57Z</dc:date>
    </item>
  </channel>
</rss>