<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Management Interface outside of firewall in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30797#M22546</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tim, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Following are the services which you can enable or disable on the management interface. You can locate this on Device tab --&amp;gt; setup --&amp;gt; management&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="Capture.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9001_Capture.PNG.png" style="width: 620px; height: 306px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, if you have your management traffic passing through the firewall, you can create a security policy to only allow the services that you want. Make sure you still need to get software and dynamic updates from the internet.&lt;/P&gt;&lt;P&gt;Following are most of the services which take the management interface for communication unless specified differently. You can access this tab from Device tab --&amp;gt; setup --&amp;gt; services&lt;/P&gt;&lt;P&gt;&lt;IMG alt="Capture.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9002_Capture.PNG.png" style="width: 620px; height: 323px;" /&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;BR /&gt;Thanks&lt;/P&gt;&lt;P&gt;Numan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 09 Oct 2013 19:21:44 GMT</pubDate>
    <dc:creator>mbutt</dc:creator>
    <dc:date>2013-10-09T19:21:44Z</dc:date>
    <item>
      <title>Management Interface outside of firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30796#M22545</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Knowing that one does not *usually* put a device management interface outside of the firewall, on the public Internet, in the case of PAN gateways is there any severe problem with this? I have a situation where putting the management of these devices on the private management network would require quite a bit of additional configuration, bandwidth use for updates, etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The only things that I have confirmed/know are listening are https/ssh/snmp, the first two of which are considered "secure". SNMP can be configured read-only easily enough.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What else would you consider a concern?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 18:01:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30796#M22545</guid>
      <dc:creator>TimGrossner</dc:creator>
      <dc:date>2013-10-09T18:01:38Z</dc:date>
    </item>
    <item>
      <title>Re: Management Interface outside of firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30797#M22546</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tim, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Following are the services which you can enable or disable on the management interface. You can locate this on Device tab --&amp;gt; setup --&amp;gt; management&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="Capture.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9001_Capture.PNG.png" style="width: 620px; height: 306px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;However, if you have your management traffic passing through the firewall, you can create a security policy to only allow the services that you want. Make sure you still need to get software and dynamic updates from the internet.&lt;/P&gt;&lt;P&gt;Following are most of the services which take the management interface for communication unless specified differently. You can access this tab from Device tab --&amp;gt; setup --&amp;gt; services&lt;/P&gt;&lt;P&gt;&lt;IMG alt="Capture.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/9002_Capture.PNG.png" style="width: 620px; height: 323px;" /&gt;&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;BR /&gt;Thanks&lt;/P&gt;&lt;P&gt;Numan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 19:21:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30797#M22546</guid>
      <dc:creator>mbutt</dc:creator>
      <dc:date>2013-10-09T19:21:44Z</dc:date>
    </item>
    <item>
      <title>Re: Management Interface outside of firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30798#M22547</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This should be ok. Only http, ocsp, https, snmp, ping, telnet, user-id, ssh are available on the management interface.&lt;/P&gt;&lt;P&gt;I would not allow 'ping' to let everyone know it's available.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Apart from the above services, you can also restrict it to be available from only certain IPs - 'Permitted IPs'&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 23:37:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30798#M22547</guid>
      <dc:creator>ukhapre</dc:creator>
      <dc:date>2013-10-09T23:37:25Z</dc:date>
    </item>
    <item>
      <title>Re: Management Interface outside of firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30799#M22548</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It's possible to put the management interface on the outside network or on the Internet. The usual considerations apply - expose only the minimum footprint - only allow the traffic that needs to see it. In this case don't set it to respond to ICMP, only use encrypted protocols (SSL, SSH, etc.), and if at all possible limit the addresses that can log in via the permitted IP list. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Oct 2013 16:55:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/management-interface-outside-of-firewall/m-p/30799#M22548</guid>
      <dc:creator>SMF</dc:creator>
      <dc:date>2013-10-28T16:55:25Z</dc:date>
    </item>
  </channel>
</rss>

