https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64586#M38694 <P>Thanks guys; will be configuring it behind a firewall on the OOBM&nbsp;link.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 14 Sep 2015 17:14:49 GMT Huddlebuy 2015-09-14T17:14:49Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64329#M38590 Hi, Is it a good idea to connect the mgmt interface directly to wan ? or should it only be accessible locally and via an access server for remote management ? Wed, 09 Sep 2015 10:40:37 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64329#M38590 Huddlebuy 2015-09-09T10:40:37Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64330#M38591 <P>It's a very bad idea.</P><P>&nbsp;</P><P>If you really want mgmt access directly from WAN; put management profile on some other L3 interface connected to WAN and restrict access within management profile and with firewall rules. This way you can also put security profiles on this rule, zone protection etc.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 09 Sep 2015 10:47:43 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64330#M38591 santonic 2015-09-09T10:47:43Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64344#M38601 <P>Hi Huddlebuy,</P><P>&nbsp;</P><P>Personally I like to setup GlobalProtect for businesses which require remote management to the PA firewalls.. As you get a single free portal and gateway license prior to version 7 (Portal license is free).</P><P>&nbsp;</P><P>Setup GlobalProtect and enable HTTPS and/or SSH in an interface&nbsp;management profile and add to&nbsp;the GlobalProtect Tunnel Interface.</P><P>&nbsp;</P><P>Hope this helps.</P><P>regards,</P><P>Ben</P> Wed, 09 Sep 2015 13:47:32 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64344#M38601 Ben-W 2015-09-09T13:47:32Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64371#M38615 <P>I'd go a step further and restrict access for a specific set of IPs or Networks.</P> Wed, 09 Sep 2015 18:35:20 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64371#M38615 Brandon_Wertz 2015-09-09T18:35:20Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64551#M38675 <P>Yeah, for normal everyday access to firewall VPN client and accessing mgmt interface in LAN is the way to go. But access directly from WAN is&nbsp;typcially needed&nbsp;when something is wrong with the firewall. In that case GP might not be working and you won't be able to use such access. Then a mgmt access to WAN is needed but should only be allowed from a few IPs.</P> Mon, 14 Sep 2015 07:33:43 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64551#M38675 santonic 2015-09-14T07:33:43Z https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64586#M38694 <P>Thanks guys; will be configuring it behind a firewall on the OOBM&nbsp;link.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 14 Sep 2015 17:14:49 GMT https://live.paloaltonetworks.com/t5/general-topics/management-interface/m-p/64586#M38694 Huddlebuy 2015-09-14T17:14:49Z