<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Interface Management profile with public IPs? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/249026#M70844</link>
    <description>&lt;P&gt;Thank y'all for the feedback!!&lt;/P&gt;</description>
    <pubDate>Wed, 06 Feb 2019 14:56:01 GMT</pubDate>
    <dc:creator>OMatlock</dc:creator>
    <dc:date>2019-02-06T14:56:01Z</dc:date>
    <item>
      <title>Interface Management profile with public IPs?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/248927#M70816</link>
      <description>&lt;P&gt;Hi folks,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a PA200 that is in a remote branch location.&amp;nbsp; It's connected via IPSec tunnel for management purposes.&lt;/P&gt;&lt;P&gt;After we had to switch it out last year because of a recall, I found it useful to create an interface management profile with our specific HQ public IPs access to it, in order to login to it when the IPSec tunnel was not available (or in case it was not available for whatever reason).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In general:&amp;nbsp; Is it a good idea (or not), or common to maintain an interface management profile assigned to public interface with specific public IPs access only, as a backup connection option?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 05 Feb 2019 19:30:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/248927#M70816</guid>
      <dc:creator>OMatlock</dc:creator>
      <dc:date>2019-02-05T19:30:52Z</dc:date>
    </item>
    <item>
      <title>Re: Interface Management profile with public IPs?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/248974#M70824</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56398"&gt;@OMatlock&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So this is where you kind of have to look at the risk vs reward aspect of things and see if it makes sense for your company. You're exposing management access from a public interface, and while you limited it via &amp;lt;permitted-ip&amp;gt; entries there is always the possibility that a bug in PAN-OS eventually gets discovered that allows someone to bypass that. That being said, it would still require that they actually be able to log into the device.&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for your question specifically, I feel like you've taken reasonable steps to secure device access while allowing a backup management method. I myself have many remote PA-200/PA-220s configured exactly like this for less sensitive environments. That being said, for remote health clinics or branch bank offices, I absolutely wouldn't expose the management services on a publicly available interface even when using permitted IP entries. The risk of doing so simply wouldn't be worth avoiding an on-site visit.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Like I said, this depends on your particular company's risk assessment. For the majority of businesses, I would say you are doing things the best way you can while still being able to manage the device remotely if the tunnel goes down. If you work in a more risk-averse industry, it might not be worth it.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 03:38:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/248974#M70824</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-02-06T03:38:24Z</dc:date>
    </item>
    <item>
      <title>Re: Interface Management profile with public IPs?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/249001#M70837</link>
      <description>&lt;P&gt;I really liked your comment &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The only thing I could add is to configure two additional intrazone rules.&lt;/P&gt;&lt;P&gt;One to allow only specific public addresses to connect to the firewall public IP address.&lt;/P&gt;&lt;P&gt;Second to deny any source to reach the firewall public IP.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On first look it doesn't make much sense, since the &amp;lt;permitted-ip&amp;gt; is doing the exact same thing, but for the reason that you pointed out - you never know when an OS bug will be found to bypass the &amp;lt;permitted-ip&amp;gt;.&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 12:12:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/249001#M70837</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2019-02-06T12:12:13Z</dc:date>
    </item>
    <item>
      <title>Re: Interface Management profile with public IPs?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/249026#M70844</link>
      <description>&lt;P&gt;Thank y'all for the feedback!!&lt;/P&gt;</description>
      <pubDate>Wed, 06 Feb 2019 14:56:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/interface-management-profile-with-public-ips/m-p/249026#M70844</guid>
      <dc:creator>OMatlock</dc:creator>
      <dc:date>2019-02-06T14:56:01Z</dc:date>
    </item>
  </channel>
</rss>

