We have a PA200 that is in a remote branch location. It's connected via IPSec tunnel for management purposes.
After we had to switch it out last year because of a recall, I found it useful to create an interface management profile with our specific HQ public IPs allowed access to it, in order to log in to it when the IPSec tunnel was not available (or in case it was not available for whatever reason).
In general: Is it a good idea (or not), or common to maintain an interface management profile assigned to public interface with specific public IPs access only, as a backup connection option?
So this is where you kind of have to look at the risk vs reward aspect of things and see if it makes sense for your company. You're exposing management access from a public interface, and while you limited it via <permitted-ip> entries there is always the possibility that a bug in PAN-OS eventually gets discovered that allows someone to bypass that. That being said, it would still require that they actually be able to log into the device.
As for your question specifically, I feel like you've taken reasonable steps to secure device access while allowing a backup management method. I myself have many remote PA-200/PA-220s configured exactly like this for less sensitive environments. That being said, for remote health clinics or branch bank offices, I absolutely wouldn't expose the management services on a publicly available interface even when using permitted IP entries. The risk of doing so simply wouldn't be worth avoiding an on-site visit.
Like I said, this depends on your particular company's risk assessment. For the majority of businesses, I would say you are doing things the best way you can while still being able to manage the device remotely if the tunnel goes down. If you work in a more risk-averse industry, it might not be worth it.
I really liked your comment @BPry!
The only thing I could add is to configure two additional intrazone rules.
One to allow only specific public addresses to connect to the firewall public IP address.
Second to deny any source to reach the firewall public IP.
On first look it doesn't make much sense, since the <permitted-ip> is doing the exact same thing, but for the reason that you pointed out: you never know when an OS bug will be found to bypass the <permitted-ip>.
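The interface management profile plus the two intrazone rules described in this thread, written out in PAN-OS set-command syntax as an added example (this is not either poster's configuration). Interface ethernet1/1, zone untrust, the firewall public IP 198.51.100.1 and the HQ addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders; lines beginning with # are annotations, not CLI input.

```text
# Management profile: only HTTPS and SSH, reachable only from the HQ addresses.
# permitted-ip is the first filter; the security rules below are the backstop.
set network profiles interface-management-profile HQ-BACKUP-MGMT https yes
set network profiles interface-management-profile HQ-BACKUP-MGMT ssh yes
set network profiles interface-management-profile HQ-BACKUP-MGMT permitted-ip 203.0.113.10/32
set network profiles interface-management-profile HQ-BACKUP-MGMT permitted-ip 203.0.113.11/32
# Bind the profile to the public (WAN) interface.
set network interface ethernet ethernet1/1 layer3 interface-management-profile HQ-BACKUP-MGMT

# Rule 1 (intrazone, untrust -> untrust): allow only HQ to reach the firewall's own
# public IP on the management applications, logged so every backup login is recorded.
set rulebase security rules Allow-HQ-Backup-Mgmt rule-type intrazone from untrust to untrust
set rulebase security rules Allow-HQ-Backup-Mgmt source [ 203.0.113.10 203.0.113.11 ] destination 198.51.100.1
set rulebase security rules Allow-HQ-Backup-Mgmt application [ ssh ssl ] service application-default action allow log-end yes

# Rule 2: deny anything else to the firewall's public IP. The logged denies are the
# detection signal that someone is probing the exposed management address.
set rulebase security rules Deny-Mgmt-Public-IP rule-type intrazone from untrust to untrust
set rulebase security rules Deny-Mgmt-Public-IP source any destination 198.51.100.1 application any service any action deny log-end yes

# Order matters: the allow rule must sit above the deny rule in the rulebase.
move rulebase security rules Deny-Mgmt-Public-IP after Allow-HQ-Backup-Mgmt
commit
```

After the commit, a quick check is to log in from one of the HQ addresses and confirm the session appears in the traffic log against Allow-HQ-Backup-Mgmt, then watch for hits on Deny-Mgmt-Public-IP over the following days to see how much unsolicited traffic the exposed address attracts.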