This is Tom with the Community team and today we're going to take a look at how to harden your configuration.
The Palo Alto firewalls have been designed with security in mind, but you still need to take a couple of steps to improve the security of your management interface.
One of the first things you'll want to do is change the default administrator password. If you browse over to the device tab and go to administrators:
This will already prevent any unauthorized access while you prepare your firewall for further deployment.
Another step is to segregate administrators into different groups and provide them different access. You can do this by going to the admin roles and creating a new role. There are a couple of defaults in there already but I'll start with a fresh one to demonstrate what we can do.
For example, if we have a group of administrators that only need to have access to specific logs for example. We can simply deactivate all the parts they don't need access to. For example, we can disable policies, we can disable objects, networks, the device tab. If we don't want them to be able to see full IP addresses or usernames attached in logs, we can disable those for privacy as well.
If we now create an administrator and set it to 'role based' and choose the log-admin profile.
Let's just go ahead and commit this...
I'm going to log out, and then I'm going to log back in as the newly created logadmin.
As you can see, several of the usual tabs have been removed: there's no more network tab, there's no more objects, there's no more system. The only thing that's available are the features that were left in the profile. So I can now only access the Dashboard, ACC and the monitor with this administrator account. All the IP addresses have also been anonomized, so this administrator cannot identify a single IP address.
Let me log back on.
From the management tab, you can select the Minimum Password Complexity:
This will allow you to set several parameters, like minimum password length, minimum number of upper/lower , numeric and special characters. Block repeating of characters. It can require administrators to change their password upon the first logon and set a period of time each password will be valid for.
Let's set a couple of common values like a minimum password length of seven, minimum number of uppercase one, minimum number of lower case one, minimum numeric one, minimum number of special characters one. let's prevent the reuse of 2 passwords, require changing the password every sixty days, have a ten-day grace period before the password needs to be changed and then require the administrator to change their password the first time they log on.
You can also set a password profile, which is a simplified version of the minimum password complexity. The minimum password complexity is going to be applied globally where a password profile can be applied to a single administrator where it will override the global setting. So if i change this to, for example, ten days and nothing else, I can go to the administrators and override the global setting with my password profile.
Next step: limiting access to the interface itself is always a good idea. If we go to the setup tab and select interfaces, and then open the management interface.
First off, you can select which services are made available on the interface itself. It's always a good idea to disable ping, that makes the interface undiscoverable by ping: makes it less likely for someone to stumble upon the interface. Same goes for any management profiles applied to the dataplane interfaces. And add a list of permitted IP addresses for your administrators , either a subnet or a single slash thirty-two (.../32) IP addresses so that only those IP addresses will have access to this interface.
For the dataplane interfaces, you can go to the Network tab, access the interface Management, create a profile, enable the services you want to be made available. so for administrators SSH and SSL can be interesting. SNMP might be a good idea for some monitoring, and then add any and all IP addreses that should be allowed to access this interface including any SNMP monitor. then go ahead and access the interface, and add the profile to the interface.
While we're on the topic of SNMP, if you go to operations and alter the SNMP setup, we can change the SNMP community string to something complex, so that it cannot be easily guessed and people cannot abuse your SNMP environment, or if you have an SNMPv3 enabled SNMP server, go ahead and enable this, which is even more secure.
Lastly, it might be a good idea to set up a log forwarding profile for system logs, right here, for your configuration log entries. That way, if something happens on your system, maybe someone changes your configuration or something else happens, your logs will be forwarded off system onto maybe a Panorama or possibly an email address.
Let me show you how that looks: you can add a email profile, you can add a server, a display name, from, to , additional recipient (let's leave that empty for now), and then the email gateway.
My last recommendation is more of a physical nature: make sure that the management interface is located in a segregated network, either an out-of-band network or a separate VLAN, that can only be accessed by the administrators that are supposed to be accessing that interface.
Now, the final steps: