Protecting your network begins with a secure firewall deployment. It is very important to secure the management interface and management network to prevent exploitation. So even when an attacker or disgruntled (ex-)employee knows the login credentials of your devices, you can still prevent them from getting in.
Best practice is to use the out-of-band (mgt) port for the firewall administrative tasks. We understand that there are some scenarios where, instead of using the mgmt-port, one would configure one of the data ports for mgmt access to the firewall. Whatever your setup is, it is key to make it a hard target for the attackers and protect the firewall/Panorama and NEVER enable access to your mgmt interface from the internet or from other untrusted zones. This applies whether you use the dedicated management port (MGT) or you configure a data port as your management interface.
Below are some guidelines to reduce exposure to your management interface (Device > Setup > Interfaces > Management):
Isolate the management interface on a dedicated management VLAN.
Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
Limit inbound connections to your mgt interface to the IP addresses of approved management devices. This reduces the attack surface by blocking access from unexpected addresses, and it also blocks logins with stolen credentials from anywhere other than those approved devices. (1)
Only permit secured communication such as SSH, HTTPS. (2)
Only allow PING for testing connectivity to the interface. (3)
If you're using a data port for the management of your device, then you will work with an Interface Management Profile to restrict access to that interface (Network > Network Profiles > Interface Mgmt):
Aside from limiting access to the management interface, there are also guidelines for the administrator accounts:
It is recommended to remove the default 'admin' account from your device. Note: You can only delete the default admin account using a new superuser account.
Example system log entry after the deletion: "Default admin account was deleted by supremeleader"
Do NOT share administrative accounts. Instead, create a separate account for each administrator. This allows you to better protect the firewall from unauthorized configuration. It also enables you to monitor every action of each individual administrator.
Assign admin roles to your different administrators and allow only those actions that are needed (some administrators might be allowed to change security policies, while others are only allowed to check log files, for example). The firewall has some predefined admin roles available, but you can easily configure your custom admin role profile (Device > Admin Roles).
Use one of the predefined profiles or create your own custom profile
Configure a strict password policy, including requiring frequent password changes (Device > Setup > Management > Minimum Password Complexity). Strong password policies protect you from various password hacking techniques.
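The guidelines above can be checked against a firewall's exported XML configuration. The script below is an added example (not from Palo Alto Networks or this article) that audits a constructed sample export for the management-interface, default-account and password-policy points covered above; the element names (deviceconfig/system/permitted-ip, deviceconfig/system/service, mgt-config/users, mgt-config/password-complexity) are assumed from typical PAN-OS exports and may need adjusting for your version.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS XML configuration export, trimmed to the
# elements this audit looks at (element names are an assumption, see lead-in).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip><entry name="10.10.1.0/24"/></permitted-ip>
      <service><disable-telnet>yes</disable-telnet><disable-http>no</disable-http></service>
    </system></deviceconfig>
  </entry></devices>
  <mgt-config>
    <users>
      <entry name="admin"/>
      <entry name="alice"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    </users>
    <password-complexity><enabled>no</enabled></password-complexity>
  </mgt-config>
</config>"""


def audit_mgmt_config(xml_text):
    """Return a list of findings; an empty list means the checked guidelines are met."""
    root = ET.fromstring(xml_text)
    findings = []
    system = root.find("./devices/entry/deviceconfig/system")

    # Guideline: inbound management access limited to approved addresses.
    permitted = [] if system is None else [e.get("name") for e in system.findall("./permitted-ip/entry")]
    if not permitted:
        findings.append("no permitted-ip list: management interface accepts connections from any address")

    # Guideline: only secured protocols (SSH, HTTPS); cleartext telnet and HTTP must be disabled.
    for svc in ("disable-telnet", "disable-http"):
        node = None if system is None else system.find(f"./service/{svc}")
        if node is None or (node.text or "").strip() != "yes":
            findings.append(f"{svc} is not set to yes: cleartext management protocol enabled")

    # Guideline: remove the default 'admin' account once another superuser exists.
    names = {u.get("name") for u in root.findall("./mgt-config/users/entry")}
    if "admin" in names:
        findings.append("default 'admin' account still present")

    # Guideline: enforce a minimum password complexity policy.
    enabled = root.find("./mgt-config/password-complexity/enabled")
    if enabled is None or (enabled.text or "").strip() != "yes":
        findings.append("minimum password complexity is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```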