Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

secure-management_LIVEcommunity.jpg

 

Protecting your network begins with a secure firewall deployment. It is very important to secure the management interface and management network to prevent exploitation. So even when an attacker or disgruntled (ex-)employee knows the login credentials of your devices, you can still prevent them from getting in.

 

Best practice is to use the out-of-band (mgt) port for the firewall administrative tasks. We understand that there are some scenarios where, instead of using the mgmt-port, one would configure one of the data ports for mgmt access to the firewall. Whatever your setup is, it is key to make it a hard target for the attackers and protect the firewall/Panorama and NEVER enable access to your mgmt interface from the internet or from other untrusted zones. This applies whether you use the dedicated management port (MGT) or you configure a data port as your management interface.

 

MGMT interface port on the NGFW 

 

Below are some guidelines to reduce exposure to your management interface (Device > Setup > Interfaces > Management):

 

  • Isolate the management interface on a dedicated management VLAN.
  • Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
  • Limit inbound IP addresses to your mgt interface to approved management devices. This will reduce the attack surface by preventing access from unexpected IP addresses and prevents access using stolen credentials. (1) 
  • Only permit secured communication such as SSH, HTTPS. (2)
  • Only allow PING for testing connectivity to the interface. (3)

 

Device > Setup > Interfaces > ManagementDevice > Setup > Interfaces > Management
 
If you're using a data port for the management of your device then you will work with a Management Profile to restrict access to the interface (Network > Network Profiles > Interface Mgmt
 

Dataplane of the NGFW configured with an Interface Management Profile

 

 

Network > Network Profiles > Interface MgmtNetwork > Network Profiles > Interface Mgmt

 

Aside from limiting access to the management interface, there are also guidelines for the administrator accounts:

 

  • It is recommended to remove the default 'admin' account from your device.  Note: You can only delete the default admin account using a new superuser account.

 

Default admin account was deleted by supremeleaderDefault admin account was deleted by supremeleader

 

 

  • Do NOT share administrative accounts.  Instead, create a separate account for each administrator. This allows you to better protect the firewall from unauthorized configuration. It also enables you to monitor every action of each individual administrator.
  • Assign admin roles to your different administrators and allow only those actions that are needed (some administrators might be allowed to change security policies, while others are only allowed to check log files, for example). The firewall has some predefined admin roles available, but you can easily configure your custom admin role profile (Device > Admin Roles).

 

Use one of the predefined profiles or create your own custom profileUse one of the predefined profiles or create your own custom profile

 

 

  •  Configure a strict password policy, including requiring frequent password changes (Device > Setup > Management > Minimum Password Complexity). Strong password policies protect you from various password hacking techniques.

 

Device > Setup > Management >  Minimum Password ComplexityDevice > Setup > Management > Minimum Password Complexity

 

 

 

Can you think of other ways to secure your device management ? Feel free to add your comments below!

 

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

 

Kiwi out!

 

8 Comments
L1 Bithead

Hi,

 

Is it recommended to access PA firewall via another interface instead of Management Interface.

 

Regards,

Umesh Kumar

L0 Member

Consider implementing an air-gap by placing a separate switch between the management port and your main switch.  This intermediary switch can be remotely powered on or off as needed, using a smart power strip for easy control.  This approach is feasible for small businesses with a limited number of administrators.  However, if multiple administrators require access, it may introduce some limitations, as coordination will be needed to ensure one administrator is aware of another’s access needs.  Alternatively, multiple administrators could have the capability to power the switch and control the air-gap. This is one possible approach for enhancing network security.

L0 Member

Is there a best practice method to follow to complete disable "data port" access to the firewall?

1. To secure the access to the management interface of the firewall, we should use virtual domain like VDI and we can restrict the access to the management of the firewall by permitting only VDI subnet to management interface.

2. We can use a certificate for the management interface of the firewall. 

Steps are given below:

1. Create a certificate and generate the CSR.

2. Create SSL and TLS service profile for the newly created certificate.

3. Map the SSL & TLS certificate to the management interface of the firewall. 

--> device > setup > management > general setting > SSL/TLS service profile > select certificate.

 

Best regards

Anurag Ganvir

 

 

L4 Transporter

I would just like to add that if you are wanting/needing in band management, or simply to subject management traffic to more security inspection carryout the following 

 

  1. Add a Loopback interface for the management IP
  2. Put the loopback into it's own zone
  3. Attach the management profile, with a populated permitted list  to the loopback interface
  4. Create rules from all zones that you will access it from and apply security profiles to those rules
  5. Create deny rules specifically from any untrusted Zones
  6. Log at Session Start for more visibility
  7. Create log forwarding profile to alert via email of SNMP trap when rule is hit

This provides security inspection of the traffic, two layers of IP control and high visibility of admins accessing the mgmt interface.

L1 Bithead

Does anyone know if the "permitted ip" area still includes firewall to firewall traffic?  Previous versions of the OS used this same permitted ip area for admin traffic as well as firewall to firewall ACL. 

L2 Linker

I am finding that when using Panorama, every managed firewall needs to be able to connect back to the management IP of the Panorama appliance to pass the connectivity tests after pushing a new configuration to the firewalls. Otherwise, the configuration push will get rolled back because the firewall fails the connectivity test back to Panorama.

 

It also appears that when a pair of firewalls in are HA, the backup heartbeat is done through the management interfaces, so the management interface of each firewall needs to be open to the other management interface.

L4 Transporter

I should have just mentioned that where you have Active/Passive Firewalls the connectivity back to Panorama has to be through the mgmt interface, unless somebody knows of another way as the passive device has no connectivity through its Dataplane interfaces so will show as disconnected in Panorama until it becomes active.

So as long as you are still using mgmt interface (dedicated) to connect back to Panorama HA should be fine when in A/P mode, if using service routes to avoid bandwidth constriction on the mgmt interface there are two Panorama configs that should be left at either default (mgmt) or specifically select the mgmt interface.

Also helps to remember that in the HA scenario when using that Dataplane IP to connect to the firewall you will, of course, always connect to the Active firewall and will need an alternative way of connecting to the Passive.

 

Hope this helps.

  • 127434 Views
  • 8 comments
  • 22 Likes
Register or Sign-in
Labels