Why It's Essential to Secure Your Management Interface

This article written by Saad Khan.

Introduction

No network security system is secure if you don’t lock down administrative access to network devices. This is especially true for firewalls and security management devices such as Panorama because they are the gatekeepers and protectors of your network. Attackers who gain administrative access to these devices can reconfigure them in order to permit malicious access to your network remotely, facilitate the distribution of malware to endpoints, and even lock you out of your network.

Even with modern authentication methods applied, leaving the management exposed to the internet can expose the firewall to web-based attacks, including new zero-day vulnerabilities, brute force attacks, and operationally impacting DDoS attacks.  It is crucial to follow best practices and secure your firewall management interface in order to reduce the attack surface and protect your NGFW firewall and Panorama.

Secure Administrative Access Best Practices for Palo Alto Networks NGFWs

Watch this demo for securing your firewall management interface, which details best practices for securing your management interface, creating a secure admin account with restricted Role-Based access following best practices for account creation, and replacing the default master key to ensure all password hashes are encrypted with a unique master key.

Watch Now: Best Practices for Securing NGFW-MGMT interface

Best Practices for Securing NGFW-MGMT Interface

Video Player is loading.

Play Video

Play

Mute

Current Time 0:00

/

Duration 11:33

Loaded: 0%

00:00

Stream Type LIVE

Seek to live, currently behind liveLIVE

Remaining Time -11:33

 

1x

Playback Rate

Chapters

• Chapters

Descriptions

• descriptions off, selected

Captions

• captions settings, opens captions settings dialog
• captions off, selected

Audio Track

• en (Main), selected

Picture-in-PictureFullscreen

This is a modal window.

Beginning of dialog window. Escape will cancel and close the window.

Text

ColorWhiteBlackRedGreenBlueYellowMagentaCyanTransparencyOpaqueSemi-Transparent

Background

ColorBlackWhiteRedGreenBlueYellowMagentaCyanTransparencyOpaqueSemi-TransparentTransparent

Window

ColorBlackWhiteRedGreenBlueYellowMagentaCyanTransparencyTransparentSemi-TransparentOpaque

Font Size

50%75%100%125%150%175%200%300%400%

Text Edge Style

NoneRaisedDepressedUniformDropshadow

Font Family

Proportional Sans-SerifMonospace Sans-SerifProportional SerifMonospace SerifCasualScriptSmall Caps

Reset restore all settings to the default valuesDone

Close Modal Dialog

End of dialog window.

Close Modal Dialog

This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.

(view in My Videos)

This blog is a consolidated guidance document that provides an overview of the methods to access the management of Palo Alto Networks NGFWs securely. For detailed best practices, please review Deploy Administrative Access Best Practices.  

1. MGMT Interface Port on the NGFW
2. Dataplane of the NGFW Configured with an Interface Management Profile
3. Dataplane of the NGFW is Configured with an Interface Management Profile with Inspection of traffic
4. GlobalProtect VPN to Access Management Web Interface
5. Access to Management of Multiple Firewalls

Check if Your Device's Management Interface was Seen Exposed to the Internet

Palo Alto Networks detects public-facing customer NGFW internet management interfaces through routine, nonintrusive internet scanning. We analyze these results using proprietary indicators to attribute device attributes (such as firewall model) with a high degree of accuracy. Based on detected IP addresses, we are able to associate an internet-exposed firewall with the appropriate customer by cross-referencing the IP address to the serial number stored in our internal records.

We listed the firewalls that were discovered recently in the last few days in the Remediation Required list under the Assets section of the Customer Support Portal (Products → Assets → All Assets → Remediation Required). Devices have a last seen date to help identify the time of exposure detection. Devices no longer seen after a few days, drop off from the Remediation Required list. This list may not be complete, so make sure to verify that all of your firewalls are properly secured. 

Please refer to this KB article on How to Manage Unremediated Devices.

Details on Setting up the Management Access

Options 1 to 3 below apply for secure management access to a single firewall. For securing management access to multiple firewalls, see options 4 and 5. 

1. MGMT Interface Port on the NGFW

Follow the document here for guidelines on reducing exposure to your management interface when directly using the MGMT port of the firewall. Ensure that inbound traffic comes only from a list of permitted IP addresses, not open to anyone from the Internet. 

2. Dataplane of the NGFW Configured with an Interface Management Profile

Follow the document here and refer to the section “Dataplane of the NGFW configured with an Interface Management Profile”  when using the dataplane of an interface to allow management access. Ensure that inbound traffic comes only from a list of permitted IP addresses, not the open Internet. 

3. Dataplane of the NGFW Configured with an Interface Management Profile with Inspection of traffic

When using the dataplane of NGFW to access management, it is possible to inspect and log the management traffic by enabling inbound decryption with a security profile. Below is an outline of the steps required. Ensure that inbound traffic comes only from a list of permitted IP addresses, not the open Internet.

1. Enforce an intra-zone policy (e.g., Untrust to Untrust for the dataplane interface that hosts the Interface Management Profile) that defines specific sources and destinations in the security rule to restrict access, 
2. Configure the Permitted IP in the Interface Management profile, restricting access to only specific trusted IPs or Subnets. (IP’s should include Panorama if used (customers often miss this)
3. Enable SSL Inbound Decryption to inspect inbound traffic on this dataplane interface with the management profile.
   Note: Ensure that you must replace the default management certificate for your firewall or Panorama; for more information, see Replace the Certificate for Inbound Management Traffic.
   
4. Configure Threat Prevention features in the security policy. 
5. Apply EDL  ‘Palo Alto Networks - Known malicious IP addresses.’  Source untrusted side of firewall, destination any, application and service any, and set action block. 

4. GlobalProtect VPN to Access Management Web Interface

This method can be used to access the management of the firewall hosting the GlobalProtect gateway or other firewalls inside the network behind the GlobalProtect gateway. 

Note: When setting up a GlobalProtect Gateway or Portal, do not attach an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on the interface where you have configured a GlobalProtect portal or gateway because this enables access to your management interface from the open Internet on port 4443. 

1. For management access over GlobalProtect: You can enable MGMT HTTPS access on the tunnel interface where the GlobalProtect tunnel connection terminates. This will ensure that all communication is secure and not exposed to the open Internet.
   
2. Configure an Intra-Zone Security policy (e.g., GP-Zone to GP-Zone) to restrict access by source, destination, and user/user group to specific destinations.
   
3. Enable SSL Inbound Decryption using the mgmt certificate to inspect inbound traffic. Follow the Scan All Traffic Destined for the Management Interface.
   
   Note: Follow Decryption Best Practices to eliminate weak ciphers and algorithms based on applicable compliance regulations. Do not decrypt outbound management or service route traffic from the firewall to Panorama. Do not configure SSL Forward Proxy decryption to decrypt outbound management traffic from the firewall or Panorama. Outbound management traffic to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses, and AutoFocus can be set up through a Service Route.

5. Access to Management of Multiple Firewalls

1. To access management of multiple firewalls, in addition to using option 4 above for GlobalProtect, you can set up the dataplane of another firewall to receive all inbound management traffic (similar to options 2 and 3 above) and then send that traffic to the management interface of other firewalls.