Why It's Essential to Secure Your Management Interface

This article was written by Saad Khan.

Introduction

No network security system is secure unless administrative access to the network devices themselves is locked down. This is especially true for firewalls and security management devices such as Panorama, because they are the gatekeepers and protectors of your network. An attacker who gains administrative access to one of these devices can reconfigure it to permit malicious remote access to your network, facilitate the distribution of malware to endpoints, and even lock you out of your own network.

 

Even with modern authentication methods in place, leaving the management interface exposed to the Internet exposes the firewall to web-based attacks, including newly discovered zero-day vulnerabilities, brute-force attacks against administrator logins, and operationally impacting DDoS attacks. It is crucial to follow best practices and secure the firewall management interface in order to reduce the attack surface and protect your NGFW and Panorama.

Secure Administrative Access Best Practices for Palo Alto Networks NGFWs

 

Watch this demo on securing your firewall management interface. It walks through best practices for securing the management interface, creating a secure admin account with restricted role-based access that follows the best practices for account creation, and replacing the default master key so that password hashes are encrypted with a unique master key rather than the factory default.

 

Watch Now: Best Practices for Securing NGFW-MGMT interface

 

This blog is a consolidated guidance document that gives an overview of the methods for securely accessing the management of Palo Alto Networks NGFWs. For detailed best practices, review Deploy Administrative Access Best Practices.

 

  1. MGMT Interface Port on the NGFW
  2. Dataplane of the NGFW Configured with an Interface Management Profile
  3. Dataplane of the NGFW Configured with an Interface Management Profile with Inspection of Traffic
  4. GlobalProtect VPN to Access Management Web Interface
  5. Access to Management of Multiple Firewalls

 

Details on Setting Up Management Access

Options 1 to 3 below apply to secure management access to a single firewall. For securing management access to multiple firewalls, see options 4 and 5.

 

1. MGMT Interface Port on the NGFW

Follow the document here for guidelines on reducing the exposure of your management interface when using the dedicated MGMT port of the firewall directly. Restrict inbound traffic to an explicit list of permitted IP addresses (the Permitted IP Addresses list under the management interface settings); the port must never be reachable by anyone on the Internet. Disable the cleartext services (HTTP and Telnet) on the port and leave only HTTPS and SSH enabled.

 

Fig 01 (image not reproduced)

 

2. Dataplane of the NGFW Configured with an Interface Management Profile

Follow the document here and refer to the section “Dataplane of the NGFW configured with an Interface Management Profile” when using a dataplane interface to allow management access. The Interface Management Profile controls which services (HTTPS, SSH, ping, and so on) the interface answers and, through its Permitted IP Addresses list, from which sources. Restrict inbound traffic to an explicit list of permitted IP addresses, never the open Internet.

 

Fig 02 (image not reproduced)

 

3. Dataplane of the NGFW Configured with an Interface Management Profile with Inspection of Traffic

When using a dataplane interface of the NGFW to reach management, the management traffic itself can be inspected and logged by enabling inbound decryption (SSL Inbound Inspection) together with security profiles. The required steps are outlined below. As before, restrict inbound traffic to an explicit list of permitted IP addresses, never the open Internet.

 

  1. Create an intra-zone security policy rule (for example Untrust to Untrust, for the zone that contains the dataplane interface hosting the Interface Management Profile) that names the specific sources and destinations, so that only the intended admin sources can reach the interface.
  2. Configure the Permitted IP Addresses in the Interface Management Profile, restricting access to specific trusted IPs or subnets. The list must include Panorama if it is used (customers often miss this).
  3. Enable SSL Inbound Inspection for this dataplane interface so that traffic to the management profile is decrypted and inspected.
    Note: Replace the default management certificate of your firewall or Panorama first; for more information, see Replace the Certificate for Inbound Management Traffic.
  4. Attach Threat Prevention security profiles to the security policy rule created in step 1.
  5. Add a block rule that uses the EDL ‘Palo Alto Networks - Known malicious IP addresses’: source on the untrusted side of the firewall, destination any, application any, service any, action block. Place this rule above the rule that allows management access, because the firewall applies the first matching rule.

 

4. GlobalProtect VPN to Access Management Web Interface

This method can be used to reach the management of the firewall that hosts the GlobalProtect gateway, or of other firewalls inside the network behind that gateway.

 

Note: When setting up a GlobalProtect portal or gateway, do not attach an Interface Management Profile that allows HTTP, HTTPS, Telnet, or SSH to the interface on which the portal or gateway is configured. The portal and gateway occupy port 443 on that interface, so the firewall serves the management web interface on port 4443 instead, which would expose it to the open Internet.

 

  1. For management access over GlobalProtect, enable HTTPS (and SSH, if needed) in an Interface Management Profile on the tunnel interface where the GlobalProtect tunnel terminates. Management is then reachable only from inside the tunnel and is not exposed to the open Internet.
  2. Configure an intra-zone security policy rule (for example GP-Zone to GP-Zone) that restricts access by source, destination, and user or user group to the specific management destinations.
  3. Enable SSL Inbound Inspection with the management certificate to inspect the inbound management traffic. Follow Scan All Traffic Destined for the Management Interface.

    Note: Follow the Decryption Best Practices to eliminate weak ciphers and algorithms as required by applicable compliance regulations. Do not decrypt outbound management or service-route traffic from the firewall to Panorama, and do not configure SSL Forward Proxy decryption for outbound management traffic from the firewall or Panorama. Outbound management traffic to external services, such as DNS servers, external authentication servers, and Palo Alto Networks services (software updates, URL updates, licensing, and AutoFocus), can be directed through a Service Route.
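The checks behind options 1 to 4 (explicit Permitted IP lists on the MGMT port and on dataplane Interface Management Profiles, the Panorama address included, cleartext services disabled, and no management-enabled profile on a GlobalProtect portal or gateway interface) can be run offline against an XML export of the firewall configuration. The script below is an added example written for this article, not code from Palo Alto Networks; the XML element paths it reads, the Panorama address and the two embedded configurations are assumptions and constructed sample data, so verify the paths against an export from your own PAN-OS version.

```python
# Added example (not from the article or Palo Alto Networks): offline audit of an
# exported PAN-OS configuration for the exposures covered by options 1 to 4.
# The XML paths (deviceconfig/system/permitted-ip and service, network/profiles/
# interface-management-profile, layer3/interface-management-profile, GlobalProtect
# local-address/interface) are assumed to match the PAN-OS config tree; verify them.
import ipaddress
import xml.etree.ElementTree as ET

PANORAMA_IP = "198.51.100.5"              # assumed Panorama address (documentation range)
MGMT_SERVICES = ("http", "https", "ssh", "telnet")

# Constructed "before" config: a /0 on the MGMT port, HTTP still enabled, an
# unrestricted HTTPS/SSH profile on ethernet1/1, which also hosts the GP portal.
WEAK_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <deviceconfig><system>
  <service><disable-http>no</disable-http><disable-telnet>yes</disable-telnet></service>
  <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>
 </system></deviceconfig>
 <network>
  <profiles><interface-management-profile>
   <entry name="Mgmt-Open"><https>yes</https><ssh>yes</ssh></entry>
   <entry name="Mgmt-Restricted"><https>yes</https><ssh>yes</ssh>
    <permitted-ip><entry name="203.0.113.10/32"/><entry name="198.51.100.5/32"/></permitted-ip>
   </entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><interface-management-profile>Mgmt-Open</interface-management-profile></layer3></entry>
   <entry name="ethernet1/2"><layer3><interface-management-profile>Mgmt-Restricted</interface-management-profile></layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1"><global-protect><global-protect-portal>
  <entry name="GP-Portal"><portal-config><local-address><interface>ethernet1/1</interface></local-address></portal-config></entry>
 </global-protect-portal></global-protect></entry></vsys>
</entry></devices></config>"""

# Constructed "after" config: explicit admin subnet plus Panorama on the MGMT port,
# HTTP disabled, and the open profile detached from the GlobalProtect interface.
HARDENED_CONFIG = (
    WEAK_CONFIG
    .replace("<disable-http>no</disable-http>", "<disable-http>yes</disable-http>")
    .replace('<permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>',
             '<permitted-ip><entry name="203.0.113.0/24"/><entry name="198.51.100.5/32"/></permitted-ip>')
    .replace("<interface-management-profile>Mgmt-Open</interface-management-profile>", "")
)

def _unrestricted(cidrs):
    """True when the list is empty or holds a /0: both mean 'any source'."""
    return not cidrs or any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def _covers(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def audit_config(xml_text, panorama_ip=PANORAMA_IP):
    """Return a list of findings; an empty list means no exposure was detected."""
    dev = ET.fromstring(xml_text).find("./devices/entry")
    findings = []

    # Option 1: the dedicated MGMT port. With no permitted-ip list, any source may connect.
    system = dev.find("./deviceconfig/system")
    service = system.find("./service")
    for svc in ("http", "telnet"):
        if service is None or service.findtext(f"disable-{svc}") != "yes":
            findings.append(f"MGMT: cleartext {svc} is enabled on the management port")
    mgmt_ips = [e.get("name") for e in system.findall("./permitted-ip/entry")]
    if _unrestricted(mgmt_ips):
        findings.append("MGMT: permitted-ip is empty or contains a /0; any source may connect")
    elif not _covers(mgmt_ips, panorama_ip):
        findings.append(f"MGMT: permitted-ip does not include Panorama ({panorama_ip})")

    # Options 2 and 3: Interface Management Profiles bound to dataplane interfaces.
    profiles = {}
    for p in dev.findall("./network/profiles/interface-management-profile/entry"):
        enabled = [s for s in MGMT_SERVICES if p.findtext(s) == "yes"]
        allowed = [e.get("name") for e in p.findall("./permitted-ip/entry")]
        profiles[p.get("name")] = (enabled, allowed)
    bound = {}
    for iface in dev.findall("./network/interface/ethernet/entry"):
        name = iface.findtext("./layer3/interface-management-profile")
        if name:
            bound[iface.get("name")] = name
    for iface, name in bound.items():
        enabled, allowed = profiles.get(name, ([], []))
        if not enabled:
            continue                      # ping/SNMP-only profile: no management exposure
        if _unrestricted(allowed):
            findings.append(f"{iface}: profile {name} exposes {'/'.join(enabled)} to any source")
        elif not _covers(allowed, panorama_ip):
            findings.append(f"{iface}: profile {name} does not admit Panorama ({panorama_ip})")
        if "http" in enabled or "telnet" in enabled:
            findings.append(f"{iface}: profile {name} enables a cleartext management service")

    # Option 4 note: a portal/gateway interface must not carry a management-enabled
    # profile, or the web interface becomes reachable on port 4443 from the Internet.
    for kind in ("global-protect-portal", "global-protect-gateway"):
        for gp in dev.findall(f"./vsys/entry/global-protect/{kind}/entry"):
            iface = gp.findtext(".//local-address/interface")
            if iface in bound and profiles.get(bound[iface], ([], []))[0]:
                findings.append(f"{iface}: hosts {kind} {gp.get('name')} and a management-enabled profile")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

Run against the constructed weak configuration the audit reports four findings (HTTP enabled on the MGMT port, a /0 Permitted IP entry, the unrestricted HTTPS/SSH profile on ethernet1/1, and that same interface hosting the GlobalProtect portal); the hardened variant produces none. Point `audit_config` at the XML of a real running configuration to repeat the checks on a production firewall, and treat an empty permitted-ip list exactly as the script does: on PAN-OS it means no restriction, not a closed port.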

 

5. Access to Management of Multiple Firewalls

To access the management of multiple firewalls, in addition to option 4 (GlobalProtect), you can set up the dataplane of another firewall to receive all inbound management traffic (as in options 2 and 3 above) and forward that traffic to the management interfaces of the other firewalls. The forwarding firewall then applies the source restrictions, decryption, and threat inspection on behalf of the firewalls behind it, whose management interfaces should in turn permit only the forwarding firewall as a source.

 

Fig 03 (image not reproduced)

Last Updated: 01-09-2025 11:29 AM