Management Interface outside of firewall


Knowing that one does not *usually* put a device management interface outside of the firewall, on the public Internet, in the case of PAN gateways, is there any severe problem with this? I have a situation where putting the management of these devices on the private management network would require quite a bit of additional configuration, bandwidth use for updates, etc.

The only things that I have confirmed/know are listening are https/ssh/snmp, the first two of which are considered "secure". SNMP can be configured read-only easily enough.

What else would you consider a concern?

L5 Sessionator

Re: Management Interface outside of firewall

Hi Tim,

Following are the services which you can enable or disable on the management interface. You can locate this on Device tab --> Setup --> Management

[screenshot: Capture.PNG]

However if you have your management traffic passing through the firewall you can create a security policy to only allow the services that you want. Make sure you still need to get software and dynamic updates from the internet.

Following are most of the services which use the management interface for communication unless specified differently. You can access this tab from Device tab --> Setup --> Services

[screenshot: Capture.PNG]

Hope this helps.
Thanks

Numan

L3 Networker

Re: Management Interface outside of firewall

This should be ok. Only http, ocsp, https, snmp, ping, telnet, user-id, ssh are available on the management interface.

I would not allow 'ping', to avoid letting everyone know it's available.

Apart from the above services, you can also restrict it to be available from only certain IPs - 'Permitted IPs'.

L1 Bithead

Re: Management Interface outside of firewall

It's possible to put the management interface on the outside network or on the Internet. The usual considerations apply - expose only the minimum footprint - only allow the traffic that needs to see it. In this case don't set it to respond to ICMP, only use encrypted protocols (SSL, SSH, etc.), and if at all possible limit the addresses that can log in via the permitted IP list.
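A defender-side check that applies the advice in the replies above (disable cleartext services and ICMP, set Permitted IPs), as an added example that is not part of the original thread. It runs over constructed config snippets whose element names follow the PAN-OS deviceconfig/system layout as assumed here; verify them against your own exported config before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs. The element names follow the PAN-OS
# deviceconfig/system layout as assumed here; check them against your own
# exported config before relying on this. WEAK leaves telnet, http and icmp
# enabled and sets no Permitted IPs; HARDENED applies the thread's advice.
WEAK_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><service>
  <disable-telnet>no</disable-telnet><disable-http>no</disable-http>
  <disable-https>no</disable-https><disable-ssh>no</disable-ssh>
  <disable-icmp>no</disable-icmp><disable-snmp>no</disable-snmp>
</service></system></deviceconfig></entry></devices></config>"""

HARDENED_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><service>
  <disable-telnet>yes</disable-telnet><disable-http>yes</disable-http>
  <disable-https>no</disable-https><disable-ssh>no</disable-ssh>
  <disable-icmp>yes</disable-icmp><disable-snmp>no</disable-snmp>
</service>
<permitted-ip><entry name="203.0.113.0/24"/></permitted-ip>
</system></deviceconfig></entry></devices></config>"""

# Services that should not be reachable on an Internet-facing management
# port: cleartext logins/UI, and ICMP, which only announces the host.
MUST_DISABLE = {
    "telnet": "cleartext logins",
    "http": "cleartext web UI",
    "icmp": "announces the host to anyone who probes it",
}

def audit_mgmt_config(xml_text):
    """Return a list of findings; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    system = root.find("./devices/entry/deviceconfig/system")
    findings = []
    service = system.find("service")
    for name, why in MUST_DISABLE.items():
        node = None if service is None else service.find(f"disable-{name}")
        # Flag anything not explicitly set to "yes" rather than trusting
        # product defaults, so a silently re-enabled service is caught.
        if node is None or (node.text or "").strip().lower() != "yes":
            findings.append(f"{name} enabled on management interface ({why})")
    permitted = system.findall("permitted-ip/entry")
    if not permitted:
        findings.append("no Permitted IPs: management reachable from any source")
    for entry in permitted:
        if entry.get("name") in ("0.0.0.0/0", "::/0"):
            findings.append(f"Permitted IP {entry.get('name')} allows any source")
    return findings
```

Run `audit_mgmt_config` over a config exported from the device to get a list of exposures to fix before the management port faces the Internet.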
