03-26-2015 03:16 PM
Is there a way to restrict access for specific administrators by interface or IP address? I really thought I'd seen this somewhere, but now I cannot find it in GUI or docs.
Quick explanation of what we want to do. We want to have a sort of backdoor, emergency access to the firewalls directly from the Internet. That is, should some catastrophic network event (big misconfiguration or failure of the firewalls themselves, the core network, or remote access devices) break our usual ability to log in via remote access VPN and come into the firewalls' management interfaces, we want to be able to connect directly into the firewalls from the Internet. These firewalls are in a data center, so it's at least a half-hour car ride even during business hours, plus we want our off-site managed services provider to also have this ability.
Usually, we use AD-backed authentication for administrators on the internal network. However, in the event of a failure, the AD servers may not be reachable, plus from a security point of view, using simple username-password authentication does not seem secure enough to face the Internet, even with source IP address restrictions. We would want to have a more secure local authentication method. Luckily, using public-key-based authentication (SSH keys and HTTPS client certs) are both options for local administrator authentication.
So, those local accounts would seem to work out fine, but how do we block regular AD-based authentication from the Internet and allow it for the special local accounts?
03-26-2015 04:03 PM
Hi,
I guess you are looking to configure permitted IP address, that would restrict only those users to access the public interface of the firewall.
You can refer the below document:
Allowing Specific IP Addresses to Access the Palo Alto Network Device
You would have to add the permitted IP addresses in the management profile (Network ->interface management).
Then call this profile in the interface (Network ->interface->advanced) settings.
By doing so, you would be allowing access just to those users associated with the IP addresses.
Regards,
Ramya
03-26-2015 06:02 PM
Hi Cosx,
You can enable HTTPS and SSH on the public facing interface i.e. the untrust interface and specify the permitted ip-address as mentioned in below link.
Allowing Specific IP Addresses to Access the Palo Alto Network Device
To have another layer of security you can also create a security policy from untrust zone to untrust zone and specify which ip-addresses are allowed as source and also mention the HTTPS and SSH application. This helps if you have the intra-zone policy as block i.e. untrust to untrust zone as block.
Thanks,
Nitesh
03-27-2015 09:18 AM
Yes, I can limit source IP addresses at either the Interface Mangement level or within the Security Policy. But any administrator will then be able to access from the allowed IP addresses.
I want to restrict some IP addresses to only certain administrators. For example, the administrator "johndoe" can only access HTTPS or SSH management via the management interface and/or from 10.100.0.0/16. Another user, "joefailsafe," can get in over an Internet-facing interface from <some-public-internet>/29 addresses. Whether joefailsafe also has access via the management interface and internal IPs, I don't care. What I do not want is for johndoe to be able to get in from the Internet at <some-public-internet>/29.
Using the features mentioned in the two previous responses, there is no difference in accessibility for johndoe and joefailsafe. (Again, I'm not sure that there is a way to do this in PANOS. I thought I had seen the feature somewhere, but now I'm pretty sure I must have imagined it or be confusing our firewalls with some other device/OS.)
03-27-2015 10:09 AM
1. You can do this for a admin user from AD, as you can mention the source user as well as the source ip-address in the same security policy which I mentioned in my previous update.
Here are the requirements for it
- user identification needs to be enabled on untrust interface
- AD needs to have the mapping of public ip-address and the user so that firewall can poll that information and map it to the security policy
There can be some drawbacks too:
- Firewall will try to talk to AD to resolve a name for any public ip-address coming on untrust interface.
This is will be a very high process intensive and can also have lot of system logs of failed attempts
2. Firewall might not map a local admin user and its ip-address for access to the firewall itself.
This can be a feature request which can be discussed with your account/sales team.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
