Yes, I can limit source IP addresses at either the Interface Management level or within the Security Policy. But any administrator will then be able to access from the allowed IP addresses. I want to restrict some IP addresses to only certain administrators. For example, the administrator "johndoe" can only access HTTPS or SSH management via the management interface and/or from 10.100.0.0/16. Another user, "joefailsafe," can get in over an Internet-facing interface from <some-public-internet>/29 addresses. Whether joefailsafe also has access via the management interface and internal IPs, I don't care. What I do not want is for johndoe to be able to get in from the Internet at <some-public-internet>/29. Using the features mentioned in the two previous responses, there is no difference in accessibility for johndoe and joefailsafe. (Again, I'm not sure that there is a way to do this in PANOS. I thought I had seen the feature somewhere, but now I'm pretty sure I must have imagined it or be confusing our firewalls with some other device/OS.)