Palo Alto Networks: How to configure Interface Management Profile

1. Goal of the article

You want to stop users from reaching the Palo Alto firewall's web admin page on a given interface, while still allowing administrative access to it over SSH.

The Interface Management Profile feature does exactly this: it controls which management services (HTTPS, SSH, ping and so on) a data-plane interface answers.

In this article techbast will show you how to configure an Interface Management Profile.

2. Diagram

Details:

  • The internet connection is on port ethernet1/1 with IP 192.168.2.115/24.
  • The LAN is on port ethernet1/2 with IP 10.145.41.1/24, and a DHCP server is enabled on it.
  • Finally, PC 1 is connected to the ethernet1/2 port and receives the address 10.145.41.3/24 from the DHCP server.

3. Scenario

We will configure an Interface Management Profile so that PC 1 can reach and manage the Palo Alto firewall over SSH on the ethernet1/2 port, while HTTPS stays disabled on ethernet1/2 so that PC 1 cannot open the web admin page through that interface.

4. What to do

  • Create Interface Management Profile
  • Assign Interface Management Profile to ethernet1/2 port
  • Result

5. Configuration

5.1. Create Interface Management Profile

By default, a data-plane interface on a Palo Alto firewall has no management profile attached, so it does not answer any management service (HTTPS, SSH, ping and so on). The dedicated MGT port is not governed by these profiles; it is configured separately under Device > Setup > Interfaces.

So to expose a service on a data-plane port we need to create an Interface Management Profile and attach it to that port.

To create it, go to Network > Interface Mgmt > click Add and fill it in as follows.

  • Name: Allow_SSH
  • Administrative Management Services: check SSH only (leave HTTPS, HTTP and Telnet unchecked)
  • Network Services: uncheck all
  • Permitted IP Addresses: in this table you can add the IP address of the management computer; once an entry exists, only the listed sources may use the services selected above. In this article the table is left blank, which means any host that can reach ethernet1/2 may attempt an SSH login. In production you should add PC 1's address (10.145.41.3) here.
  • Click OK to save.

Click Commit and OK to save the configuration changes.

5.2. Assign Interface Management Profile to ethernet1/2 port

To assign it, go to Network > Interfaces > click on the name ethernet1/2 > Advanced.

Under Management Profile, select the Allow_SSH profile you just created from the list and click OK to save.

Click Commit and OK to save the configuration changes.

5.3. Result

We will go to PC 1 and try to open the firewall's admin page in a web browser at https://10.145.41.1.

As a result, the page cannot be loaded, because the HTTPS service is not enabled in the profile attached to this port.

Next we will try to connect to the firewall over SSH and check the result.

As shown in Figure 1, PC 1 can log in to the firewall over SSH because that service is enabled on the ethernet1/2 port.
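The same procedure (steps 5.1 and 5.2) and the check in 5.3, as an added example that is not part of the original article and not code from Palo Alto Networks. The script generates the PAN-OS CLI `set` commands and the equivalent XML API calls for a profile that allows only SSH, models which source addresses the firewall will then accept (so you can see what leaving Permitted IP Addresses blank means), and probes TCP 22 and 443 on the firewall from PC 1. It goes beyond the article by also building a hardened variant of the profile that restricts SSH to PC 1. The firewall address, API key, the `push_config` and `tcp_port_open` helpers and the lab values are assumptions; the XML xpaths follow the CLI configuration tree and should be confirmed against `show config running` on your PAN-OS version.

```python
"""Added example, not from the original article or from Palo Alto Networks.
Firewall address, API key and profile contents are assumptions for the lab."""
import ipaddress
import socket
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical lab values matching the article's diagram.
FW_LAN_IP = "10.145.41.1"
PC1_IP = "10.145.41.3"


@dataclass
class MgmtProfile:
    name: str
    services: List[str]                                     # e.g. ["ssh"]; "https" is left out
    permitted_ips: List[str] = field(default_factory=list)  # empty table = any source IP

    def cli_commands(self, interface: str) -> List[str]:
        """CLI 'set' lines equivalent to steps 5.1 and 5.2 (run inside 'configure')."""
        base = f"set network profiles interface-management-profile {self.name}"
        cmds = [f"{base} {svc} yes" for svc in self.services]
        cmds += [f"{base} permitted-ip {ip}" for ip in self.permitted_ips]
        # ethernet1/2 is a layer3 interface in the article's diagram.
        cmds.append(f"set network interface ethernet {interface} layer3 "
                    f"interface-management-profile {self.name}")
        return cmds

    def xml_api_calls(self, interface: str) -> List[Tuple[str, str]]:
        """(xpath, element) pairs for type=config&action=set; xpaths mirror the CLI tree."""
        dev = "/config/devices/entry[@name='localhost.localdomain']"
        prof_xpath = f"{dev}/network/profiles/interface-management-profile/entry[@name='{self.name}']"
        element = "".join(f"<{svc}>yes</{svc}>" for svc in self.services)
        if self.permitted_ips:
            element += "<permitted-ip>" + "".join(
                f"<entry name='{ip}'/>" for ip in self.permitted_ips) + "</permitted-ip>"
        iface_xpath = f"{dev}/network/interface/ethernet/entry[@name='{interface}']/layer3"
        return [(prof_xpath, element),
                (iface_xpath, f"<interface-management-profile>{self.name}</interface-management-profile>")]

    def allows(self, service: str, src_ip: str) -> bool:
        """Model of the firewall's decision on this interface: the service must be enabled
        in the profile and, if Permitted IP Addresses is non-empty, the source must match."""
        if service not in self.services:
            return False
        if not self.permitted_ips:
            return True  # blank table (as in the article): any host on the LAN may try SSH
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(p, strict=False) for p in self.permitted_ips)


def push_config(fw_host: str, api_key: str, calls: List[Tuple[str, str]],
                commit: bool = True, verify_tls: bool = True) -> List[str]:
    """Apply the (xpath, element) pairs through the PAN-OS XML API, then commit.
    Parameters are POSTed so the API key does not end up in web-server logs."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab box with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    requests_ = [{"type": "config", "action": "set", "key": api_key,
                  "xpath": xp, "element": el} for xp, el in calls]
    if commit:
        requests_.append({"type": "commit", "key": api_key, "cmd": "<commit></commit>"})
    responses = []
    for params in requests_:
        req = urllib.request.Request(f"https://{fw_host}/api/",
                                     data=urllib.parse.urlencode(params).encode())
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            responses.append(resp.read().decode())
    return responses


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Step 5.3 check from PC 1: does the firewall accept a TCP connection on this port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # The article's profile (Permitted IP blank) and a hardened variant limited to PC 1.
    article = MgmtProfile("Allow_SSH", ["ssh"])
    hardened = MgmtProfile("Allow_SSH", ["ssh"], permitted_ips=[f"{PC1_IP}/32"])
    for cmd in hardened.cli_commands("ethernet1/2"):
        print(cmd)
    print("other LAN host may try SSH (article):", article.allows("ssh", "10.145.41.200"))
    print("other LAN host may try SSH (hardened):", hardened.allows("ssh", "10.145.41.200"))
    # push_config(FW_LAN_IP, "<api-key>", hardened.xml_api_calls("ethernet1/2"))
    for port, name in ((22, "ssh"), (443, "https")):
        print(f"{name} on {FW_LAN_IP}:", "open" if tcp_port_open(FW_LAN_IP, port) else "closed")
```

Run it from PC 1 after the commit: SSH should report open and HTTPS closed. The `allows` model shows why the hardened profile is preferable: with the article's blank Permitted IP table, the firewall answers SSH for every host on the 10.145.41.0/24 LAN, not just PC 1.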
