Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.
Configure and Assign an Interface Management Profile
Configure the Interface Management profile. Select Network > Network Profiles > Interface Mgmt and click Add. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP. Select the services that the interface permits for management traffic: Response Pages —Use to enable response pages for: Captive Portal —To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal. URL Admin Override —For details, see Configure URL Admin Override. User-ID —Use to Configure Firewalls to Redistribute User Mapping Information. User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP —Use to Configure User-ID to Receive User Mappings from a Syslog Sender over SSL or UDP. ( Optional ) Add the Permitted IP Addresses that can access the interface. If you don’t add entries to the list, the interface has no IP address restrictions. Click OK.
Assign the Interface Management profile to an interface. Select Network > Interfaces, select the type of interface ( Ethernet, VLAN, Loopback, or Tunnel), and select the interface. Select Advanced > Other info and select the Interface Management Profile you just added. Click OK and Commit.

Related Documentation