Best Practices for Securing Administrative Access

Learn the best practices for securing administrative access to your firewalls to prevent successful cyberattacks through an exposed management interface.
Protecting your network from cyberattacks begins with a secure firewall deployment. If the network you use to manage your sensitive IT devices—including your Palo Alto Networks next-gen firewalls and Panorama—is not secured properly, you will not be able to detect and defend against vulnerability exploits that could lead to infiltration and/or the loss of sensitive data. The ultimate goal when securing firewall access is to ensure that even if an attacker gains access to privileged credentials, you can still thwart their ability to get in and do damage. Follow these best practice guidelines to ensure that you are securing administrative access to your firewalls and other security devices in a way that prevents successful attacks.
  • Isolate the management network.
    All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. Alternatively, you can choose to use the MGT port for initial configuration, and then configure a data port for management access to the firewall. Either way, because the management interface provides access to your security configuration, you must take the following precautions to safeguard access to this interface:
    Do not enable access to your management interface from the internet or from other untrusted zones inside your enterprise security boundary. This applies whether you use the dedicated management port (MGT) or you configured a data port as your management interface.
    • Isolate the management interface on a dedicated management VLAN.
    • Limit the source IP addresses allowed in to the management network to those of your dedicated management devices, such as a jump server or a bastion host.
    • Use a jump server or bastion host (with screen recording) to provide secure access from your corporate network in to your dedicated management network, and require that users authenticate and are authorized to access your management network.
    • If you don’t have a bastion host, use Authentication Policy with multi-factor authentication (MFA ) to require administrators to successfully authenticate before you allow them to continue to the firewall web interface login page or CLI login prompt. This prevents access to the management interface using stolen credentials or through vulnerability exploits.
    • Limit access to users in your security admin, network admin, or IT user groups, as appropriate for your organization.
    • If you must enable remote access to the management network, require access through a VPN tunnel using GlobalProtect. After administrators successfully establish a VPN tunnel into your VPN zone, they must still authenticate into the management network through your bastion host.
    • Do not use an interface management profile that allows HTTP, HTTPS, Telnet, or SSH on the interface where you have configured a GlobalProtect portal or gateway because this configuration exposes access to the management interface via the internet.
    • If you are using a template to deploy a VM-Series firewall that includes a field for restricting management access to a specific IP address, make sure to supply a CIDR block that corresponds to your dedicated management IP addresses or network. If necessary, modify the corresponding security group to add additional hosts or networks after the template launch. Do not make the allowed source network range larger than necessary and do not ever configure the allowed source as 0.0.0.0/0.
  • Use service routes (DeviceSetupServicesService Route Configuration) to enable the firewall to access services outside of the management network.
    By default, the firewall uses the management (MGT) port to access services—such as DNS servers, NTP servers, and authentication servers—that are on potentially untrusted networks, including services that require internet access, such as Palo Alto Networks Services and AutoFocus. Because your management interface—whether on the MGT port or a data port—must be isolated on the management network, you must use service routes to enable access to these services. When you configure a service route, the firewall instead uses the specified source interface and address to access the services you need. Specify the source IP address/interface for your service route on an interface that does not have management access (HTTPS or SSH) enabled.
    custom-service-route.png
  • Restrict access to the management interface.
    • Restrict the IP addresses that are permitted to access the management interface.
      Even if your firewall is on a dedicated management network that is only accessible by a device on the same VLAN or through a bastion host or VPN tunnel, you can secure the firewall further by restricting the source IP addresses that can access the management interface to those of your administrators. Limiting access to the management interface reduces the attack surface by helping to prevent access from unexpected IP addresses or subnets and prevents access using stolen credentials.
    • Restrict the services that are available on the management interface.
      • Do not allow access over Telnet and HTTP because these services use plaintext and are not as secure as the other services and could compromise administrator credentials. Instead, require administrators to access the firewall interfaces over SSH or HTTPS.
      • Enable ping if you want to be able to test connectivity to the interface, but do not enable any other services on the management interface.
    • The way you configure these settings depends on whether you are using the MGT port or a data port for access to the firewall management interfaces:
      • If you are using the MGT port as your management interface, select DeviceSetupInterfaces and select the Management interface to configure the settings to restrict who can access the management interface and what services the interface allows.
        bp-management-interface-settings.png
      • If you are using a data port as your management interface, after you configure the interface , select NetworkNetwork ProfilesInterface Mgmt and Add an interface management profile to restrict who can access the management interface and what services the interface allows.
        Do not attach an interface management profile that allows Telnet, SSH, HTTP, or HTTPS to an interface where you have configured a GlobalProtect portal or gateway because this will expose the management interface to the internet.
        interface-mgmt-profile-for-mgmt.png
  • Manage administrator access.
    • The firewall is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. You must change the default admin account password (DeviceAdministratorsadmin) immediately upon initial configuration.
    • Configure a Firewall Administrator Account for each individual who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
    • Assign each administrator account to an admin role profile that limits management privileges to only those functions the individual administrator needs.
    • For any administrators with change privileges, require multi-factor authentication (MFA) using external authentication and authorization using RADIUS or SAML. See Configure Local or External Authentication for Firewall Administrators for details on how to configure external authentication with MFA.
      If available, use privileged account management (PAM) and/or privileged identity management (PIM) solutions to secure administrator credentials externally.
    • Configure a strict password policy, including requiring frequent password changes (DeviceSetupManagementMinimum Password Complexity).
    • Monitor the System logs to identify abnormal account activity on any of your administrator accounts. For example, if the logs show excessive login attempts or repeated logins at certain times of day, this may indicate that an administrative account has been compromised. Also, educate all administrators about how to Use the Administrator Login Activity Indicators to Detect Account Misuse .
  • Scan all traffic destined for the management interface for threats.
    Because security policy and decryption policy do not evaluate management plane traffic, you cannot directly scan the MGT port for threats. If you are using the MGT port as your management interface, consider routing traffic destined for the MGT port through a data port or through another firewall so that you can apply these important security checks to your management traffic.
    • Create security policy rules to allow access to the management interfaces of the firewall and Panorama (web interface or CLI). The way you define the policy depends on whether or not you are using a bastion host to enable access to the management network.
      • If you are not using a bastion host to isolate your management network, create a security policy rule to allow access from the Users zone to the IT Infrastructure zone. This security policy rule must be very granular and specify the source zone, source IP address (if available), and source user group of the user attempting to access the management interface, as well as the destination zone, IP address of the appliance (firewall or Panorama), and the App-ID to identify the specific management application (web interface or CLI) running on the application default port. For example, you would use the panos-web-interface App-ID to allow access to the web interface and the ssh App-ID to allow access to the CLI. You must also attach a Vulnerability Protection profile to the rule, as described in the next section.
        The following example rule allows access from the users zone directly to the IT Infrastructure zone, and restricts access to users in the IT-admins group who are attempting to access the management interface IP address to access the panos-web-interface application on the application-default port only:
        bp-security-policy-mgmt-access.png
      • If you are using a bastion host to enable access to your management network, you need two security policy rules: one rule to allow access from user zone to the bastion host zone and a second rule to allow access from the bastion host zone to the IT infrastructure zone. Again, both of these security policy rules should be as granular as possible and include source zone, address (if available), user and destination zone and address, and the App-ID. Keep in mind that if you are using a bastion host, the user IP address is usually the IP address of the bastion host so you cannot identify the User-ID for the administrator unless you are using the TerminalServicesagent on the bastion host to identify individual users. In this case, you must also attach a Vulnerability Protection profile to both rules, as described in the next section.
        In the example rules that follow, the first rule allows access from the Users zone to the Bastion-host zone for users in the IT-admins group who are attempting to access the specified bastion server IP address over SSH and/or RDP. The second rule allows access to users from the Bastion-host zone to the IT-infrastructure zone attempting to access the panos-web-interface application on the default port on the firewall with the specified destination address.
        bastion-host-rule.png
    • Attach a Vulnerability Protection profile to the security policy rules that allow access in to your management network to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. To create a profile for the purpose of protecting your management interface, clone the strict profile and then change the action for the following vulnerability signatures from the default action to Reset Both: 30998, 40483, and 40484. To change the default action of a signature, on the Exceptions tab, select Show all signatures and then enter the signature for which you want to modify the action in the search box. You can then specify the Action as Reset Both. Repeat this for each signature.
      clone-strict-vuln-profile.png
      Make sure the Vulnerability Protection profile attached to the security policy rules that allow access to your management network are configured with the action to Reset Both for the following signatures: 30998, 40493, and 40484.
    • Configure SSL Inbound Inspection or Configure SSL Forward Proxy for traffic to or from the management interface to ensure that you can scan the traffic for threats. Attach a best practice decryption profile to the decryption policy rule to ensure that you are blocking vulnerable SSL/TLS versions such as TLS 1.0 and SSLv3, and to rejecting sessions using weak encryption algorithms such as RC4 and 3DES, and weak authentication algorithms such as MD5 and SHA1
  • Replace the Certificate for Inbound Management Traffic .
    By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization. Use certificates signed by your enterprise CA so that users won’t learn to ignore certificate warnings. In addition, in the SSL/TLS profile, set the Min version to TLSv1.2.
  • Keep the firewall up-to-date with content and software updates to ensure that you are always protected by the latest security patches and threat updates.

Related Documentation