Firewall Management Interfaces – PCNSA

January 2, 2022 By Rowell Leave a Comment

I just finished up the PCNSA Study Guide and now I’m going back to review and lab as much as possible.

Gaining access to a Palo Alto Networks firewall is an obvious prerequisite to managing it. There are different ways to manage the firewall and I’ll review some of them below.

Management Methods

There are four ways to manage a Palo Alto Networks firewall:

  • Web interface
  • CLI
  • Panorama
  • XML API

You’re most likely to use the out-of-band management port on the firewall which is on the control plane.

There’s also a serial/console port available. I normally connect something like an OpenGear console server.

Management tasks such as license retrieval and updates of threat and application signatures are done through the management port.

Let’s talk a little bit more about the management methods.

  • To use the web interface, you browse to the management IP address over HTTP or HTTPS, preferably the latter.
  • Using the CLI, you open a terminal application on your computer and use SSH to gain access over the management port, or you use the terminal application to gain access over the console port. Once authenticated, you configure the firewall using commands.
  • Panorama is a centralized method of managing multiple firewalls.
  • The XML API uses a REST-based interface for firewall configuration and more. Just take a look at the API browser by navigating to the URL of your firewall followed by /api.
  • With the API, you can automate several tasks such as creating, updating, and modifying configurations, executing operational commands, and more.

Interface Management Profiles

It is possible to use a data interface to manage the firewall. It’s a good backup to the management interface in case it is down or not accessible.

A data interface can have different services bound to it, such as:

  • HTTPS
  • SSH
  • Ping
  • Telnet
  • HTTP
  • SNMP

It’s the interface management profile that protects your firewall from unauthorized access. You can control what service can be used on an interface and permit specific IP addresses for that service.

By default, the firewall will deny management access for all IP addresses, protocols and services so you must define what is accessible through the Interface Management Profile.

You can assign an Interface Management Profile to Layer 3 Ethernet interfaces, subinterfaces, and logical interfaces.

For example, my firewall has an IP address on its public-facing interface. Currently, there’s no Interface Management Profile configured. That means I cannot ping that IP at the moment, but I want to allow ping.

I will create a new Interface Mgmt profile and name it Untrust Mgmt Profile. I will only allow Ping under Network Services and I will permit any IP address to ping the firewall.

Interface Management Profile configuration

Next, click OK and go to the public facing interface which is ethernet1/1 on my PA-820.

Interfaces

Click on the Advanced tab.

On the dropdown for Management Profile, select Untrust Mgmt Profile.

Adding the Interface Management Profile

Click OK and commit.

Now I can ping the firewall’s IP on ethernet1/1.
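Since the XML API can pull the running configuration, one way to keep an eye on the profiles described above is to audit them offline. The script below is an added example, not code from the post or from Palo Alto Networks: it parses a constructed snippet shaped like the network/ subtree that PAN-OS returns for a config request (the element names, including the empty permitted-ip meaning "any source", are assumptions based on that format), maps each profile to the interfaces that carry it, and flags plaintext services or admin services reachable from any IP.

```python
"""Audit PAN-OS Interface Management Profiles from a config XML snippet."""
import xml.etree.ElementTree as ET

SERVICES = ("https", "ssh", "ping", "telnet", "http", "snmp")
PLAINTEXT = {"telnet", "http"}            # carry credentials in the clear
ADMIN = {"https", "ssh", "telnet", "http"}  # give an admin session to the box

# Constructed sample (assumption: mirrors the shape of the network/ subtree
# returned by type=config&action=show; a real export carries more nodes).
SAMPLE_XML = """<network>
  <profiles><interface-management-profile>
    <entry name="Untrust Mgmt Profile"><ping>yes</ping></entry>
    <entry name="Inside Admin">
      <https>yes</https><ssh>yes</ssh><telnet>yes</telnet>
      <permitted-ip><entry name="10.10.0.0/24"/></permitted-ip>
    </entry>
    <entry name="Wide Open"><https>yes</https><ssh>yes</ssh></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3>
      <interface-management-profile>Untrust Mgmt Profile</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/2"><layer3>
      <interface-management-profile>Inside Admin</interface-management-profile>
    </layer3></entry>
    <entry name="ethernet1/3"><layer3>
      <interface-management-profile>Wide Open</interface-management-profile>
    </layer3></entry>
  </ethernet></interface>
</network>"""


def audit_profiles(xml_text):
    """Return {profile: {services, permitted_ip, interfaces, findings}}."""
    root = ET.fromstring(xml_text)
    report = {}
    for prof in root.findall("./profiles/interface-management-profile/entry"):
        services = [s for s in SERVICES if prof.findtext(s) == "yes"]
        permitted = [e.get("name") for e in prof.findall("./permitted-ip/entry")]
        findings = [f"plaintext service {s} enabled" for s in services if s in PLAINTEXT]
        # No permitted-ip list means the service answers to any source address.
        if ADMIN.intersection(services) and not permitted:
            findings.append("admin service reachable from any source IP (no permitted-ip)")
        report[prof.get("name")] = {"services": services, "permitted_ip": permitted,
                                    "interfaces": [], "findings": findings}
    # Map each Layer 3 Ethernet interface to the profile bound under its Advanced tab.
    for iface in root.findall("./interface/ethernet/entry"):
        bound = iface.findtext("./layer3/interface-management-profile")
        if bound in report:
            report[bound]["interfaces"].append(iface.get("name"))
    return report
```

Feed it the result element of a live config query instead of SAMPLE_XML to audit a real firewall; the untrust profile from the walkthrough, ping only, produces no finding.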

Filed Under: Certifications Tagged With: palo alto networks, pcnsa