I just finished up the PCNSA Study Guide and now I’m going back to review and lab as much as possible.
Gaining access to a Palo Alto Networks firewall is an obvious task in order to manage the firewall. There are different ways to manage the firewall and I’ll review some of them below.
Management Methods
There are four ways to manage a Palo Alto Networks firewall:
- Web interface
- CLI
- Panorama
- XML API
You’re most likely to use the out-of-band management port on the firewall which is on the control plane.
There’s also a serial/console port available. I normally connect something like an OpenGear console server.
Management tasks such as license retrieval and updates of threat and application signatures are are done through the management port.
Let’s talk a little bit more about the management methods
- To use the web interface, you’re browsing to management IP address over HTTP or HTTPS. Preferably, the latter
- Using CLI, you’re opening a terminal application on your computer and using SSH to gain access over the management port. Or you could be using the terminal application to gain access over the console port. Once authenticated, you’ll configure the firewall using commands
- Panorama is a centralized method to managing multiple firewalls
- XML API uses the REST-based interface for firewall configuration and more. Just take a look at the API browser by navigating to the URL of your firewall slash api.
- With the API, you can automate several tasks such as creating, updating, and modifying configurations, execute operational commands, and more.
Interface Management Profiles
It is possible to use a data interface to manage the firewall. It’s a good backup to the management interface in case it is down or not accessible.
A data interface can have different services binded to them such as
- HTTPS
- SSH
- Ping
- Telnet
- HTTP
- SNMP
It’s the interface management profile that protects your firewall from unauthorized access. You can control what service can be used on an interface and permit specific IP addresses for that service.
By default, the firewall will deny management access for all IP addresses, protocols and services so you must define what is accessible through the Interface Management Profile.
You can assign a Interface Management Profile to Layer 3 Ethernet interfaces, subinterfaces, and logical interfaces.
For example, my firewall has an IP address on it’s public facing interface. Currently, there’s no Interface Management Profile configured. That means I cannot ping that IP at the moment but I want to allow ping.
I will create a new Interface Mgmt profile and name it Untrust Mgmt Profile. I will only allow Ping under Network Services and I will permit any IP address to ping the firewall.
Next, click OK and go to the public facing interface which is ethernet1/1 on my PA-820.
Click on the Advanced tab.
On the dropdown for Management Profile, select Untrust Mgmt Profile.
Click OK and commit.
Now I can ping the firewall’s IP on ethernet1/1.
Leave a Reply