10.1
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021-2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
May 12, 2022
Administrative Access Best Practices 10.1 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Administrative Access Best Practices........................................................... 5
Plan Administrative Access Best Practices............................................................................6
Deploy Administrative Access Best Practices...................................................................... 8
Select the Management Interface................................................................................8
Manage Administrator Access....................................................................................12
Isolate the Management Network.............................................................................16
Restrict Access to the Management Interface....................................................... 18
Replace the Certificate for Inbound Traffic Management................................... 21
Keep Content and Software Updates Current....................................................... 21
Scan All Traffic Destined for the Management Interface.................................... 21
Maintain Administrative Access Best Practices.................................................................24
Administrative Access Best
Practices
No network security system is secure if you don’t lock down administrative access to network
devices. This is especially true for firewalls and security management devices such as Panorama
because they are the gatekeepers and protectors of your network. Attackers who gain
administrative access to these devices can reconfigure them in order to permit malicious access to
your network remotely, facilitate the distribution of malware to endpoints, and even lock you out
of your own network.
To safeguard your network from such attacks, follow the best practices in this document—scan
administrative traffic for threats, and secure administrator and programmatic access to device
management, the management network, and the management interface.
This document contains a streamlined checklist of planning, deployment, and maintenance best
practices so that you can secure administrative access to your PAN-OS firewall and Panorama
devices. Each section includes links to detailed information in the PAN-OS Admin Guide that
shows how to configure different aspects of administrative access in case you’re not familiar with
some of the procedures.
This best practice guide is written from the point of view of a new deployment to show how to
create a secure management network and configure secure access to firewall and Panorama
management interfaces. However, many enterprises have an existing management security strategy
and implementation. For existing deployments, these are the recommended best practices to migrate to
and to keep in mind if you overhaul your management network security. If you haven’t adopted these
best practices in an existing framework, adopt them if possible to tighten security around administrative
access.
• Plan Administrative Access Best Practices
• Deploy Administrative Access Best Practices
• Maintain Administrative Access Best Practices
Plan Administrative Access Best Practices
Audit, list, and understand all programmatic access requirements that leverage the firewall and
Panorama APIs. For example:
• Network-as-code and policy-as-code tools that modify the configuration, such as Ansible or
Terraform.
• Rulebase analysis and audit tools.
• PAM/PIM tools.
• DNS, DHCP, and IPAM (DDI) tools.
• IT operations and service management tools.
• In-house scripts and tools.
• Any other programmatic access to the management interface.
For each required programmatic access, list:
• Admin accounts used.
• Method of access (HTTPS, SSH, or API).
• Source IP address or network of the access.
Filter the System logs for administrative login events to help with auditing existing
programmatic access.
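The inventory the checklist asks for (account, access method, source address) can be built from the System log's successful-login events. The following is an added example, not code from this guide or from Palo Alto Networks. The log lines are constructed (timestamp, event ID, description) and the "User X logged in via Y from Z using W" phrasing is an assumption about the description text; confirm the exact wording on your own device before trusting the regular expression. The 10.200.0.0/24 management network is likewise a constructed value.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample System-log lines (not real device output):
# <receive time>,<event id>,<description>
SAMPLE_SYSTEM_LOG = """\
2022/05/10 08:01:12,auth-success,User admin logged in via Web from 10.200.0.5 using https
2022/05/10 08:03:40,auth-success,User svc-terraform logged in via API from 10.200.0.20 using https
2022/05/10 08:05:02,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 203.0.113.7.
2022/05/10 09:15:31,auth-success,User svc-ansible logged in via API from 10.200.0.21 using https
2022/05/10 09:20:00,auth-success,User netops-alice logged in via CLI from 10.200.0.6 using ssh
2022/05/10 11:42:18,auth-success,User svc-terraform logged in via API from 10.200.0.20 using https
2022/05/10 13:00:05,auth-success,User svc-ipam logged in via API from 198.51.100.9 using https
"""

# Constructed: the networks from which management logins are expected.
MGMT_NETWORKS = [ipaddress.ip_network("10.200.0.0/24")]

# Assumed description format for auth-success events.
LOGIN_RE = re.compile(
    r"User (?P<user>\S+) logged in via (?P<method>\w+) from (?P<src>[\d.]+) using (?P<proto>\w+)"
)


def parse_logins(log_text):
    """Yield (user, method, source_ip, protocol) for each successful login line."""
    for line in log_text.splitlines():
        _ts, event, desc = line.split(",", 2)
        if event != "auth-success":
            continue  # failed attempts are audited separately (see Detect Account Misuse)
        m = LOGIN_RE.search(desc)
        if m:
            yield m["user"], m["method"], m["src"], m["proto"]


def build_inventory(log_text):
    """Summarise who logged in, by which method/protocol, from which addresses."""
    inv = defaultdict(lambda: {"methods": set(), "sources": set(), "logins": 0})
    for user, method, src, proto in parse_logins(log_text):
        rec = inv[user]
        rec["methods"].add(f"{method}/{proto}")
        rec["sources"].add(src)
        rec["logins"] += 1
    # Sorted, list-valued copy so the result is deterministic and easy to export.
    return {
        user: {"methods": sorted(r["methods"]), "sources": sorted(r["sources"]), "logins": r["logins"]}
        for user, r in sorted(inv.items())
    }


def logins_outside(inv, networks=MGMT_NETWORKS):
    """(user, source) pairs that logged in from outside the permitted management networks."""
    hits = []
    for user, rec in inv.items():
        for src in rec["sources"]:
            if not any(ipaddress.ip_address(src) in net for net in networks):
                hits.append((user, src))
    return hits


def programmatic_accounts(inv):
    """Accounts whose only access method is the API: candidates for API keys with a key lifetime."""
    return [user for user, rec in inv.items() if all(m.startswith("API/") for m in rec["methods"])]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SYSTEM_LOG)
    for user, rec in inventory.items():
        print(f"{user:15} {rec['logins']:3} logins  {', '.join(rec['methods']):20} {', '.join(rec['sources'])}")
    print("outside management network:", logins_outside(inventory))
    print("API-only accounts:", programmatic_accounts(inventory))
```

Feed the output into the access list this section asks for: every API-only account becomes a candidate for a dedicated service account with a role profile and a key lifetime, and every source outside the management network is either a gap in the bastion/isolation design or an access path to remove.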
Ensure that your architecture enables you to inspect and log all inbound management traffic
and to regularly monitor the traffic for suspicious activity.
To ensure that you can connect to and manage critical devices, including firewalls and
Panorama, during power outages and other events that prevent the use of normal
communication channels, design and implement an access strategy for business continuity.
Deploy Administrative Access Best Practices
Select the Management Interface
If you are deploying a firewall for the first time, you must perform the initial configuration
using the MGT port.
You cannot apply Security policy rules directly to traffic that ingresses the dedicated MGT port.
However, you can route incoming traffic for the MGT port through a DP port to decrypt and
inspect the traffic. You can use a variety of methods to route incoming MGT port traffic for
inspection, such as:
• Looping back through a local DP port on the same device (MP to DP connection).
• Connecting to a DP port on another firewall.
• Leveraging upstream routing/switching infrastructure to provide the appropriate isolation and
the appropriate inspection by firewalls.
When you use a DP port to inspect traffic destined for the MGT port, do not enable management
protocols on the DP port. Enable management protocols only on the MGT port. Understand the
external services and service routes for which you will need to set up access.
If you can’t route traffic destined for the MGT port through a DP port interface on another
firewall for inspection, configure a dedicated DP port to be the management interface so that
you can use Security policy to inspect the inbound management traffic. If you use the DP port as
the management interface, isolate it as described in this section. Using a DP port as the isolated
management interface trades consuming a production port for safeguarding management traffic.
If you choose to route inbound management traffic to the MGT port without prior
inspection, understand the risks of not inspecting the traffic, which include unauthorized
access to device management, potential malicious activity, and unblocked threats. The
best practice is always to inspect inbound management traffic because it controls and
configures your device.
Management networks that include more than one firewall (and Panorama)—Use the MGT
port as the management interface.
Route incoming management traffic through an isolated DP interface on a different firewall
first and use Security policy to inspect the traffic before forwarding it to the MGT port. This
method enables you to inspect and control traffic without consuming a dedicated DP port.
To use a DP port on a different firewall to inspect MGT port traffic before forwarding that
traffic to the managed firewall:
Configure a dedicated subinterface and a dedicated VLAN to isolate the traffic on the
inspecting firewall’s DP port. Allow only management traffic on that subinterface and in that
VLAN. Using a dedicated management subinterface with a dedicated management VLAN
enables you to use the rest of the port’s bandwidth for production traffic while still isolating
the management network traffic.
Configure Security policy rules (see Scan All Traffic Destined for the Management Interface)
that restrict access to the management interface based not only on IP addresses, but also
on users (User-ID), applications (App-ID), and zones, and attach a best practice Vulnerability
Protection profile.
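The rule criteria just listed (zones, source addresses, User-ID, App-ID, and an attached Vulnerability Protection profile) are easy to check mechanically before a commit; the same criteria apply to the inbound rules described in Scan All Traffic Destined for the Management Interface. The following lint is an added example, not code from this guide or from Palo Alto Networks. The rules, zone names and address objects are constructed, and the set of App-IDs considered acceptable for management traffic is an assumption to adapt to the services you actually allow.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MGMT_ZONE = "mgmt"  # constructed zone name for the management network
# Assumed: App-IDs a management rule may reasonably carry. Tighten to your needs.
MGMT_APPS = {"ssh", "ssl", "panos-web-interface", "ping", "snmp"}


@dataclass
class Rule:
    """Minimal model of a Security policy rule; 'any' is the wildcard in each set."""
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    sources: Set[str]   # address objects or networks
    users: Set[str]     # User-ID users or groups
    apps: Set[str]      # App-IDs
    action: str = "allow"
    vuln_profile: Optional[str] = None  # Vulnerability Protection profile name


# Constructed rulebase: one good rule, one over-permissive rule, one partly tightened
# rule, and an explicit final deny for the management zone.
SAMPLE_RULES = [
    Rule("bastion-to-mgmt", {"vpn-dmz"}, {MGMT_ZONE}, {"bastion-host"}, {"grp-netops"},
         {"ssh", "ssl", "panos-web-interface"}, vuln_profile="strict-inbound"),
    Rule("ipam-to-mgmt", {"servers"}, {MGMT_ZONE}, {"any"}, {"any"}, {"any"}),
    Rule("mgmt-internal", {MGMT_ZONE}, {MGMT_ZONE}, {"mgmt-net"}, {"any"}, {"ssh", "ssl"},
         vuln_profile="strict-inbound"),
    Rule("deny-rest-mgmt", {"any"}, {MGMT_ZONE}, {"any"}, {"any"}, {"any"}, action="deny"),
]


def lint_management_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs for rules that can reach the management zone."""
    findings: List[Tuple[str, str]] = []
    mgmt_rules = [r for r in rules if MGMT_ZONE in r.to_zones or "any" in r.to_zones]
    for r in mgmt_rules:
        if r.action != "allow":
            continue
        if "any" in r.from_zones:
            findings.append((r.name, "source zone is any; restrict to the management or bastion zone"))
        if "any" in r.sources:
            findings.append((r.name, "source address is any; restrict to the bastion host or management network"))
        if "any" in r.users:
            findings.append((r.name, "source user is any; restrict with User-ID"))
        if "any" in r.apps:
            findings.append((r.name, "application is any; restrict with App-ID"))
        elif r.apps - MGMT_APPS:
            findings.append((r.name, f"unexpected management applications: {sorted(r.apps - MGMT_APPS)}"))
        if not r.vuln_profile:
            findings.append((r.name, "no Vulnerability Protection profile attached"))
    # Management access should end in an explicit deny rather than rely on the implicit one.
    if not mgmt_rules or mgmt_rules[-1].action != "deny":
        findings.append(("rulebase", "no explicit final deny rule for the management zone"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_management_rules(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

The lint deliberately treats the absence of a User-ID restriction as a finding even on rules that originate inside the management zone, because the point of the bastion design is that every management session is tied to an authenticated identity, not just to a network location.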
A number of network architectures enable inspecting traffic destined for the management
port, many of which depend on company-specific needs. The following topology diagrams
show two common high-level architecture examples of using a DP port on one firewall to
inspect traffic destined for the MGT port of a firewall in the management network. Both
architectures have these common components:
• A firewall administrator attempting to access a device. Administrators who are external to
the network access the network using a VPN.
• A bastion host that authenticates the administrator to prevent unauthorized access to the
management network and management devices.
• A firewall with a dedicated subinterface and a dedicated VLAN on a DP port to isolate the
management traffic. The firewall inspects management traffic before the traffic enters the
management network. No management protocols are enabled on the DP port.
• An isolated management network, protected by the bastion host and the inspecting firewall.
• A device that the administrator manages using the MGT port.
After each diagram is a description of its packet flow.
Packet Flow
1. The firewall administrator (1) uses a VPN connection to attempt to log in and manage a
firewall (5).
2. The bastion host (2) authenticates the administrator’s credentials.
3. If authentication succeeds, the bastion host (2) creates a new session and forwards the
traffic to the inspecting firewall (3), which protects the management network. The firewall
decrypts and inspects the traffic.
4. If Security policy on the inspecting firewall (3) allows the administrator to access the
firewall (5) in the management network, the inspecting firewall (3) forwards the traffic to
the management network (4) and is restricted to connecting only to the device (5) that
the administrator needs to manage. Security policy rules determine which devices the
administrator can access, from where, using which applications, and even when, and how to
inspect the traffic. Role-based access profiles control the privilege level the administrator
has on each device.
5. All subsequent traffic between the administrator (1) and the managed device (5) is
inspected (3) for threats.
Packet Flow
1. The firewall administrator (1) uses a VPN connection to attempt to log in and manage a
firewall (5).
2. The administrator’s traffic reaches the inspecting firewall (2) that protects the management
network. The firewall decrypts and inspects the traffic, and then forwards it (A) to the
bastion host (3).
3. The bastion host (3) authenticates the administrator’s credentials.
4. If authentication succeeds, the bastion host (3) creates a new session and forwards it (B)
back to the inspecting firewall (2), where the traffic is inspected again.
5. If Security policy on the inspecting firewall (2) allows the administrator to access the
firewall (5) in the management network, the inspecting firewall (2) forwards the traffic to
the management network (4) and is restricted to connecting only to the device (5) that
the administrator needs to manage. Security policy rules determine which devices the
administrator can access, from where, using which applications, and even when, and how to
inspect the traffic. Role-based access profiles control the privilege level the administrator
has on each device.
6. All subsequent traffic between the administrator (1) and the managed device (5) is
inspected (2) for threats.
Management networks in which you cannot use another firewall’s DP port to inspect inbound
MGT port traffic—Dedicate one of the firewall’s DP ports as the management interface so
that you can apply Security policy to inspect and control management traffic (do not use the
MGT port as the management interface). Do not allow any traffic on the DP port other than
management traffic.
The tradeoff is best security against not being able to use one DP port as a production port.
If you can’t dedicate a firewall DP port to management traffic and must use the out-of-band
MGT port, understand the risks and follow the rest of the best practices in this document to
isolate the management network and restrict administrator and service access to only those
that require access to manage the device.
When you can’t use a DP port interface on a different firewall to inspect the traffic,
dedicate a firewall DP port to management traffic or you won’t be able to apply
Security policy or Threat profiles to inbound management traffic. That means you can’t
inspect traffic, apply Vulnerability Protection profiles, or use Security policy to restrict
MGT port access in a granular manner. You can use a loopback interface or another
method to route the traffic from the MGT port to a DP port on the same firewall, but
you still need to dedicate the DP port to the management traffic to isolate it on the
device.
Manage Administrator Access
Institute of Standards and Technology (NIST) or local regional standards bodies, and
applicable compliance regulations. Set the Administrator Type as Dynamic and Superuser.
Log out of the firewall or Panorama and then log back in with the new, more secure local
admin account that you just configured.
Delete the default admin account so that your new local superuser account is the only local
account on the device. In Device > Administrators, select the default admin account and
then Delete the account.
Store the new local login and password credentials in the safest storage your enterprise has
available in case emergency access is required.
If for business reasons you must have more than one local account on the firewall,
follow the best practices for password construction and usage later in this section.
However, multiple local admin accounts are not a security best practice because
each local account increases the risk of credential compromise resulting in
unauthorized access.
STEP 2 | For all management access other than the default local administrator account, including
API access, Configure a Firewall Administrator Account, use an external authentication
system (see Configure Local or External Authentication for Firewall Administrators) with
a password manager that generates passwords automatically and configure Multi-Factor
Authentication (MFA) to prevent the unauthorized use of stolen credentials. The mandatory
local superuser account is the only local account that you should have on the device (to use
in case of emergency).
NIST Special Publication 800-63B Digital Identity Guidelines describes standard best practices
for digital authentication management in the U.S. Other regions may have local entities that
provide standard best practices.
If you cannot implement the best practice of using an external authentication system
and must configure local administrators, Configure Certificate-Based Administrator
Authentication to the Web Interface and Configure SSH Key-Based Administrator
Authentication to the CLI to increase security. Always use MFA to protect against
compromised credentials.
Enable MFA for all management access with external authentication and authorization using
RADIUS or SAML and corporate credentials (use your existing authentication system if you
have one). If available, use privileged access management (PAM) and/or privileged identity
management (PIM) solutions to secure credentials externally.
If you have a strong authentication system using smart cards, Configure Certificate-
Based Administrator Authentication to the Web Interface and Configure SSH Key-
Based Administrator Authentication to the CLI. If your system can’t use MFA, import the
certificate from the SAML provider to ensure secure access. If you manage certificates
through a cloud provider, use client certificates to provide secure login access. Use client
certificates for on-premises access to help protect servers against DoS attacks.
Ensure that the password manager follows industry recommendations for constructing
strong passwords, such as those published by NIST in NIST Special Publication 800-63B
Digital Identity Guidelines and Easy Ways to Build a Better P@$5w0rd, and follow
compliance regulations. Some regions may have local entities that require compliance
regulations.
Follow industry password usage best practices such as those published by NIST (or local
standards authorities and compliance regulations).
Change the master key on the device to prevent the default master key from being
compromised and used to decode passwords. Take the following actions when you change
the master key:
Back up your configuration before you change the master key.
In HA firewall configurations (standalone or Panorama-managed), disable Config Sync on
both firewalls before you change the master key, and then configure the same master
key on both devices before you re-enable Config Sync.
On Panorama, WildFire and Log Collector devices must use the same master key as
Panorama.
Resetting the master key results in down time, so do it during a normal maintenance
period.
As with the local admin account, store the master key in the safest storage your
enterprise has. You need the current master key to reset the master key (periodically
reset the master key because eventually it runs out of unique encryptions). If you lose
the master key, the only way to reset it is to reset the system to the factory default.
If you lose the master key and factory reset the device and the default master
key was changed before the reset, your backed up configuration won’t work on
the device after the reset because the master key is different.
Securing API access is similar to securing administrator access. The main difference is that
after you configure administrator accounts and role-based access control (RBAC, see Step
4), you generate an API key, which contains an API’s authentication details, and use the key
for subsequent API access instead of submitting the username and password credentials
every time.
Using API keys is a best practice because it enables you to Configure API Key Lifetime to
enforce regular key rotation and harden your security posture. When you enable API key
lifetimes on firewalls or Panorama, ensure that the systems and scripts which access those
devices update their API keys at the end of the configured lifetime to prevent disrupting
access.
For SNMP access, if your infrastructure supports it, use SNMPv3 instead of SNMPv2c.
SNMPv3 has many security improvements that are best practices to implement. SNMPv3:
• Enables granular, per-manager and per-agent access to MIB objects, so you can restrict
access to the areas that the manager or agent needs to access. (SNMPv2c gives access to
all MIBs to all managers and agents.)
• Enables granular, per-manager and per-agent authentication requirements.
• Provides encryption instead of transmitting data in cleartext and has stronger hashing
algorithms.
Create the appropriate SNMP accounts and configure the firewall or Panorama to
communicate with the SNMP Manager to Monitor Statistics Using SNMP.
You can route SNMP traffic through the MGT port or through a DP port (must be a layer 3
Ethernet interface). If you use the MGT port, first send inbound traffic through a DP port
on the same firewall or on another firewall so that you can control and inspect the incoming
traffic using Security policy rules. Create a dedicated subinterface and a dedicated VLAN on
the DP port to isolate the SNMP traffic.
If you use SNMP to manage routers or switches that are behind the firewall,
configure the appropriate Security policy rule to allow the traffic.
STEP 3 | Limit access to users and services that manage the firewall.
Only allow access for people and services that need to manage the device.
STEP 4 | Assign an Admin Role Profile (Device > Admin Roles) to each administrator or group or
department of administrators who have the same role and to each service or group of
services that require the same access. Configure each profile so that it limits access to only
the areas of the device that each administrator, group of administrators, service, or group
of services manages. Create individual, unique accounts for each administrator and for each
service (for example, Terraform, Ansible, Tufin, etc.).
Configure administrative access only for people and services that need to manage the
device.
Configure a unique firewall administrator account for each administrator and for each
service so that you can control and identify them individually. Administrative Role Types
describes the access roles you can assign to administrators. Don’t use the same account for
more than one administrator or for more than one service. API access for services works
similarly to access for human administrators, including using role-based access.
Apply the appropriate Admin Role Profile to each individual account.
Configure Admin Role Profiles and apply them to individual administrator and
service accounts to control access privileges granularly. Profiles determine what the
administrator(s) or service(s) can do and how they can do it (CLI, API, UI). Configure
each profile to limit administrative privileges to only the areas of the device that an
administrative group, department, individual, or service needs to manage. Do not over-
provision administrators or services; allow only the required access privileges. Reference:
Web Interface Administrator Access describes the web access privileges that you can assign
or deny to administrators on the firewall and on Panorama.
In Panorama, Configure Access Domains to control administrative access to specific Device
Groups, templates, Log Collector Groups, etc.
Add a Commit Description when you commit changes so that others can understand the
reason for the change or addition.
STEP 5 | Configure a login timeout (Idle Timeout) to prevent administrators from leaving idle sessions
open too long, specify a number of Failed Attempts to prevent brute force attempts to log
in, and specify a Lockout Time to prevent further immediate access attempts after reaching
the Failed Attempts limit.
Configure global timeout settings for the device in Device > Setup > Management >
Authentication Settings or configure more granular settings for Failed Attempts and
Lockout Time in Device > Authentication Profile.
Check NIST Special Publication 800-63B Digital Identity Guidelines or local regional
standards bodies or applicable compliance regulations for recommended settings.
If you allow API access, Configure API Key Lifetime based on what makes sense for your
deployment to enforce regular key rotation—don’t over-provision the key lifetime.
STEP 6 | Configure Administrator Activity Tracking and send the logs to an external server for
auditing and monitoring.
STEP 7 | Configure System logs and use Log Forwarding to send them to an external server for
auditing and monitoring. Use a method that notifies administrators of events so that they can
take action in a timely manner.
STEP 8 | Use the Administrator Login Activity Indicators to Detect Account Misuse such as a high
number of failed login attempts.
STEP 9 | Enforce audit comments in policy rules so that you can understand why an administrator
created or modified a rule.
Isolate the Management Network
Enable access to the management interface only from within your dedicated management
network. Do not enable access to your management interface from the internet or from
other zones inside your enterprise security boundary.
STEP 1 | Use a bastion host (or a similarly hardened host dedicated only to management network
access) with screen recording and the strongest authentication and access control to provide
secure external access to your dedicated management network. Figure 1 and Figure 2 show
example topologies with a bastion host.
Only allow external connections to the firewall management interface from the bastion host
so that all incoming management traffic is authenticated, regardless of whether that traffic
originates in the internet or in a non-management zone in your internal network. This makes
the secure bastion host the only authentication gateway to the management network. It
also makes the bastion host’s IP address(es) and the secure management network the only
IP addresses that need to access the management interface. Only allow access to device
management ports from the management network zone—do not enable direct access from
the internet or from any other zones.
For example, external administrators and services can use a VPN to authenticate to and
access the management network through the bastion host. After logging in to the bastion
host, with the proper permissions, the administrator or service can then log in to the firewall
or Panorama.
STEP 2 | Enable access to the management network only from the management zone (including the
bastion host). Do not allow direct access to the management network from the internet or
other zones.
Restrict Access to the Management Interface
STEP 2 | Configure management interface settings to restrict the available services and to restrict the
allowed IP addresses.
1. If you use the MGT port as the management interface (mandatory on Panorama),
configure Management Interface Settings (Device > Setup > Interfaces > Management)
to restrict the services and IP addresses available on the management interface.
Enable HTTPS and SSH, and if you want to test connectivity to the device or use
monitoring and scanning tools, enable ping. Do not allow cleartext protocols (HTTP,
Telnet).
the border guard for your management network, allow only IP addresses in the
management network to access the management port.
Because you must use the MGT port as the Panorama management
interface, you may need to specify IP addresses to allow the necessary
services to access the device. You also may need to open Ports Used for
Panorama to allow necessary services. Allow only the IP addresses and open
only the ports for required services and follow the principle of least privilege
access.
Route incoming MGT port traffic to a DP interface on another firewall or on the same
firewall (as described in Select the Management Interface with the examples Figure
1 and Figure 2) so that you can apply Security policy to the traffic. Do not configure
management protocols on the DP interface you use to inspect the traffic destined for
the MGT port. Configure the same type of Security policy rule for inbound traffic as
described in Step 3 in Scan All Traffic Destined for the Management Interface.
For SNMP access, follow the recommendations here.
2. If you use a firewall DP port as the management interface, configure an Interface
Management Profile (Network > Network Profile > Interface Mgmt) to restrict the
services and IP addresses available on the management interface.
Enable only the services that you require to manage the device (principle of least
privilege access). For example, enable HTTPS for web UI access and SSH for CLI
access. If you want to test connectivity to the device or use monitoring and scanning
tools, enable ping. If you use the management port for SNMP, enable SNMP, etc. Do
not allow cleartext protocols (HTTP, Telnet).
anything else that originates outside of the dedicated management network to access
the management interface directly.
If you have Panorama devices that manage firewalls in different networks, treat the
traffic similarly to other external traffic—inspect the traffic and limit connectivity
following the principle of least privilege access (Ports Used for Management
Functions describes the ports and protocols for management functions).
STEP 3 | Allow access using only the most secure version of Transport Layer Security (TLS) encryption
and most secure encryption settings.
If you use the MGT port as the management interface, Configure an SSL/TLS Service
Profile (Device > Certificate Management > SSL/TLS Service Profile) that uses strong
encryption to restrict access to the web interface and protect against weak protocols.
Set the Min Version to TLSv1.2 and the Max Version to Max. Setting TLSv1.2 as the Min
Version automatically blocks the weak 3DES and RC4 encryption algorithms and MD5
authentication algorithm.
Depending on applicable compliance regulations, you may want to block other
authentication, encryption, and key exchange algorithms, which you can do in the CLI using
the configuration command set shared ssl-tls-service-profile <profile-
name> protocol-settings.
Configure an SSH Service Profile (Device > Certificate Management > SSH Service
Profile and Add a management server profile) to restrict SSH access to the CLI to only the
encryption cipher, authentication, and key exchange algorithms that meet your compliance
regulations. If you don’t configure this profile, all algorithms are allowed, including weak
encryption algorithms that you should block.
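Several of the settings from this section and from Manage Administrator Access (no cleartext services and a permitted-IP list on the MGT port from Step 2 here; a TLSv1.2 minimum in the SSL/TLS Service Profile from Step 3 here; the idle timeout and failed-attempts lockout from Step 5 there; removal of the default admin account from Step 1 there) can be verified offline against an exported configuration. The following auditor is an added example, not code from this guide or from Palo Alto Networks. The configuration excerpt is constructed, and the XML element paths it walks are an assumption about the PAN-OS configuration schema: confirm them against your own running configuration before relying on the checks. The meaning of 0 for idle-timeout (never time out) and failed-attempts (no lockout) is also assumed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a PAN-OS running configuration, not taken from a real device.
# Element paths follow the PAN-OS XML schema as assumed here; verify on your device.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin"/>
      <entry name="breakglass-local"/>
    </users>
  </mgt-config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="mgmt-tls">
        <protocol-settings>
          <min-version>tls1-1</min-version>
          <max-version>max</max-version>
        </protocol-settings>
      </entry>
    </ssl-tls-service-profile>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <service>
            <disable-http>no</disable-http>
            <disable-telnet>yes</disable-telnet>
          </service>
          <permitted-ip>
            <entry name="10.200.0.0/24"/>
          </permitted-ip>
        </system>
        <setting>
          <management>
            <idle-timeout>10</idle-timeout>
            <admin-lockout>
              <failed-attempts>0</failed-attempts>
              <lockout-time>30</lockout-time>
            </admin-lockout>
          </management>
        </setting>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# The same excerpt with the four weaknesses corrected (constructed).
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace('<entry name="admin"/>\n', "")
    .replace("tls1-1", "tls1-2")
    .replace("<disable-http>no", "<disable-http>yes")
    .replace("<failed-attempts>0", "<failed-attempts>5")
)

DEVICE = "./devices/entry[@name='localhost.localdomain']/deviceconfig"
WEAK_TLS = {"tls1-0", "tls1-1"}  # anything below TLSv1.2


def _text(root, path, default=None):
    """Text of the first element at path, or default when absent/empty."""
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else default


def audit(config_xml):
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    findings = []

    # Restrict Access, Step 2: no cleartext management protocols on the MGT port.
    for svc in ("http", "telnet"):
        if _text(root, f"{DEVICE}/system/service/disable-{svc}", "no") != "yes":
            findings.append(f"cleartext {svc} is enabled on the MGT port")

    # Restrict Access, Step 2: a permitted-IP list must exist and must not be a catch-all.
    nets = [e.get("name") for e in root.findall(f"{DEVICE}/system/permitted-ip/entry")]
    if not nets:
        findings.append("MGT port accepts connections from any IP address (no permitted-ip)")
    elif any(n.endswith("/0") for n in nets):
        findings.append("permitted-ip contains a catch-all network")

    # Restrict Access, Step 3: SSL/TLS service profiles must require at least TLSv1.2.
    for prof in root.findall("./shared/ssl-tls-service-profile/entry"):
        minv = _text(prof, "./protocol-settings/min-version", "tls1-0")
        if minv in WEAK_TLS:
            findings.append(f"SSL/TLS profile {prof.get('name')} allows min-version {minv}")

    # Manage Administrator Access, Step 5: idle timeout and failed-attempts lockout (0 = off, assumed).
    if int(_text(root, f"{DEVICE}/setting/management/idle-timeout", "0")) == 0:
        findings.append("idle timeout is disabled")
    if int(_text(root, f"{DEVICE}/setting/management/admin-lockout/failed-attempts", "0")) == 0:
        findings.append("failed-attempts lockout is disabled")

    # Manage Administrator Access, Step 1: the default local admin account should be gone.
    if root.find("./mgt-config/users/entry[@name='admin']") is not None:
        findings.append("default local 'admin' account still exists")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(cfg_name, "->", audit(cfg) or "no findings")
```

Running the auditor against a configuration exported after every commit gives a cheap regression check that the restrictions from these steps were not loosened by a later change.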
STEP 4 | As described in Step 5 of Manage Administrator Access, prevent brute force attacks on
administrator logins and prevent leaving idle sessions open too long.
STEP 5 | Treat external services such as DNS, NTP, authentication, and Palo Alto Networks Services
the same way that you treat other external traffic destined for the MGT port: run the traffic
through a firewall DP port to inspect it before it reaches the MGT port.
By default, the firewall uses the dedicated MGT port to access services that are outside of
the management network. If you can’t access the required services through the management
network and inspect them, Configure Service Routes (Device > Setup > Services > Service
Route Configuration) that use a DP port instead of the MGT port so that you can inspect the
traffic. When you configure service routes:
Follow the principle of least privilege access and allow only the services you need.
Create a dedicated subinterface and a dedicated VLAN on the DP interface to isolate the
services traffic.
Customize service routes by specifying a source interface and source address on the
firewall or Panorama that does not have management access enabled.
Apply Security policy to the traffic (see Scan All Traffic Destined for the Management
Interface).
Use App-ID in Security policy to ensure that only the required service applications
are allowed. There are App-IDs for many common services (such as DNS) that you
can use to lock down access and prevent unnecessary applications from accessing
the device.
Some services, such as SNMP, cannot use service routes. For these services, the
same advice applies: before the traffic reaches the MGT port, run the traffic
through a firewall DP port on a dedicated subinterface and a dedicated VLAN to
isolate the traffic, and apply Security policy to control and inspect the traffic.
STEP 2 | Read the latest Release Notes before you upgrade PAN-OS.
STEP 3 | Follow Best Practices for Applications and Threats Content Updates when updating to the
latest content release version.
STEP 1 | Create Security policy rules to allow access to the web and CLI interfaces.
If you use a bastion host as the only gateway to your management network, configure a rule
to allow traffic from the bastion host to the managed device. Configure rules to allow traffic
from necessary users and services within the management network (restricted to only the
necessary applications, etc.).
If you do not use a bastion host, create the required rules to allow access only from the
management zone, using only the necessary applications and allowing only the necessary
users or services. All management traffic should come from within the management zone.
Inspect traffic entering the network from a VPN or other secure tunnel before it enters the
management zone.
STEP 2 | Create a best practice Vulnerability Protection profile by cloning the preconfigured strict
Vulnerability profile and then modifying it so that it only scans the signatures from the
requesting server.
After you clone and modify the best practice Vulnerability Protection profile, delete the
profile rules that have client as the Host Type because you only need to scan the inbound
traffic.
Attach the Vulnerability Protection profile to every Security policy rule that controls
inbound access to the management interface.
STEP 3 | Tighten each Security policy rule to allow only the necessary users, services, and
applications.
Allow only the IP addresses you specified in the Interface Management Profile.
Specify the management network zone(s) as both the source and destination zones (both
the bastion host and the device’s management port are in the management network
zone(s)).
Allow only the applications and services that you need to manage the device (use App-ID).
Specify user groups and/or individual users (you must implement User-ID).
Include the modified best practice Vulnerability Protection profile (Step 2).
Log traffic that matches the rule (this is enabled by default) and forward logs to external
log storage so that they are available for analysis (you must Configure Log Forwarding).
If temporary access is required, for example for a contractor, configure a non-recurring
schedule (Objects > Schedules) to specify when that access is allowed and when it stops.
Attach the schedule to the Security policy rule that allows the temporary access.
STEP 4 | Decrypt inbound traffic to the management interface so the firewall can inspect it. If you use
the MGT port as the management interface, you must first route the traffic through the DP
port of a firewall to decrypt and inspect the traffic (see Select the Management Interface).
Apply an SSL Inbound Inspection Decryption profile to the traffic.
Follow Decryption Best Practices to eliminate weak ciphers and algorithms based on
applicable compliance regulations.
Do not decrypt management or service route traffic from the firewall to Panorama.
Do not configure SSL Forward Proxy decryption to decrypt outbound management
traffic from the firewall or Panorama.
STEP 2 | When services or API access for management tools changes, update Security policy rules
that allow access accordingly.
As with changes in administrative personnel, in firewall and Panorama Security policy and for
access to the management network, ensure that you:
Remove access privileges for services and tools that you no longer use.
Add access privileges for new services and tools using the most granular policy to permit
only the necessary connection (principle of least privilege access).
STEP 3 | Monitor System logs for administrators to identify abnormal account activity, especially
for administrators with roles that permit changing key areas such as management access,
administrative users, or Security policy.
Configure Log Forwarding for specific log events and types. Use a method that notifies
administrators of events so that they can take action in a timely manner. Abnormal activity
may indicate a compromised administrator account. Look for activity such as:
An excessive number of login attempts.
Repeated login attempts at unusual times of day for the administrator.
Login attempts from unusual IP addresses or locations.
Creation of new user accounts (ensure that the new account is legitimate).
Addition of new users to groups (ensure that the addition is legitimate).
Unexpected password changes.
Policy and permission changes (Security policy, users, Security profiles, Admin Role Profiles,
etc.).
Unscheduled commits.
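The indicators in the list above can be checked automatically once System logs are forwarded to a collector. The following is an added example and not code from the Palo Alto Networks guide: the log records, the per-administrator baseline, the thresholds and the event names are all constructed in a simplified CSV shape and are not the actual PAN-OS System log format; adapt the parser to the fields your log forwarding destination receives.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in a simplified CSV shape (not real PAN-OS System log output):
# timestamp,admin,src_ip,event,result
SAMPLE_LOGS = """\
2022-05-10 09:02:15,alice,10.10.1.5,login,success
2022-05-10 03:14:02,bob,203.0.113.9,login,failed
2022-05-10 03:14:05,bob,203.0.113.9,login,failed
2022-05-10 03:14:09,bob,203.0.113.9,login,failed
2022-05-10 03:14:20,bob,203.0.113.9,login,success
2022-05-10 03:16:40,bob,203.0.113.9,user-added,success
2022-05-10 03:18:02,bob,203.0.113.9,commit,success
2022-05-10 10:30:00,alice,10.10.1.5,commit,success
"""

# Per-admin baseline (constructed): approved management-network source prefix and normal working hours.
BASELINE = {"alice": ("10.10.1.", range(8, 19)), "bob": ("10.10.1.", range(8, 19))}
FAILED_LOGIN_THRESHOLD = 3    # failures per admin+source that trigger an alert (constructed value)
CHANGE_WINDOW = range(9, 17)  # hours in which scheduled commits are expected (constructed value)
SENSITIVE_EVENTS = {"user-added", "group-member-added", "password-changed", "policy-changed"}

def parse(text):
    """Parse the constructed CSV records into dicts with a datetime timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, admin, ip, event, result = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "admin": admin,
                     "ip": ip, "event": event, "result": result})
    return rows

def detect(rows):
    """Return (indicator, admin, detail) tuples for the activity the guide says to look for."""
    alerts, failures = [], Counter()
    for r in rows:
        prefix, hours = BASELINE.get(r["admin"], ("", range(0, 24)))
        if r["event"] == "login" and r["result"] == "failed":
            failures[(r["admin"], r["ip"])] += 1
            if failures[(r["admin"], r["ip"])] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("excessive-failed-logins", r["admin"], r["ip"]))
        elif r["event"] == "login":  # successful login: check source and time of day
            if not r["ip"].startswith(prefix):
                alerts.append(("login-from-unexpected-source", r["admin"], r["ip"]))
            if r["ts"].hour not in hours:
                alerts.append(("login-at-unusual-hour", r["admin"], r["ts"].isoformat()))
        elif r["event"] in SENSITIVE_EVENTS:  # account/permission change: verify it is legitimate
            alerts.append(("review-change", r["admin"], r["event"]))
        elif r["event"] == "commit" and r["ts"].hour not in CHANGE_WINDOW:
            alerts.append(("unscheduled-commit", r["admin"], r["ts"].isoformat()))
    return alerts
```

Running `detect(parse(SAMPLE_LOGS))` flags only the constructed "bob" activity: the burst of failed logins, the successful login from outside the management network at 03:14, the new account, and the commit outside the change window.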
STEP 4 | On the Dashboard, use the administrator login activity indicators to detect account misuse.
These activity indicators enable you to quickly view the last login details of administrators and
locate hosts that attempt to log into the firewall or Panorama management server.