
Interface Mgmt:

o An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits.
o An Interface Management profile can be assigned to Layer 3 Ethernet interfaces.
o It can also be assigned to subinterfaces and to logical interfaces: VLAN, loopback, and tunnel.
o Do not attach a profile that allows Telnet, SSH, HTTP, or HTTPS to an Internet-facing interface.
o Do not attach an Interface Management profile to an interface hosting a GlobalProtect portal or gateway.
o Doing so would expose the management interface to the outside Internet.
o To allow Ping and other management traffic on an interface, configure an Interface Management profile.

Network > Network Profiles > Interface Mgmt > Add

o Assign the Management Profile to any Layer 3 interface from which you want to manage the PA Firewall.
o This is handy when you want to allow management functions on any Layer 3 interface.
o Network > Interfaces > Ethernet > ethernet1/2 > Advanced > Management Profile.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717


Field: Description

Name: Enter profile name. This name appears in the list of Interface Management profiles when configuring interfaces.

Administrative Management Services:
o Telnet—Use to access the firewall CLI. Telnet uses plaintext and is not secure.
o SSH—Use for secure access to the firewall CLI.
o HTTP—Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS.
o HTTPS—Use for secure access to the firewall web interface.

Network Services:
o Ping—Use to test connectivity with external services.
o HTTP OCSP—Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder.
o SNMP—Use to process firewall statistics queries from an SNMP manager.
o Response Pages—Use to enable response pages for:
  Captive Portal—The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces:
o User-ID Syslog Listener-SSL—Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over SSL.
o User-ID Syslog Listener-UDP—Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over UDP.

Permitted IP Addresses: Enter the list of IPv4 or IPv6 addresses from which the interface allows access.
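
The rules and fields above can be checked mechanically. The following Python audit is an added example, not part of the original notes and not Palo Alto code. The XML fragment is constructed, its element names are assumptions modelled on the profile fields, and `audit` and `internet_facing` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real device; element names are assumptions
# modelled on the fields of the Interface Management profile dialog.
SAMPLE = """<network>
 <profiles><interface-management-profile>
  <entry name="inside-mgmt"><https>yes</https><ssh>yes</ssh><ping>yes</ping>
   <permitted-ip><entry name="10.1.1.0/24"/></permitted-ip></entry>
  <entry name="legacy-mgmt"><telnet>yes</telnet><http>yes</http></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3>
   <interface-management-profile>legacy-mgmt</interface-management-profile>
  </layer3></entry>
  <entry name="ethernet1/2"><layer3>
   <interface-management-profile>inside-mgmt</interface-management-profile>
  </layer3></entry>
 </ethernet></interface>
</network>"""

ADMIN = ("telnet", "ssh", "http", "https")  # Administrative Management Services
PLAINTEXT = {"telnet", "http"}              # protocols that send data in cleartext

def audit(xml_text, internet_facing):
    """Return sorted (interface, profile, issue) findings for Layer 3 interfaces."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall("profiles/interface-management-profile/entry"):
        enabled = {svc for svc in ADMIN if prof.findtext(svc) == "yes"}
        restricted = bool(prof.findall("permitted-ip/entry"))
        profiles[prof.get("name")] = (enabled, restricted)
    findings = []
    for intf in root.findall("interface/ethernet/entry"):
        pname = intf.findtext("layer3/interface-management-profile")
        if pname not in profiles:
            continue  # no profile attached, so no management service is exposed
        enabled, restricted = profiles[pname]
        where = (intf.get("name"), pname)
        if enabled and intf.get("name") in internet_facing:
            findings.append(where + ("admin service on Internet-facing interface",))
        if enabled & PLAINTEXT:
            findings.append(where + ("plaintext: " + ",".join(sorted(enabled & PLAINTEXT)),))
        if enabled and not restricted:
            findings.append(where + ("no permitted IP addresses",))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, internet_facing={"ethernet1/1"}):
        print(*finding, sep=" | ")
```

The caller supplies the set of Internet-facing interface names, because the profile itself does not record where an interface points.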



o After the Management Profile is attached to the inside interface, the firewall can be accessed via the inside IP.

o A warning message is displayed when attaching the profile to other interfaces.

Inside interface where the Management Profile has been attached.
