It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.
Configure a loopback interface on the firewall and assign an interface Management Profile permitting the desired type of access. Note: - The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface. - The IP assigned to the loopback interface should be unique and not identical to a dataplane or management interface
Configure custom services for the non-default ports that will allow access to the firewall. In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
Configure individual destination NAT policies to translate the custom ports to the default access ports.
Configure a security policy allowing inbound access to the Untrust interface. Optionally, the specific ports to be allowed in this security policy can be included.
Commit the changes.
After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access.