How to Change the Default Management Port using non-default ports
111324
Created On 09/25/18 17:27 PM - Last Modified 04/14/23 23:07 PM
Symptom
Objective:
It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.
Environment
- PAN-OS 9.1 and above
- Management Access
Resolution
Do not enable management access from the internet or from other untrusted zones inside your enterprise security boundary. See link below to ensure that you are properly securing your firewall.
- Configure a loopback interface on the firewall and assign an interface Management Profile permitting the desired type of access. NETWORK> Interfaces
- Note: The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface.
- The IP assigned to the loopback interface should be unique and not identical to a dataplane or management interface.
- Configure custom Services Object for the non-default ports that will allow access to the firewall. OBJECTS> Services
In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
- Configure individual destination NAT policies to translate the custom ports to the default access ports. POLICIES> NAT
- Configure a Security Policy allowing inbound access to the Untrust interface. Optionally, the specific ports to be allowed in this security policy can be included. POLICIES> Security
- Commit the changes.
- After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access.
Additional Information
Management Interfaces