It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.
Environment
PAN-OS 9.1 and above
Management Access
Resolution
Do not enable management access from the internet or from other untrusted zones inside your enterprise security boundary. If you must expose administrative access on the Untrust interface as shown here, restrict the source addresses to known administrative hosts in both the Security Policy and the Permitted IP Addresses list of the interface Management Profile; moving the ports alone does not protect the management plane. See link below to ensure that you are properly securing your firewall.
Configure a loopback interface on the firewall, place it in the Trust zone, attach it to the virtual router, and assign an interface Management Profile permitting the desired type of access (HTTPS and/or SSH). NETWORK> Interfaces
Note: The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface.
The IP assigned to the loopback interface must be unique and must not overlap with the address of any dataplane interface or the management interface.
Configure custom Services Object for the non-default ports that will allow access to the firewall. OBJECTS> Services
In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
Configure individual destination NAT policies to translate the custom ports to the default access ports. Each rule is from the Untrust zone to the Untrust zone, with the destination address set to the Untrust interface IP and the service set to the custom Service Object; the destination translation points to the loopback IP with translated port 443 (HTTPS) or 22 (SSH). POLICIES> NAT
Configure a Security Policy allowing inbound access to the Untrust interface. Because security policy matches on the pre-NAT destination address and the post-NAT destination zone, the rule is from the Untrust zone to the Trust zone with the destination set to the Untrust interface IP. Set the service to the custom Service Objects rather than "any", and restrict the source to the administrative addresses that legitimately need access. POLICIES> Security
Commit the changes.
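The full procedure above expressed as PAN-OS configure-mode set commands, added here as an illustration that is not part of the original article. The names and addresses are assumptions: ethernet1/1 is the Untrust interface with address 198.51.100.10, loopback.1 is the Trust-zone loopback at 192.0.2.1/32, 203.0.113.25 is the administrator's host, and the virtual router is named default. Verify the exact command syntax against the PAN-OS version in use before committing.

```text
# Added example: PAN-OS set commands (names, zones and addresses are assumptions).
configure

# Interface Management Profile: HTTPS and SSH only, and only from the admin host.
set network profiles interface-management-profile Mgmt-Loopback https yes
set network profiles interface-management-profile Mgmt-Loopback ssh yes
set network profiles interface-management-profile Mgmt-Loopback permitted-ip 203.0.113.25/32

# Loopback in the Trust zone with a unique /32. The profile goes here, not on ethernet1/1.
set network interface loopback units loopback.1 ip 192.0.2.1/32
set network interface loopback units loopback.1 interface-management-profile Mgmt-Loopback
set zone Trust network layer3 loopback.1
set network virtual-router default interface loopback.1

# Custom Service Objects for the non-default ports.
set service Mgmt-HTTPS-7777 protocol tcp port 7777
set service Mgmt-SSH-7778 protocol tcp port 7778

# Destination NAT: Untrust interface IP on the custom port -> loopback on the default port.
set rulebase nat rules DNAT-Mgmt-HTTPS from Untrust to Untrust source any destination 198.51.100.10 service Mgmt-HTTPS-7777 destination-translation translated-address 192.0.2.1 translated-port 443
set rulebase nat rules DNAT-Mgmt-SSH from Untrust to Untrust source any destination 198.51.100.10 service Mgmt-SSH-7778 destination-translation translated-address 192.0.2.1 translated-port 22

# Security Policy: pre-NAT destination address, post-NAT destination zone (Trust),
# source limited to the admin host and service limited to the custom ports.
set rulebase security rules Allow-Mgmt-Untrust from Untrust to Trust source 203.0.113.25 destination 198.51.100.10 application any service [ Mgmt-HTTPS-7777 Mgmt-SSH-7778 ] action allow

commit
```

The security rule deliberately does not use service "any" or source "any": the NAT rule already limits which ports are translated, but the security rule is what stops other Untrust hosts from reaching the management plane, and the management profile's permitted-ip list is a second, independent check on the loopback itself.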
After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access, for example https://<untrust-ip>:7777 for the web interface and ssh -p 7778 admin@<untrust-ip> for the CLI. Confirm from a non-permitted source address that the custom ports are refused, and that the default ports 443 and 22 on the Untrust interface remain closed.