How to Change the Default Management Port using non-default ports

How to Change the Default Management Port using non-default ports

Created On 09/25/18 17:27 PM - Last Modified 04/14/23 23:07 PM



It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.


  • PAN-OS 9.1 and above
  • Management Access


Do not enable management access from the internet or from other untrusted zones inside your enterprise security boundary. See link below to ensure that you are properly securing your firewall.  
  1. Configure a loopback interface on the firewall and assign an interface Management Profile permitting the desired type of access. NETWORKInterfaces
    1. Note:  The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface.
    2. The IP assigned to the loopback interface should be unique and not identical to a dataplane or management interface.
      loopback configuration
  2. Configure custom Services Object for the non-default ports that will allow access to the firewall. OBJECTS> Services
 In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
Service Object configuration
  1. Configure individual destination NAT policies to translate the custom ports to the default access ports. POLICIES> NAT
    NAT Configuration
  2. Configure a Security Policy allowing inbound access to the Untrust interface. Optionally, the specific ports to be allowed in this security policy can be included. POLICIES> Security
    Security Policy Configuration
  3. Commit the changes.
  4. After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access.
SSH to device

Additional Information

Management Interfaces

  • Print
  • Copy Link

Choose Language