How to Allow Specific IP Addresses to Access the Management Interface of a Palo Alto Networks Device

217287
Created On 09/26/18 13:47 PM - Last Modified 01/15/26 02:56 AM


Objective


This article describes how to restrict access to the management interface of a Palo Alto Networks device to specific IP addresses, either directly via the management interface or through a dataplane interface.



Environment


Panorama or Next-Generation Firewalls



Procedure


Review Before Starting

  • It is recommended to have console access to the firewall before starting these steps in case this configuration needs to be rolled back.
  • Before you commit the Permitted IP list changes, please verify you are accessing the device from an IP address on the Permitted IP list.
  • If your IP is not on the Permitted IP list, you will be unable to access the device via GUI or SSH, and you will need to revert the configuration via console access to restore GUI or SSH access for your IP.

Management Interface Configuration

1) Log in to the web GUI.

2) Navigate to 'Device > Setup > Interfaces' and click on 'Management' to pull up the 'Management Interface Settings'.

3) Under the 'Permitted IP Addresses' section, click the 'Add' button and add either host IP addresses or subnets. 

4) Click the 'OK' button when you are finished adding IP addresses to the list.

5) Commit the configuration change.

 

Dataplane Interface Configuration

1) Log in to the web GUI.

2) Navigate to 'Network > Network Profiles > Interface Mgmt'.

3) Either Add a new profile or Edit an existing profile by clicking on the profile name.

4) In the 'Interface Management Profile' pop-up menu, under the 'Permitted IP Addresses' section, click the 'Add' button and add either host IP addresses or subnets then click 'OK'.

5) If you added a new Interface Management Profile, you can apply it to a dataplane interface by navigating to 'Network > Interfaces', then selecting the appropriate interface sub-menu (Ethernet, VLAN, Loopback, etc.). In the example pictures below, we applied the Interface Management Profile to ethernet1/1.

6) Commit the configuration change. 



Additional Information


References

If you need to remove the Permitted IP List via console

  • Commands to load a previously saved named configuration file and commit:
    > configure
    # load config from <choose named configuration file>
    # commit

  • Commands to load a previous configuration version and commit:
    > configure
    # load config version <choose version number>
    # commit

  • Commands to remove the permitted IPs in the CLI and commit (note: only one entry can be removed per command):
    > configure
    # delete deviceconfig system permitted-ip <entry>
    # commit
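An added example, not part of the article, that turns the 'Review Before Starting' warning into a pre-commit check: it parses a constructed Permitted IP list of hosts and subnets, confirms the administrator's own source address is covered by at least one entry, and only then renders the configure-mode commands. The `set deviceconfig system permitted-ip <entry>` form is assumed to mirror the `delete` command shown above.

```python
import ipaddress

# Constructed sample Permitted IP list: host entries and subnets, in the
# forms the 'Permitted IP Addresses' section accepts. Not from the article.
PERMITTED = ["10.1.10.5", "192.168.50.0/24", "2001:db8:a::/64"]


def parse_entry(entry):
    """A bare host address becomes a /32 (or /128) network; subnets stay as given.
    Raises ValueError for anything that is not a valid address or prefix."""
    return ipaddress.ip_network(entry, strict=False)


def is_permitted(admin_ip, permitted):
    """True if admin_ip falls inside at least one entry of the permitted list.
    Mixed address families never match (an IPv4 admin is not inside an IPv6 entry)."""
    addr = ipaddress.ip_address(admin_ip)
    return any(addr in parse_entry(entry) for entry in permitted)


def render_cli(permitted, admin_ip):
    """Return the PAN-OS configure-mode command lines that add every entry.

    Refuses (ValueError) when admin_ip is not covered, which is exactly the
    lockout case the article warns about: after commit, GUI/SSH from that
    address would be blocked and only console access could revert the change.
    Assumption: 'set deviceconfig system permitted-ip <entry>' is the set form
    of the 'delete deviceconfig system permitted-ip <entry>' command on the page.
    """
    for entry in permitted:
        parse_entry(entry)  # validate every entry before emitting anything
    if not is_permitted(admin_ip, permitted):
        raise ValueError(
            f"{admin_ip} is not covered by the Permitted IP list; "
            "committing would lock this session out of GUI and SSH"
        )
    lines = ["configure"]
    lines += [f"set deviceconfig system permitted-ip {entry}" for entry in permitted]
    lines.append("commit")
    return lines


if __name__ == "__main__":
    # Operator connecting from the first host entry: commands are rendered.
    print("\n".join(render_cli(PERMITTED, "10.1.10.5")))
```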


    NOTE: To debug connectivity issues with the management interface, use the tcpdump option available in the CLI; see the article 'Take a Packet Capture on the Management Interface'.

