Friday, April 10, 2015

Palo Alto: Changing The Management Access Port For HTTPS

It used to be that HTTPS access to the firewall was just that: for management. 443 was just secure management, and that was it. Now, it's for VPN access. Now you have to change the management port number from 443 to something else if you enable VPN nowadays. I found a good document on the Palo site for this, so I'm going to just copy and paste it here. I couldn't have said this any better than the guy who created it.
With that said, I think that this process should be easier.  It seems to me, just like in Check Point, that you should just be able to go to one place, type in the new port number, and go with it.  Maybe in a future release.
1. Configure a loopback interface on the firewall and assign an interface Management Profile permitting the desired type of access.
Note: The management profile permitting access only needs to be on the loopback interface, and not the Untrust interface.

2. Configure custom services for the non-default ports that will allow access to the firewall. In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access. (choose your own ports)

3. Configure individual destination NAT policies to translate the custom ports to the default access ports.

4. Configure a security policy allowing inbound access to the Untrust interface.  Optionally, the specific ports to be allowed in this security policy can be included.

5. Commit the changes.
6. Try to access the unit on the new port.
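Here is the whole procedure above expressed as PAN-OS configure-mode `set` commands. This is an added example written for this post; it is not the Palo Alto document's own configuration, and the IP addresses, zone names (Trust-L3 / Untrust-L3), object names (Untrust_interface, Admin_net), the loopback number and the virtual router name are all assumptions. Check each command against the CLI reference for your PAN-OS release before using it, and note that the `#` lines are annotations for the reader, not input the CLI accepts.

```text
# Assumed values: loopback.1 = 10.255.255.1/32, zones Trust-L3 and Untrust-L3,
# untrust interface IP 203.0.113.10, admin source network 198.51.100.0/24,
# virtual router "default". All of these are placeholders.

# Step 1: loopback interface in the trust zone, management profile on the
# loopback only (the untrust interface gets no management profile at all)
set network interface loopback units loopback.1 ip 10.255.255.1/32
set network virtual-router default interface loopback.1
set zone Trust-L3 network layer3 loopback.1
set network profiles interface-management-profile mgmt-loopback https yes
set network profiles interface-management-profile mgmt-loopback ssh yes
set network interface loopback units loopback.1 interface-management-profile mgmt-loopback

# Step 2: custom services for the non-default ports
set service tcp-7777-https protocol tcp port 7777
set service tcp-7778-ssh protocol tcp port 7778

# Address objects used by the NAT and security rules. Untrust_interface is the
# untrust interface's own IP as a single host (/32), not the subnet it sits in.
set address Untrust_interface ip-netmask 203.0.113.10/32
set address Admin_net ip-netmask 198.51.100.0/24

# Step 3: destination NAT from the custom port to the loopback on the default
# port. "from" and "to" are both the untrust zone because NAT matches on the
# pre-NAT destination, which is the untrust interface IP.
set rulebase nat rules mgmt-https-7777 from Untrust-L3 to Untrust-L3 source Admin_net destination Untrust_interface service tcp-7777-https destination-translation translated-address 10.255.255.1 translated-port 443
set rulebase nat rules mgmt-ssh-7778 from Untrust-L3 to Untrust-L3 source Admin_net destination Untrust_interface service tcp-7778-ssh destination-translation translated-address 10.255.255.1 translated-port 22

# Step 4: security policy. Destination zone is the post-NAT zone (the
# loopback's zone, Trust-L3) while the destination address is still the
# pre-NAT untrust IP. Only the two custom services are allowed in.
set rulebase security rules allow-mgmt-custom-ports from Untrust-L3 to Trust-L3 source Admin_net destination Untrust_interface application any service [ tcp-7777-https tcp-7778-ssh ] action allow

# Step 5
commit
```

Two choices in this example differ from the minimum the steps require. The source of both the NAT and the security rule is limited to an assumed admin network rather than `any`, so that the management UI and SSH on the firewall are reachable from the outside only from where administrators actually sit; and the security rule lists the two custom services explicitly, which the original step 4 calls optional. For step 6, test from a host on the admin network that the web UI answers on 7777 and SSH on 7778, and from a host outside that network that neither port answers; 443 on the untrust interface is then left to the VPN portal.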

1 comment:

  1. Hi, thanks for this. Can you elaborate on some of the steps? Creating the loopback interface, looks like there is a new zone, TRUST-L3. Creating the NAT, looks like there is another new zone, Untrust-L3, and the object "Untrust_interface" .... is the value of that x.x.x.x or with CIDR, x.x.x.x/26 for example?

    thanks
    Roger
