An Interface Management profile protects the
firewall from unauthorized access by defining the protocols, services,
and IP addresses that a firewall interface permits for management
traffic. For example, you might want to prevent users from accessing
the firewall web interface over the ethernet1/1 interface but allow
that interface to receive SNMP queries from your network monitoring
system. In this case, you would enable SNMP and disable HTTP/HTTPS
in an Interface Management profile and assign the profile to ethernet1/1.
You
can assign an Interface Management profile to Layer 3 Ethernet interfaces
(including subinterfaces) and to logical interfaces (aggregate group,
VLAN, loopback, and tunnel interfaces). If you do not assign an
Interface Management profile to an interface, it denies access for
all IP addresses, protocols, and services by default.
The
management (MGT) interface does not require an Interface Management
profile. You restrict protocols, services, and IP addresses for
the MGT interface when you
Perform
Initial Configuration of the firewall. In case the MGT interface
goes down, allowing management access over another interface enables
you to continue managing the firewall.
When enabling access to a firewall interface
using an Interface Management profile, do not enable management
access (HTTP, HTTPS, SSH, or Telnet) from the internet or from other
untrusted zones inside your enterprise security boundary, and never
enable HTTP or Telnet access because those protocols transmit in
cleartext. Follow the
Best
Practices for Securing Administrative Access to ensure that
you are properly securing management access to your firewall.