Example: Controlling Management Access on SRX Series Devices
This example shows how to control management access on SRX Series devices.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
By default, any host on the trusted interface can manage a security device. To limit the IP addresses that can manage a device, you can configure a firewall filter that denies all management traffic except traffic from the IP address or addresses to which you want to grant management access. This example shows how to restrict management of SRX Series devices to a specific set of IP addresses.
Configuration
Configuring an IP Address List to Restrict Management Access to a Device
CLI Quick Configuration
To quickly configure this example, copy the commands shown in the step-by-step procedure below, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
- Define a set of host addresses, called "manager-ip", that are allowed to manage the device.

  [edit policy-options]
  user@host# set prefix-list manager-ip 192.168.4.254/32
  user@host# set prefix-list manager-ip 10.0.0.0/8

  Note: The filter references this prefix list, so you can change the set of addresses that are allowed to manage the device by editing the list rather than the filter.
- Configure a firewall filter to deny traffic from all IP addresses except the IP addresses defined in the "manager-ip" list. TCP traffic to any of the listed management destination ports is discarded when it comes from a source address that is not in the list; all other traffic is accepted by the final term.

  [edit firewall filter]
  user@host# set manager-ip term block_non_manager from source-address 0.0.0.0/0
  user@host# set manager-ip term block_non_manager from source-prefix-list manager-ip except
  user@host# set manager-ip term block_non_manager from protocol tcp
  user@host# set manager-ip term block_non_manager from destination-port ssh
  user@host# set manager-ip term block_non_manager from destination-port https
  user@host# set manager-ip term block_non_manager from destination-port telnet
  user@host# set manager-ip term block_non_manager from destination-port http
  user@host# set manager-ip term block_non_manager then discard
  user@host# set manager-ip term accept_everything_else then accept
- Apply the stateless firewall filter to the loopback interface as an input filter, so that it is evaluated on packets destined to the device itself, including those from the hosts to which you are granting management access.

  [edit interfaces lo0 unit 0]
  user@host# set family inet filter input manager-ip
Note: This configuration applies to traffic that terminates at the device. For traffic that terminates at the device interface (such as IPsec, OSPF, RIP, or BGP), you must also include the management IP addresses in the manager-ip prefix-list.
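To make the term semantics concrete, the following added Python model (not part of the Juniper documentation or of Junos itself) walks constructed packets through the two terms of the "manager-ip" filter exactly as a stateless filter evaluates them: terms are tried in order, the first term whose "from" conditions all match decides the action, and "source-prefix-list manager-ip except" carves the listed prefixes out of the 0.0.0.0/0 source match. The packet fields, port numbers and sample addresses are assumptions chosen for the illustration; 203.0.113.0/24 is documentation address space. Running it also shows the filter's scope: it only discards TCP to the four management ports from non-manager sources, so other protocols and ports from those sources still reach the accept term.

```python
"""Constructed model of Junos stateless filter evaluation for the manager-ip filter.

Added example; not Juniper code. It reproduces the first-match term logic so the
effect of 'source-prefix-list manager-ip except' can be checked offline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# prefix-list manager-ip, as configured in the example on this page
MANAGER_IP = [ip_network("192.168.4.254/32"), ip_network("10.0.0.0/8")]

# destination-port ssh/https/telnet/http, resolved to their well-known numbers
MGMT_PORTS = {22: "ssh", 443: "https", 23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Packet:
    """Minimal packet header view: only the fields the filter terms look at."""
    src: str
    protocol: str               # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


def in_prefix_list(addr: str, prefixes) -> bool:
    """True if addr falls inside any prefix of the list (longest-match not needed here)."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def term_block_non_manager(pkt: Packet) -> bool:
    """Return True when every 'from' condition of term block_non_manager matches.

    source-address 0.0.0.0/0 together with 'source-prefix-list manager-ip except'
    matches any source address that is NOT in manager-ip.
    """
    src_is_non_manager = not in_prefix_list(pkt.src, MANAGER_IP)
    return (
        src_is_non_manager
        and pkt.protocol == "tcp"
        and pkt.dst_port in MGMT_PORTS
    )


def evaluate_manager_ip_filter(pkt: Packet) -> str:
    """First-match evaluation of the filter's terms; returns the action taken."""
    if term_block_non_manager(pkt):
        return "discard"            # term block_non_manager then discard
    return "accept"                 # term accept_everything_else then accept


def demo() -> dict:
    """Evaluate a constructed set of packets and return {description: action}."""
    cases = {
        "ssh from non-manager 203.0.113.7": Packet("203.0.113.7", "tcp", 22),
        "https from non-manager 203.0.113.7": Packet("203.0.113.7", "tcp", 443),
        "ssh from manager host 192.168.4.254": Packet("192.168.4.254", "tcp", 22),
        "ssh from manager net 10.1.2.3": Packet("10.1.2.3", "tcp", 22),
        # Not covered by the filter: other protocols/ports from non-managers
        "snmp (udp/161) from non-manager": Packet("203.0.113.7", "udp", 161),
        "bgp (tcp/179) from non-manager": Packet("203.0.113.7", "tcp", 179),
        "icmp from non-manager": Packet("203.0.113.7", "icmp"),
    }
    return {desc: evaluate_manager_ip_filter(p) for desc, p in cases.items()}


if __name__ == "__main__":
    for desc, action in demo().items():
        print(f"{action:8s}  {desc}")
```

The last three cases are the point to take away from the note above: the filter restricts only the four listed TCP management ports, so anything else that terminates on the device is still governed by the accept-all final term and by whatever host-inbound-traffic or zone policy applies.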
Results
From configuration mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Interfaces
Purpose
Verify that the interfaces are configured correctly.
Action
From operational mode, enter the following commands:
- show policy-options
- show firewall
- show interfaces