How to allow only specific IP addresses from accessing the NSM Xpress/3000 WebUI


Article ID: KB21917 KB Last Updated: 18 Oct 2011 Version: 1.0
Summary:
This article provides information on how to restrict access of the Xpress WebUI to only specific computer IP addresses.


Symptoms:
To restrict access of the Xpress WebUI to only specific computer IP addresses.
Cause:

Solution:

In NSM Xpress, under WebUI Configuration, WebUI access can be limited or restricted by choosing one of the following options:

  1. Allow from all addresses - this option allows all IP addresses to access the Xpress WebUI.

  2. Allow only these IP addresses - this option allows only specific IP addresses to access the Xpress WebUI.

Note: For Option 2, multiple IP addresses can be entered if separated by spaces.

The image below displays the two options:




After selecting an option, click Save to save the changes.

Note:
  1. Access to the SSH connection of the Xpress CLI is not restricted by the above method.

  2. This feature enables iptables on NSM Xpress:

    -bash-3.00# service iptables status 

                         
    Table: filter
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
    DROP all -- 0.0.0.0/0 255.255.255.255
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7801
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7808
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:7802
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7800
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7803
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7804
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15400
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11122
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain LOG_DROP (2 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `RULE 1 -- DENY '
    DROP all -- 0.0.0.0/0 0.0.0.0/0
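
To check from the appliance shell what the setting actually did, the following added example (not part of the original article or of Juniper's tooling) reads a `service iptables status` listing and reports which source addresses are accepted for the WebUI and SSH ports. It assumes the WebUI is the `tcp dpt:443` rule; the restricted listing and its 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the WebUI is the "tcp dpt:443" rule and SSH is "tcp dpt:22".
# Rules with prot "all" are skipped: this listing has no interface column,
# so their scope cannot be judged from it.

# accepted_sources PORT (listing on stdin): print the source of every
# ACCEPT tcp rule for PORT in the INPUT chain, one per line.
accepted_sources() {
    awk -v port="$1" '
        $1 == "Chain" { in_input = ($2 == "INPUT"); next }
        in_input && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 6; i <= NF; i++)
                if ($i == ("dpt:" port)) { print $4; break }
        }'
}

# open_to_all PORT (listing on stdin): succeed if any accepted source is 0.0.0.0/0.
open_to_all() {
    accepted_sources "$1" | grep -qx '0\.0\.0\.0/0'
}

# Constructed sample: excerpt of the listing shown in the article.
LISTING_ARTICLE='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0'

# Constructed sample (hypothetical): a listing with two allowed WebUI clients.
LISTING_RESTRICTED='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 192.0.2.10 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 192.0.2.11 0.0.0.0/0 tcp dpt:443
LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0'

# report NAME LISTING: summarise WebUI (443) and SSH (22) exposure.
report() {
    for p in 443 22; do
        if printf '%s\n' "$2" | open_to_all "$p"; then
            echo "$1: tcp/$p accepted from any address"
        else
            src=$(printf '%s\n' "$2" | accepted_sources "$p" | tr '\n' ' ')
            echo "$1: tcp/$p accepted only from: $src"
        fi
    done
}
report article "$LISTING_ARTICLE"
report restricted "$LISTING_RESTRICTED"
```

On a live system the same functions can read the real listing, for example `service iptables status | accepted_sources 443`.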

