[ScreenOS] How to restrict management access to specific IP addresses (manager-IP or Permitted IP addresses)

[KB3905]


Summary:
This article describes the issue of being unable to manage the firewall (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) because the IP address of the client managing the firewall is not permitted.
Symptoms:
Unable to manage the firewall (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS). This may be because the IP address of the client used to manage the firewall is not permitted. How do you check and change the permitted addresses?
Solution:
To check whether a client that cannot manage the Juniper firewall is included in the manager-IP (Permitted IP) address list, use the get admin manager-ip CLI command, or in the WebUI go to Configuration > Admin > Permitted IPs.

Example:
Sample output of the get admin manager-ip command:
SSG520(M)-> get admin manager-ip
Manager IP enforced: False
Manager IPs: 3

Address              Mask                 Vsys               
-------------------- -------------------- --------------------
172.19.50.155        255.255.255.255      Root               
172.24.28.207        255.255.255.255      Root               
10.10.10.100         255.255.255.255      Root               
SSG520(M)->
This list determines which hosts are allowed to manage the Juniper firewall. If the host from which you are trying to access the firewall is not in this list, the management attempt will fail. If there are no IP addresses in the table, there is no restriction on who can manage the device.
 

How to configure specific IP addresses or networks that are allowed to manage the firewall:

Warning:

  • First, make sure that the IP address or network of the client, from which you are connected, is added to the list. Otherwise, the management session to the firewall will be dropped.
  • For the IP address or IP subnet, which is configured as the manager-IP, ensure that a correct reverse route exists via the correct interface; otherwise you will not be able to manage the firewall.
Example 1:
Assume that only one user is allowed to manage the Juniper firewall and that user's IP address will always be 10.1.1.10. To restrict access to the Juniper firewall for this one user:

CLI:
set admin manager-ip 10.1.1.10 255.255.255.255
WebUI:

Go to Configuration > Admin > Permitted IPs and under the Add a New Permitted IP section, provide the following information:
  • IP address: 10.1.1.10
  • NetMask: 255.255.255.255

This configuration allows only the user at IP address 10.1.1.10 to manage the Juniper firewall.

Example 2:
To configure access for an entire network, follow the CLI or WebUI example above, but specify the appropriate subnet mask instead of a host mask. For example, 10.1.1.0/24 (mask 255.255.255.0) allows all users on that network to manage the firewall.
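The following script is an added example, not part of the original article or of ScreenOS itself. It ties together the check described above (is a given client covered by the manager-IP table?) and the two configuration examples: it parses the sample get admin manager-ip output, tests a client address against the parsed entries (treating an empty table as "no restriction", as the article states), builds the set admin manager-ip command for a host or a CIDR subnet, and performs the lockout check from the Warning section, confirming that the address of the current management session is covered before the new entries are applied. The function names and the sample output constant are this example's own; the sample output is copied from the article.

```python
import ipaddress

# Constructed sample: the `get admin manager-ip` output shown earlier in this article.
SAMPLE_OUTPUT = """\
SSG520(M)-> get admin manager-ip
Manager IP enforced: False
Manager IPs: 3

Address              Mask                 Vsys
-------------------- -------------------- --------------------
172.19.50.155        255.255.255.255      Root
172.24.28.207        255.255.255.255      Root
10.10.10.100         255.255.255.255      Root
SSG520(M)->
"""


def parse_manager_ips(output):
    """Return a list of (IPv4Network, vsys) tuples parsed from `get admin manager-ip` output.

    A row is recognised by an IPv4 address and a dotted-decimal mask in its first two
    columns; the prompt, summary, header and separator lines fail that test and are skipped.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue  # not an Address/Mask row
        vsys = parts[2] if len(parts) > 2 else "Root"
        entries.append((net, vsys))
    return entries


def client_permitted(client_ip, networks):
    """True if client_ip lies inside any permitted network.

    An empty table means the firewall places no restriction on management sources,
    so an empty list of networks also returns True.
    """
    if not networks:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)


def manager_ip_command(host_or_cidr):
    """Build the ScreenOS `set admin manager-ip <address> <mask>` command.

    Accepts a bare host address (treated as a /32) or CIDR notation such as 10.1.1.0/24.
    """
    net = ipaddress.IPv4Network(host_or_cidr, strict=False)
    return f"set admin manager-ip {net.network_address} {net.netmask}"


def lockout_check(session_ip, entries_to_add):
    """Return True only if the current management session's source address is covered
    by the entries about to be configured.

    Once at least one manager-ip entry exists, a session from an address outside the list
    is dropped, so applying a list that omits session_ip locks the administrator out.
    """
    networks = [ipaddress.IPv4Network(e, strict=False) for e in entries_to_add]
    if not networks:
        return False  # nothing to apply; refuse rather than pretend it is safe
    return client_permitted(session_ip, networks)


if __name__ == "__main__":
    entries = parse_manager_ips(SAMPLE_OUTPUT)
    networks = [net for net, _ in entries]
    for net, vsys in entries:
        print(f"permitted: {net}  (vsys {vsys})")
    for client in ("10.10.10.100", "10.1.1.10"):
        print(f"{client} permitted: {client_permitted(client, networks)}")
    for target in ("10.1.1.10", "10.1.1.0/24"):
        print(manager_ip_command(target))
    print("safe to apply 10.1.1.0/24 from 10.1.1.77:", lockout_check("10.1.1.77", ["10.1.1.0/24"]))
```

Run lockout_check with the source address of your own session (as seen by the firewall, which may be a NAT address rather than the workstation's own) before pasting the generated commands; the article's Warning about reverse routes still applies and is not something this script can verify.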
Modification History:
2019-05-22: Content reviewed for accuracy