
[ScreenOS] How to restrict management access to specific IP addresses (manager-IP or Permitted IP addresses)



Article ID: KB3905 | KB Last Updated: 30 May 2019 | Version: 7.0
This article describes why a client may be unable to manage the firewall (via Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) when the IP address of that client is not permitted.
Unable to manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) the firewall. This may be because the IP address of the client used to manage the firewall is not permitted. How can the permitted addresses be checked and changed?
To check whether a client that cannot manage the Juniper firewall is included in the manager-IP (Permitted IP) address list, use the get admin manager-ip CLI command or, from the WebUI, go to Configuration > Admin > Permitted IPs.

Sample output of the get admin manager-ip command:
SSG520(M)-> get admin manager-ip
Manager IP enforced: False
Manager IPs: 3

Address              Mask                 Vsys               
-------------------- -------------------- --------------------      Root            Root            Root               
This list determines which hosts are allowed to manage the Juniper firewall. If the host that you are trying to use to access the Juniper firewall is not covered by an entry in this list, it will not be able to manage the firewall. If there are no IP addresses in the table, there is no restriction on who can manage the device.
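
The matching rule described above can be checked offline before changing the list. The following is an added example, not part of the original article or Juniper's tooling: it parses saved get admin manager-ip output and reports whether a client address is covered. The sample output, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the Address / Mask / Vsys layout shown above.
# The addresses are documentation ranges, not values from the article.
SAMPLE_OUTPUT = """\
Manager IPs: 2

Address              Mask                 Vsys
-------------------- -------------------- --------------------
192.0.2.10           255.255.255.255      Root
198.51.100.0         255.255.255.0        Root
"""

# One table row: dotted address, dotted mask, vsys name.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def parse_manager_ips(output):
    """Return [(network, vsys), ...] for each Address/Mask row in the output."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, counter and blank lines
        addr, mask, vsys = m.groups()
        # strict=False tolerates host bits set in the Address column.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, vsys))
    return entries


def check_client(output, client_ip):
    """Return (allowed, reason) for client_ip against the permitted list."""
    entries = parse_manager_ips(output)
    if not entries:
        # Per the article: an empty table means no restriction.
        return True, "no manager-ip entries: management is unrestricted"
    ip = ipaddress.ip_address(client_ip)
    for net, vsys in entries:
        if ip in net:
            return True, f"matched {net} (vsys {vsys})"
    return False, f"{ip} is not covered by any of {len(entries)} entries"


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(client, *check_client(SAMPLE_OUTPUT, client))
```

Running the check against the address of the current management session before and after editing the list shows whether that session would still be permitted.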

How to configure specific IP addresses or networks that are allowed to manage the firewall:


  • First, make sure that the IP address or network of the client, from which you are connected, is added to the list. Otherwise, the management session to the firewall will be dropped.
  • For the IP address or IP subnet, which is configured as the manager-IP, ensure that a correct reverse route exists via the correct interface; otherwise you will not be able to manage the firewall.
Example 1:
Assume that only one user is allowed to manage the Juniper firewall and that user's IP address will always be To restrict access to the Juniper firewall for this one user:

set admin manager-ip

Go to Configuration > Admin > Permitted IPs and under the Add a New Permitted IP section, provide the following information:
  • IP address:
  • NetMask:

This configuration allows only the user at IP address to manage the Juniper firewall.

Example 2:
To configure access for an entire network, follow the CLI or WebUI example above, but specify the appropriate subnet mask. For example, will allow all the users on that network to manage the firewall.
Modification History:
2019-05-22: Content reviewed for accuracy
