[ScreenOS] Configuring a Manage IP Address on Juniper firewall

Article ID: KB4059 | KB Last Updated: 17 Mar 2020 | Version: 15.0
Summary:

This article explains when and how to configure a "Manage IP" address on a Juniper firewall.

Solution:
A "manage-ip" address is used to manage a Juniper/NetScreen firewall device through a Telnet, SSH, SSL (HTTPS), WebUI (HTTP), or NSM session. It is also used when communicating via SNMP or with an external authentication server.

By default, the manage-ip address is set to the same address as the IP address assigned to the interface.  Use the command 'get interface <int>' to see the manage-ip address assigned to an interface.

The manage-ip address can be set or changed to allow the device to be managed on a different address than the IP address assigned to the interface, which is used for data traffic.

In the case of an NSRP cluster, management access via the interface IP address (the Virtual IP Address) will always reach the current Master device only.  Manage-ip addresses allow for direct access to either cluster member regardless of NSRP state; in other words, you can manage either the Master or the Backup device independently.

The restrictions on a manage-ip address are that it must be in the same subnet as the associated interface address and that it must be unique. Manage-ip addresses are not synchronized as part of NSRP, so in a cluster configuration the Master and Backup must each have a unique manage-ip address.
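The following check is an added example, not part of the original article or any Juniper tooling: it reads the `set interface ... ip` and `set interface ... manage-ip` lines from each cluster member's configuration and reports a manage-ip outside the interface subnet, one reused on another member or interface, or one set before the interface address (the ordering the article notes under the CLI step). The hostnames `fw-a`/`fw-b` and the sample configurations are constructed, and treating line order in the file as configuration order is an assumption.

```python
import ipaddress
import re
# Constructed sample configs for two NSRP members (hypothetical hosts fw-a, fw-b).
MEMBER_A = """\
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/0 manage-ip 1.1.1.2
set interface ethernet0/1 ip 10.0.0.1/24
set interface ethernet0/1 manage-ip 10.0.1.5
"""
MEMBER_B = """\
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/0 manage-ip 1.1.1.2
set interface ethernet0/1 manage-ip 10.0.0.3
set interface ethernet0/1 ip 10.0.0.1/24
"""
LINE = re.compile(r"^set interface (\S+) (ip|manage-ip) ([\d.]+(?:/\d+)?)$")

def parse(config):
    """Return ({ifname: interface ip}, {ifname: manage ip}, [ordering findings])."""
    ips, manage, findings = {}, {}, []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore every other configuration line
        name, kind, value = m.groups()
        if kind == "ip":
            ips[name] = ipaddress.ip_interface(value)
        else:
            if name not in ips:
                findings.append(f"{name}: manage-ip set before interface ip")
            manage[name] = ipaddress.ip_address(value)
    return ips, manage, findings

def audit(members):
    """members maps hostname -> config text; returns a sorted list of findings."""
    findings, seen = [], {}
    for host, config in members.items():
        ips, manage, order = parse(config)
        findings += [f"{host} {f}" for f in order]
        for name, addr in manage.items():
            if name in ips and addr not in ips[name].network:
                findings.append(f"{host} {name}: {addr} outside {ips[name].network}")
            if addr in seen:  # same manage-ip on another member or interface
                findings.append(f"{host} {name}: {addr} also used by {seen[addr]}")
            seen.setdefault(addr, f"{host} {name}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit({"fw-a": MEMBER_A, "fw-b": MEMBER_B})))
```

With the constructed input, the audit reports the out-of-subnet manage-ip on fw-a, the manage-ip that both members share on ethernet0/0, and the misordered pair on fw-b.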

To configure a manage IP address, perform the following steps:

CLI:

set interface <interface> manage-ip <ip address>

Note: the associated interface address should be configured before the manage-ip address.

WebUI:

From the ScreenOS options menu, click Network -> Interfaces, then click Edit for the selected interface in the table.
Enter the IP address in the "Manage IP" box and click "OK" to accept and save.

Note: A common misconception is that ticking the "Manageable" checkbox enables or disables the manage-ip address. The "Manageable" option has no bearing on the status of the manage-ip address; it determines whether the associated interface address is also available for management access, in addition to the manage-ip address. In other words, if the Manageable box is not checked, the device can only be managed via the manage-ip address. It is a good idea to leave "Manageable" unchecked after configuring a manage-ip: this prevents anyone from reaching the firewall's management login page through the interface IP, and the manage-ip can be shared only with the intended firewall administrators.

 

To remove the manage-ip configuration, perform the following:

CLI:

unset interface <interface> manage-ip

WebUI:

Click Network -> Interfaces, then click Edit for the selected interface in the table.
Set the "Manage IP" address to 0.0.0.0.
Click Apply.

 

Sample output from an SSG140 running ScreenOS version 5.4.0:

ssg140_a-> set interface ethernet0/0 ip 1.1.1.1/24
ssg140_a-> set interface ethernet0/0 manage-ip 1.1.1.2

ssg140_a-> get interface e0/0
Interface ethernet0/0:
  description ethernet0/0
  <snip>
  ip 1.1.1.1/24   mac 0017.cb40.4480 
  manage ip 1.1.1.2, mac 0017.cb40.4480 
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  <snip>

Note: When NSRP is not configured ('stand-alone'), the interface address and the manage-ip address use the same physical MAC address.


ssg140_a-> set nsrp cluster id 1
ssg140_a(B)-> Unit becomes master of NSRP vsd-group 0
ssg140_a(M)->
ssg140_a(M)-> get int e0/0
Interface ethernet0/0(VSI):
  <snip> 
  ip 1.1.1.1/24 mac 0010.dbff.2000 
  manage ip 1.1.1.2, mac 0017.cb40.4480 
  <snip>

Note: When NSRP is configured ('clustered'), the interface address uses the virtual MAC, but the manage-ip continues to use the physical MAC.

 

Modification History:

2020-03-17: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
2017-12-07: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
