[ScreenOS] Configuring a Manage IP Address on Juniper firewall

[KB4059]

When and how to configure a "Manage IP" address on Juniper firewall.
A "manage-ip" address is used to manage a Juniper/NetScreen firewall device through a Telnet, SSH, SSL, WebUI (HTTP) or NSM session.  It is also used as the source address when the device communicates via SNMP or with an external authentication server.

By default, the manage-ip address is set to the same address as the IP address assigned to the interface.  Use the command 'get interface <int>' to see the manage-ip address assigned to an interface.

The manage-ip address can be set or changed to allow the device to be managed on a different address than the IP address assigned to the interface, which is used for data traffic.

In the case of an NSRP cluster, management access via the interface IP address (the Virtual IP Address) will always reach the current Master device only.  Manage-ip addresses allow for direct access to either cluster member regardless of NSRP state; in other words, you can manage either the Master or the Backup device independently.

The restrictions on a manage-ip address are that it must be in the same subnet as the associated interface address, and it must be unique. Manage-ip addresses are not synchronized as part of NSRP, so in a cluster configuration the Master and Backup must each have a unique manage-ip address.
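The two rules above (same subnet as the interface address, unique across cluster members) are easy to get wrong when each NSRP member is configured by hand. The following script is an added example, not part of this KB article: it parses the "ip" and "manage ip" lines that 'get interface <int>' prints and reports violations. The two outputs it checks are constructed for this example with made-up addresses, and the exact spacing of the address fields is assumed from the article's sample output.

```python
"""Check ScreenOS manage-ip rules from saved `get interface` output.

Added example (not Juniper code). Verifies, for each NSRP member's output:
  - the manage-ip lies in the interface's subnet
  - the manage-ip is unique across the members given
The sample outputs and addresses below are constructed for this example.
"""
import ipaddress
import re

# Constructed `get interface e0/0` output from the Master (addresses invented).
MASTER_OUTPUT = """\
Interface ethernet0/0(VSI):
  description ethernet0/0
  ip 192.0.2.1/24   mac 0010.dbff.2000
  manage ip 192.0.2.2, mac 0017.cb40.4480
  route-deny disable
"""

# Constructed output from the Backup: same VIP, different manage-ip.
BACKUP_OUTPUT = """\
Interface ethernet0/0(VSI):
  description ethernet0/0
  ip 192.0.2.1/24   mac 0010.dbff.2000
  manage ip 192.0.2.3, mac 0017.cb40.4481
  route-deny disable
"""

# Line formats assumed from the article's sample output.
IP_RE = re.compile(r"^\s*ip\s+(\S+)\s+mac\s+(\S+)", re.M)
MANAGE_RE = re.compile(r"^\s*manage ip\s+([0-9.]+),\s*mac\s+(\S+)", re.M)


def parse_interface(text):
    """Extract interface network, manage-ip and both MACs from one device's output."""
    ip_m = IP_RE.search(text)
    mg_m = MANAGE_RE.search(text)
    if not ip_m:
        raise ValueError("no interface ip line found")
    iface = ipaddress.ip_interface(ip_m.group(1))
    return {
        "network": iface.network,
        "ip": iface.ip,
        "manage_ip": ipaddress.ip_address(mg_m.group(1)) if mg_m else None,
        "ip_mac": ip_m.group(2),
        "manage_mac": mg_m.group(2) if mg_m else None,
    }


def check_member(info):
    """Rule 1: the manage-ip must be inside the interface's subnet."""
    if info["manage_ip"] is None:
        return ["no manage-ip configured (defaults to the interface address)"]
    if info["manage_ip"] not in info["network"]:
        return [f"manage-ip {info['manage_ip']} not in {info['network']}"]
    return []


def check_cluster(outputs):
    """Run rule 1 per member, then rule 2: manage-ips unique across members."""
    infos = [parse_interface(t) for t in outputs]
    problems = []
    for idx, info in enumerate(infos):
        problems.extend(f"member{idx}: {p}" for p in check_member(info))
    seen = {}
    for idx, info in enumerate(infos):
        m = info["manage_ip"]
        if m is None:
            continue
        if m in seen:
            problems.append(f"member{idx}: manage-ip {m} duplicates member{seen[m]}")
        else:
            seen[m] = idx
    return problems


if __name__ == "__main__":
    for line in check_cluster([MASTER_OUTPUT, BACKUP_OUTPUT]) or ["manage-ip rules OK"]:
        print(line)
```

Feed it the saved output from each member of the cluster; an empty result means both rules hold. Because ScreenOS does not synchronize manage-ip across NSRP, the uniqueness check is the one most worth running after any change on either member.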

To configure a manage IP address, perform the following steps:

CLI:

set interface <interface> manage-ip <ip address>

Note: the associated interface address should be configured before the manage-ip address.

WebUI:

From the ScreenOS options menu, click Network -> Interfaces, then click Edit on the selected interface in the table.
Enter the IP address in the "Manage IP" box and click "OK" to accept and save.

Note: A common misconception is that ticking the "Manageable" checkbox enables or disables the manage-ip address. The "Manageable" option has no bearing on the status of the manage-ip address; it determines whether the associated interface address is also available for management access, in addition to the manage-ip address.  In other words, if the Manageable box is not checked, the device can only be managed via the manage-ip address. It is a good idea to leave "Manageable" unchecked after configuring a manage-ip. This prevents anyone from reaching the management login page of the firewall through the interface IP, and the manage-ip address then only needs to be shared with the intended firewall administrators.


To remove the manage-ip configuration, perform the following:

CLI:

unset interface <interface> manage-ip

WebUI:

Click Network -> Interfaces, then click Edit on the selected interface in the table.
Set the "Manage IP" address to


Sample output from an SSG140 running ScreenOS version 5.4.0:

ssg140_a-> set interface ethernet0/0 ip
ssg140_a-> set interface ethernet0/0 manage-ip

ssg140_a-> get interface e0/0
Interface ethernet0/0:
  description ethernet0/0
  ip   mac 0017.cb40.4480 
  manage ip, mac 0017.cb40.4480 
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled

Note: When NSRP is not configured ('stand-alone'), the same physical MAC address is used for both the interface address and the manage-ip address.

ssg140_a-> set nsrp cluster id 1
ssg140_a(B)-> Unit becomes master of NSRP vsd-group 0
ssg140_a(M)-> get int e0/0
Interface ethernet0/0(VSI):
  ip mac 0010.dbff.2000 
  manage ip, mac 0017.cb40.4480 

Note: When NSRP is configured ('clustered'), the interface address uses the virtual MAC, but the manage-ip continues to use the physical MAC.


Modification History:
2017-12-07: Article reviewed for accuracy. Minor changes made. Article is correct and complete.