Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] [ScreenOS] Configuring a Manage IP Address on Juniper firewall



Article ID: KB4059 KB Last Updated: 12 Apr 2021Version: 16.0

This article explains when and how to configure a "Manage IP" address on Juniper firewall.

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
A "manage-ip" address is used to manage a Juniper/NetScreen firewall device through either a Telnet, SSH, SSL(HTTPS) , WebUI (HTTP), or NSM session.  It is also used when communicating via SNMP or to an external authentication server. 

By default, the manage-ip address is set to the same address as the IP address assigned to the interface.  Use the command 'get interface <int>' to see the manage-ip address assigned to an interface.

The manage-ip address can be set or changed to allow the device to be managed on a different address than the IP address assigned to the interface, which is used for data traffic.

In the case of an NSRP cluster, management access via the interface IP address (the Virtual IP Address) will always reach the current primary device only.  Manage-ip addresses allow for direct access to either cluster member regardless of NSRP state; in other words, you can manage either the Primary or the Backup device independently.

The restriction for configuring manage-ip addresses is that it must be in the same subnet as the associated interface address, and it must also be unique. Manage-ip addresses are not synchronized as part of NSRP, so in a cluster configuration the Primary and Backup must each have a unique manage-ip address.

To configure a manage IP address, perform the following steps:


set interface <interface> manage-ip <ip address>

Note: the associated interface address should be configured before the manage-ip address.


From the ScreenOS options menu, click Network -> Interfaces, click Edit on the selected interface from the table.
Enter the IP address in the "Manage IP" box and click "OK" to accept and save.

Note: A common misconception is to tick the "Manageable" checkbox to enable/disable the manage-ip address. The "manageable" option has no bearing on the status of the manage-ip address, but is used to determine whether the associated interface address is available for management access - in addition to the manage-ip address.  In other words, if the Manageable box is not checked, it can only be managed via the manage-ip address. It is actually a good idea to leave 'manageable' unchecked after configuring a manage-ip. This will prevent anyone from reaching the management login page of the Firewall through the interface IP. Manage-IP can be shared only with the intended Firewall administrators.


To remove the manage-ip configuration, perform the following:


unset interface <interface> manage-ip


Network -> Interfaces, click Edit on the selected interface from the table.
Set the "Manage IP" address to


Sample output from an SSG140 running ScreenOS version 5.4.0:

ssg140_a-> set interface ethernet0/0 ip
ssg140_a-> set interface ethernet0/0 manage-ip

ssg140_a-> get interface e0/0
Interface ethernet0/0:
  description ethernet0/0
  ip   mac 0017.cb40.4480 
  manage ip, mac 0017.cb40.4480 
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled

Note: When NSRP is not configured ('stand-alone'), the same physical MAC address for both the interface and manage addresses is used.

ssg140_a-> set nsrp cluster id 1
ssg140_a(B)-> Unit becomes master of NSRP vsd-group 0
ssg140_a(M)-> get int e0/0
Interface ethernet0/0(VSI):
  ip mac 0010.dbff.2000 
  manage ip, mac 0017.cb40.4480 

Note: When NSRP is configured ('clustered'), the interface address uses the virtual MAC, but the manage-ip continues to use the physical MAC.


Modification History:

2021-04-09: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2020-03-17: Article reviewed for accuracy. Minor changes made. Article is correct and complete.
2017-12-07: Article reviewed for accuracy. Minor changes made. Article is correct and complete.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search