Example: Controlling Management Access on SRX Series Devices
This example shows how to limit management access to an SRX Series device to a specific set of IP addresses.
No special configuration beyond device initialization is required before configuring this feature.
To limit the IP addresses that can manage a device, you configure a firewall filter. The filter must include a term that discards management traffic from every source except the addresses that you allow to manage the device, followed by a term that accepts all other traffic. You apply the filter as an input filter on the loopback interface (lo0): a filter on lo0 is evaluated for traffic destined to the device itself (control-plane traffic) no matter which interface it arrives on, and it leaves transit traffic through the device unaffected.
In this example you:
Configure a prefix list called manager-ip. This list defines the set of IP addresses that are allowed to manage the SRX Series device.
Configure a firewall filter, also named manager-ip (filter names and prefix-list names are separate namespaces, so the shared name is allowed), whose first term discards management traffic from every source except the addresses in the manager-ip prefix list, and whose second term accepts everything else. In this way only the addresses in the prefix list can reach the management services of the device.
Apply the manager-ip filter as an input filter on the loopback interface. Any packet destined to the device itself passes through this filter regardless of the physical interface it arrived on; packets forwarded through the device do not.
Configuring an IP Address List to Restrict Management Access to a Device
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, change any details necessary to match your network configuration, paste the commands into the CLI at the hierarchy level shown in brackets above each group, and then enter commit from configuration mode.
- Define a set of allowed host addresses in the prefix list.
  [edit policy-options]
  user@host# set prefix-list manager-ip 192.168.4.254/32
  user@host# set prefix-list manager-ip 10.0.0.0/8
The filter references this list rather than the addresses themselves, so to change who may manage the device you edit the prefix list, not the filter. Keep the list as narrow as you can: 10.0.0.0/8 as shown admits every host in that range to the management ports.
- Configure a firewall filter with a term that discards management traffic from all IP addresses except the IP addresses defined in the prefix list.
  [edit firewall filter]
  user@host# set manager-ip term block_non_manager from source-address 0.0.0.0/0
  user@host# set manager-ip term block_non_manager from source-prefix-list manager-ip except
  user@host# set manager-ip term block_non_manager from protocol tcp
  user@host# set manager-ip term block_non_manager from destination-port ssh
  user@host# set manager-ip term block_non_manager from destination-port https
  user@host# set manager-ip term block_non_manager from destination-port telnet
  user@host# set manager-ip term block_non_manager from destination-port http
  user@host# set manager-ip term block_non_manager then discard
Within a term the different from conditions are ANDed, and except removes the prefix-list addresses from the 0.0.0.0/0 source match. The term therefore matches TCP traffic to any of the listed destination ports (ssh, https, telnet, http) that comes from an address not in the manager-ip list, and silently drops it; discard sends nothing back to the sender, unlike reject. Traffic from an address in the list does not match this term and falls through to the next one.
- Configure a final term that accepts all other traffic.
  [edit firewall filter]
  user@host# set manager-ip term accept_everything_else then accept
Every firewall filter ends with an implicit discard, so without this term the filter would drop all other traffic destined to the device, including routing-protocol and IPsec traffic, as soon as it was committed.
- Apply the stateless firewall filter as an input filter on the loopback interface, so that it is evaluated for every packet destined to the device itself, whichever interface the packet arrives on.
  [edit interfaces lo0 unit 0]
  user@host# set family inet filter input manager-ip
This filter applies to traffic terminating on the device itself, not to transit traffic. That includes IPsec, OSPF, RIP, BGP, and any other protocol session that terminates on one of the device's interfaces. In this example such traffic reaches the accept_everything_else term, because the discard term matches only TCP to the four management ports. If you extend the discard term (for example to cover all TCP or all traffic from non-manager addresses), you must first permit that protocol traffic, for instance by adding the addresses the sessions come from to the prefix list, or by adding an accept term for those protocols ahead of the discard term. The filter is applied under family inet, so it covers IPv4 only; if the device has IPv6 addresses, configure and apply a separate family inet6 filter.
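The following Python model is an added example, not part of the Juniper page or of Junos itself: it evaluates the two terms configured above against constructed sample packets so the term semantics can be checked offline. It shows what the filter does and does not do: except removes manager-ip from the 0.0.0.0/0 source match, first-match term order plus the implicit discard make the accept_everything_else term mandatory, routing-protocol traffic such as BGP or OSPF from a non-manager address still passes, and 10.0.0.0/8 admits every host in that range. The packet samples, the port-name table and the broad_prefixes threshold are assumptions made for the example.

```python
# Added example: a model of Junos stateless-filter evaluation for the
# manager-ip filter on this page. It is not Juniper code and runs nothing on a
# device; all packets below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# policy-options prefix-list manager-ip, exactly as configured on the page
MANAGER_IP = [ipaddress.ip_network(p) for p in ("192.168.4.254/32", "10.0.0.0/8")]

# Destination-port names used in the filter. Junos resolves the names itself;
# this model resolves them here (assumed table).
MGMT_PORTS = {"ssh": 22, "https": 443, "telnet": 23, "http": 80}


@dataclass(frozen=True)
class Packet:
    """Only the fields the filter inspects: source, protocol, destination port."""
    src: str
    proto: str
    dport: Optional[int] = None


Term = Callable[[Packet, List[ipaddress.IPv4Network]], Optional[str]]


def in_prefix_list(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def term_block_non_manager(pkt: Packet, allowed) -> Optional[str]:
    """from source-address 0.0.0.0/0, source-prefix-list manager-ip except,
    protocol tcp, destination-port ssh|https|telnet|http; then discard.
    Different from conditions are ANDed; except removes manager-ip from the
    0.0.0.0/0 source match. Returns the action, or None if the term does not match."""
    if (not in_prefix_list(pkt.src, allowed)
            and pkt.proto == "tcp"
            and pkt.dport in MGMT_PORTS.values()):
        return "discard"
    return None


def term_accept_everything_else(pkt: Packet, allowed) -> Optional[str]:
    """then accept with no from clause: matches every packet."""
    return "accept"


# Terms in configuration order; the first matching term decides the action.
FILTER_MANAGER_IP: List[Term] = [term_block_non_manager, term_accept_everything_else]


def evaluate(pkt: Packet, terms: List[Term], allowed=MANAGER_IP) -> str:
    for term in terms:
        action = term(pkt, allowed)
        if action is not None:
            return action
    # Every Junos filter ends with an implicit discard.
    return "discard (implicit)"


def broad_prefixes(prefixes, max_hosts: int = 256) -> List[str]:
    """Prefixes admitting more than max_hosts addresses (threshold assumed);
    flags entries such as 10.0.0.0/8 that open the management ports widely."""
    return [str(p) for p in prefixes if p.num_addresses > max_hosts]


if __name__ == "__main__":
    samples = [
        Packet("192.168.4.254", "tcp", 22),  # allowed manager, ssh
        Packet("203.0.113.7", "tcp", 22),    # outsider, ssh
        Packet("10.20.30.40", "tcp", 443),   # any host in 10/8, https
        Packet("203.0.113.7", "tcp", 179),   # BGP from a non-manager peer
        Packet("203.0.113.7", "ospf"),       # OSPF hello, no port
    ]
    for p in samples:
        port = p.dport if p.dport is not None else "-"
        print(f"{p.src:>15} {p.proto:<5} {port!s:>4} -> {evaluate(p, FILTER_MANAGER_IP)}")
    # Drop the accept term to see why it is required.
    print("no accept term, OSPF ->", evaluate(samples[4], [term_block_non_manager]))
    print("broad prefixes:", broad_prefixes(MANAGER_IP))
```

The model deliberately keeps the term bodies separate so you can re-order them or remove accept_everything_else and watch the implicit discard take over, which is exactly the lock-out you want to catch before committing on a device you reach over the network.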
From configuration mode, confirm your configuration by entering the show command (for example show policy-options, show firewall, and show interfaces lo0). If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode. If you are managing the device over the network and are not certain that your own address is in the prefix list, use commit confirmed instead; it rolls the change back automatically unless you confirm it within the timeout, so a mistake in the filter cannot lock you out.
Confirm that the configuration is working properly.
Verify that the interfaces are configured correctly.
From operational mode, enter the following commands: