Restricting Management Connections Using Permitted IPs

Use permitted IPs to restrict management connections (a connection in which a device administrator attempts to log in) to specific IP addresses. By default, any host on the trust interface of the managed device can connect to the security device and attempt to log in. You can configure the device to permit management connections from one or more user-defined IP addresses only.

After you create permitted IPs (and update the device with the modeled configuration), the device immediately begins rejecting management connections from nonpermitted IP addresses. If a device administrator is managing the device using a remote network connection and the workstation is not included as a permitted IP, the security device immediately terminates the device administrator’s session.

To create a permitted IP, click the Add icon in the Permitted IP area, and then configure an IP address and netmask.

Note: Configuring a permitted IP for a device administrator does not affect the NSM–managed device connection.

Corporation A has a small network in which a single device administrator at is allowed to manage the security device. For this device, you create a permitted IP with an IP/netmask of

Corporation B has a large network with multiple devices. Several device administrators on the subnet require access to all devices. For each device, you create a permitted IP with an IP/netmask of

On devices running ScreenOS 6.3, permitted IPs used for restricting management connections supports IPv6.

Related Documentation