Restricting Management Connections Using Permitted IPs

Use permitted IPs to restrict management connections (a connection in which a device administrator attempts to log in) to specific IP addresses. By default, any host on the trust interface of the managed device can connect to the security device and attempt to log in. You can configure the device to permit management connections from one or more user-defined IP addresses only.

After you create permitted IPs (and update the device with the modeled configuration), the device immediately begins rejecting management connections from nonpermitted IP addresses. If a device administrator is managing the device using a remote network connection and the workstation is not included as a permitted IP, the security device immediately terminates the device administrator’s session.

To create a permitted IP, click the Add icon in the Permitted IP area, and then configure an IP address and netmask.

Note: Configuring a permitted IP for a device administrator does not affect the NSM-managed device connection.

Corporation A has a small network in which a single device administrator at 172.16.40.42 is allowed to manage the security device. For this device, you create a permitted IP with an IP/netmask of 172.16.41.42/32.

Corporation B has a large network with multiple devices. Several device administrators on the 172.16.40.0 subnet require access to all devices. For each device, you create a permitted IP with an IP/netmask of 172.16.40.0/24.

On devices running ScreenOS 6.3, permitted IPs used for restricting management connections support IPv6 addresses.
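As an added example that is not part of this documentation or of the NSM product, the following Python models the permitted-IP check described above: it matches a management connection's source address against a list of IP/netmask entries (IPv4 or IPv6) and, before the configuration is pushed to the device, reports which administrator workstations would be locked out. The subnet 172.16.40.0/24 is the Corporation B value from this page; the workstation addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_permitted(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse 'IP/netmask' strings as entered in the Permitted IP area.

    strict=False accepts a host address paired with a shorter mask, the
    same way the GUI accepts an IP address plus a netmask.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_permitted(source: str, permitted: List[IPNetwork]) -> bool:
    """True if a management connection from `source` would be accepted.

    An empty permitted list models the default: any host may connect.
    """
    if not permitted:
        return True
    addr = ipaddress.ip_address(source)
    # A v4 address never matches a v6 entry and vice versa.
    return any(addr in net for net in permitted if net.version == addr.version)


def lockout_risk(admin_workstations: Iterable[str],
                 permitted: List[IPNetwork]) -> List[str]:
    """Workstations whose sessions the device would terminate once the
    permitted IPs are pushed. Run this before updating the device."""
    return [ws for ws in admin_workstations if not is_permitted(ws, permitted)]


# Constructed scenario modelled on Corporation B: admins on 172.16.40.0/24.
CORP_B_PERMITTED = parse_permitted(["172.16.40.0/24"])
# Constructed: one admin on the permitted subnet, one managing remotely.
ADMIN_WORKSTATIONS = ["172.16.40.17", "10.0.0.5"]

if __name__ == "__main__":
    for ws in ADMIN_WORKSTATIONS:
        state = "permitted" if is_permitted(ws, CORP_B_PERMITTED) else "rejected"
        print(f"{ws}: {state}")
    at_risk = lockout_risk(ADMIN_WORKSTATIONS, CORP_B_PERMITTED)
    if at_risk:
        print("Do not push yet; these sessions would be terminated:", at_risk)
```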
