ACL Rules

Overview

Subnet-based access control for GUI access (whitelisting) is part of platform security enhancements. You can configure Access Control List (ACL) rules for IPv4 networks. (IPv6 is not supported on the web framework.) When you create and enable rules, the rules are automatically sorted from more specific to less specific, and IP addresses are checked against them in that order. If the rule allows access to a subnet, any IP address within that subnet is allowed access. If the rule denies access to a subnet, any IP address within that subnet is denied access.

Enable / Disable ACL Rules

Access control list rules are disabled by default.

If you enable ACL rules, make sure you always add a rule to allow access to a subnet that your IP address is a part of, so you don't lock yourself out.

If you enable ACL rules, and the default rule (0.0.0.0/0) is set to deny, the GUI and system agents can't make necessary REST API calls to the controller unless you add a rule to allow access from loopback (127.0.0.0/8) and docker (172.17.0.0/16) networks.

To enable/disable ACL rules in the GUI:

  1. From the left navigation menu, navigate to Platform > Security > ACL to go to the table view.
  2. Click the toggle to enable or disable the rules, as applicable.

Add ACL Rule

To add an ACL rule in the GUI:
  1. From the left navigation menu, navigate to Platform > Security > ACL and click Add ACL rule.
    The Add ACL Entry dialog opens.
  2. Enter an IP subnet and select whether to allow or deny access to IP addresses within that subnet. You also have the option of adding a comment.
  3. Click Create.
The rule is created and you're returned to the table view.

Update ACL Rule

To update an ACL rule in the GUI:
  1. From the left navigation menu, navigate to Platform > Security > ACL and click the Edit button in the Actions panel for the rule to edit.
    The Edit ACL Entry dialog opens.
  2. Change the policy, as applicable. You also have the option of adding/editing/deleting a comment.
  3. Click Update.
The rule is changed and you're returned to the table view.

Delete ACL Rule

Because every IP address must eventually match some subnet, the default rule 0.0.0.0/0 can't be deleted.

  1. From the left navigation menu, navigate to Platform > Security > ACL and click the Delete button in the Actions panel for the rule to delete.
    The Delete ACL Entry dialog opens.
  2. Click Delete.
The rule is deleted and you're returned to the table view.