Restricting Management Connections Using Permitted IPs - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Restricting Management Connections Using Permitted IPs

Use permitted IPs to restrict management connections (connections in which a device
administrator attempts to log in) to specific IP addresses. By default, any host on the
trust interface of the managed device can connect to the security device and attempt
to log in. You can configure the device to permit management connections from one or
more user-defined IP addresses only.

After you create permitted IPs (and update the device with the modeled configuration),
the device immediately begins rejecting management connections from nonpermitted
IP addresses. If a device administrator is managing the device using a remote network
connection and the workstation is not included as a permitted IP, the security device
immediately terminates the device administrator's session.

To create a permitted IP, click the Add icon in the Permitted IP area, and then configure
an IP address and netmask.

NOTE: Configuring a permitted IP for a device administrator does not affect
the NSM-managed device connection.

Corporation A has a small network in which a single device administrator at 172.16.40.42
is allowed to manage the security device. For this device, you create a permitted IP with
an IP/netmask of 172.16.41.42/32.

Corporation B has a large network with multiple devices. Several device administrators
on the 172.16.40.0 subnet require access to all devices. For each device, you create a
permitted IP with an IP/netmask of 172.16.40.0/24.

On devices running ScreenOS 6.3, permitted IPs used for restricting management
connections support IPv6.
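
A pre-update check for the session termination described above, added here as an example (it is not part of the Juniper guide or of NSM): it confirms that every administrator workstation falls inside the planned permitted IP list before the configuration is pushed to the device. The function names, the dotted-netmask input form, and the addresses 192.0.2.10 and 2001:db8:40::/64 are assumptions constructed for illustration.

```python
import ipaddress

def parse_permitted(entry):
    """Parse an 'IP/netmask' entry (prefix length or dotted mask).

    strict=True rejects entries with host bits set, e.g. 172.16.40.42/24,
    which usually means the netmask was mistyped.
    """
    return ipaddress.ip_network(entry.strip(), strict=True)

def lockout_report(permitted_entries, admin_workstations):
    """Return (covered, locked_out, bad_entries) for a planned permitted IP list."""
    networks, bad_entries = [], []
    for entry in permitted_entries:
        try:
            networks.append(parse_permitted(entry))
        except ValueError as exc:
            bad_entries.append((entry, str(exc)))
    covered, locked_out = [], []
    for host in admin_workstations:
        addr = ipaddress.ip_address(host)
        # An IPv4 workstation can only match an IPv4 entry, and likewise for IPv6.
        match = next((n for n in networks
                      if n.version == addr.version and addr in n), None)
        if match is not None:
            covered.append((host, str(match)))
        else:
            locked_out.append((host, None))
    return covered, locked_out, bad_entries

if __name__ == "__main__":
    # Constructed sample input: the /24 is Corporation B's entry from the text;
    # the IPv6 prefix and 192.0.2.10 are documentation-range placeholders.
    planned = ["172.16.40.0/255.255.255.0", "2001:db8:40::/64"]
    admins = ["172.16.40.42", "192.0.2.10", "2001:db8:40::a"]
    covered, locked_out, bad = lockout_report(planned, admins)
    for host, net in covered:
        print(f"OK       {host} is inside {net}")
    for host, _ in locked_out:
        print(f"LOCKOUT  {host} matches no permitted IP; session would be terminated")
    for entry, reason in bad:
        print(f"INVALID  {entry}: {reason}")
```

Run it against the permitted IP list in the modeled configuration and the addresses administrators actually connect from; any LOCKOUT or INVALID line should be resolved before updating the device.
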
Related Documentation

Local Access Configuration Using CLI Management Overview on page 155
File Formatting in NSM Overview on page 155
Supporting Admin Accounts for Dialup Connections on page 153
Copyright © 2010, Juniper Networks, Inc.
