Allow access via WEB Gui only from specific addresses

Publication Date: 2017-05-23
Issue Description

The customer wants to allow access to the WEB GUI of the USG6620 only from specific addresses.

He created a policy that I have verified and it is correct, but anybody who knows the user name and password can connect to the WEB GUI of the USG6620.
The policy does not match and it does not block connections from any address.
The interface configuration is:

interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 dhcp select interface
 dhcp server ip-range 192.168.50.1 192.168.50.254
 dhcp server dns-list X.X.X.4 X.X.X.5 X.X.8.8 X.X.2.2
#

He used this example to bind the interface with the policy he created, but it does not solve the problem because it still allows anyone to open the WEB GUI:

[FW-aaa] manager-user webadmin
[FW-aaa-manager-user-webadmin] password
Enter Password:
Confirm Password:
[FW-aaa-manager-user-webadmin] service-type web
[FW-aaa-manager-user-webadmin] access-limit 10
[FW-aaa-manager-user-webadmin] acl-number 2001
[FW-aaa-manager-user-webadmin] quit
[FW-aaa] bind manager-user webadmin role service-admin
[FW-aaa] quit
Solution

Since the policy is correct and is applied correctly, there must be a rule with higher priority than the policy applied on the interface.

If we look closer at the interface configuration, we see that service-manage is permitted:

 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit

Because service-manage http / https is permitted on the interface, this configuration has greater priority than the policy, so the policy has no effect.
Solution:

You have to disable service-manage on the interface for all the services, because there is no option to disable only http and https; you can deny http and https, but that means no http/https access at all.
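As an added example (not from the original article or from Huawei), a short Python check that scans a current-configuration dump for interfaces that still permit http or https through service-manage, which, as explained above, takes priority over the security policy. The sample configuration is constructed from the stanza shown above plus a hypothetical second interface; it assumes that a disabled service-manage appears in the dump as "undo service-manage enable".

```python
import re
from typing import Dict, List

# Constructed sample: the Vlanif50 stanza from the article plus a hypothetical
# interface on which service-manage has been disabled (assumed command form).
SAMPLE_CONFIG = """\
#
interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 dhcp select interface
#
interface GigabitEthernet0/0/1
 undo service-manage enable
 ip address 10.0.0.1 255.255.255.0
#
"""

# Services whose interface-level "permit" bypasses the security policy for WEB GUI access.
WEB_SERVICES = {"http", "https"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a configuration dump into {interface name: [stripped body lines]}."""
    stanzas: Dict[str, List[str]] = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            name = None  # '#' closes a configuration section
            continue
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            name = match.group(1)
            stanzas[name] = []
        elif name is not None:
            stanzas[name].append(line)
    return stanzas


def permitted_web_services(body: List[str]) -> List[str]:
    """Web services the interface itself permits; empty if service-manage is disabled."""
    if "undo service-manage enable" in body:
        return []
    found = []
    for line in body:
        match = re.match(r"service-manage\s+(\S+)\s+permit$", line)
        if match and match.group(1) in WEB_SERVICES:
            found.append(match.group(1))
    return found


def audit(config: str) -> Dict[str, List[str]]:
    """Report each interface whose service-manage settings override the security policy for the WEB GUI."""
    report = {}
    for name, body in parse_interfaces(config).items():
        services = permitted_web_services(body)
        if services:
            report[name] = services
    return report


if __name__ == "__main__":
    for name, services in audit(SAMPLE_CONFIG).items():
        print(f"{name}: service-manage permits {', '.join(services)}; the security policy will not apply")
```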

END