This Configuration > Admin > Permitted IPs setting

SUMMARY:

This article describes the issue of being unable to manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) the firewall, as the IP address of the client managing the firewall is not permitted.

PROBLEM OR GOAL:

Unable to manage (Telnet, SSH, WebUI, SSL, HTTP, or HTTPS) the firewall. This may be because the IP address of the client used to manage the firewall is not permitted. How do you check and change the permitted addresses?

CAUSE:

SOLUTION:

To check whether a client that cannot manage the Juniper firewall is included in the manager-IP (Permitted IP) address list, use the get admin manager-ip CLI command, or in the WebUI go to Configuration > Admin > Permitted IPs.

For example:

The sample output of the get admin manager-ip command is as follows:
SSG520(M)-> get admin manager-ip 
Manager IP enforced: False
Manager IPs: 3

Address              Mask                 Vsys                
-------------------- -------------------- --------------------
172.19.50.155        255.255.255.255      Root                
172.24.28.207        255.255.255.255      Root                
10.10.10.100         255.255.255.255      Root                
SSG520(M)-> 
This list determines which hosts are allowed to manage the Juniper firewall. If the host that you are trying to use to access the Juniper firewall is not part of this list, it will not be successful in managing the Juniper firewall. If there are no IP addresses in the table, there is no restriction on who can manage the device.


To configure specific IP addresses or networks that are allowed to manage the firewall, perform the procedure provided in the following example:

Warning:

  • First, make sure that the IP address or network of the client from which you are connected is added to the list. Otherwise, the management session to the firewall will be dropped.

  • For the IP address or IP subnet that is configured as the manager-IP, ensure that a correct reverse route exists via the correct interface; otherwise you will not be able to manage the firewall.
Example:

Assume that only one user is allowed to manage the Juniper firewall and that user's IP address will always be 10.1.1.10. To restrict access to the Juniper firewall to this one user:

CLI:
set admin manager-ip 10.1.1.10 255.255.255.255
WebUI:

Go to Configuration > Admin > Permitted IPs and under the Add a New Permitted IP section, provide the following information:

  • IP address: 10.1.1.10

  • NetMask: 255.255.255.255

This configuration allows only the user at IP address 10.1.1.10 to manage the Juniper firewall. To configure access for an entire network, specify the appropriate subnet mask instead. For example, 10.1.1.0/24 will allow all users on that network to manage the firewall.
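As an added example (not from the Juniper KB or this blog post), the following Python check parses a get admin manager-ip table in the format shown above and answers the two questions the warning raises: is a given client permitted, and will the client you are connected from still be permitted after a new entry is added. The sample table, the /24 entry and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample in the format of ScreenOS "get admin manager-ip" output.
SAMPLE_OUTPUT = """\
SSG520(M)-> get admin manager-ip
Manager IP enforced: False
Manager IPs: 3

Address              Mask                 Vsys
-------------------- -------------------- --------------------
172.19.50.155        255.255.255.255      Root
172.24.28.207        255.255.255.255      Root
10.10.10.0           255.255.255.0        Root
SSG520(M)->
"""

def parse_manager_ips(output):
    """Return (network, vsys) pairs from the Address/Mask/Vsys table."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # prompt, "Manager IP enforced", blank lines
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # header and separator rows are not addresses
        entries.append((net, parts[2]))
    return entries

def is_permitted(client_ip, entries, vsys="Root"):
    """Empty table means no restriction; otherwise the client must match an entry."""
    if not entries:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net, v in entries if v == vsys)

def safe_to_add(current_client_ip, entries, new_cidr, vsys="Root"):
    """Lockout check before 'set admin manager-ip': the client you are connected
    from must still be permitted once the new entry is in the table."""
    new_entries = entries + [(ipaddress.ip_network(new_cidr, strict=False), vsys)]
    return is_permitted(current_client_ip, new_entries, vsys)
```

Note that safe_to_add returns False when the table is currently empty and you add an entry that does not cover your own address, which is exactly the lockout the warning describes.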

==========References============

http://webcache.googleusercontent.com/search?q=cache:R9tMTX47h5oJ:kb.juniper.net/KB3905+&cd=1&hl=zh-TW&ct=clnk&gl=tw

http://www.juniper.net/techpubs/en_US/uac/topics/example/example-config/branch-dhcp.cfg

http://forums.juniper.net/jnet/attachments/jnet/Firewalls/3113/1/cfg-ssg-140-dmz-servers-1.txt

Tags: juniper ssg140 settings console

Posted by PIPI on PIXNET