Secospace USG6620: allow access to the WEB GUI only from specific addresses

Latest reply: Dec 24, 2018 09:33:25
Issue Description

Customer wants to give access to the WEB GUI of the USG6620 only from specific addresses.

He created a policy that I have verified and it is correct, but anybody who knows the user name and password can connect to the WEB GUI of the USG6620.

The policy does not match and it does not block connections from any address.

 
The interface configuration is:

interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 dhcp select interface
 dhcp server ip-range 192.168.50.1 192.168.50.254
 dhcp server dns-list X.X.X.4 X.X.X.5 X.X.8.8 X.X.2.2
#

 

He used this example to bind the interface with the policy he created, but it does not solve the problem because it still allows anyone to open the WEB GUI:

[FW-aaa] manager-user webadmin
[FW-aaa-manager-user-webadmin] password
Enter Password:
Confirm Password:
[FW-aaa-manager-user-webadmin] service-type web
[FW-aaa-manager-user-webadmin] access-limit 10
[FW-aaa-manager-user-webadmin] acl-number 2001
[FW-aaa-manager-user-webadmin] quit
[FW-aaa] bind manager-user webadmin role service-admin
[FW-aaa] quit

 
Solution

Since the policy is correct and applied correctly, there must be a rule with a higher priority than the policy applied on the interface.

If we look closer at the interface configuration, we see that service-manage is permitted:

 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit

Because service-manage http / https is permitted on the interface, this interface-level configuration takes precedence over the policy, so the policy has no effect.

 
Solution:

You have to disable service-manage on the interface for all the services, because there is no option to restrict only http and https: you can deny http and https with service-manage, but that means no http/https access at all.
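An audit check for this misconfiguration, added here as an example and not part of the original post or of Huawei's tooling: it parses a saved USG interface configuration and flags every interface where `service-manage http` or `service-manage https` is permitted, i.e. where the interface-level permit overrides the manager-user ACL. The sample config is constructed from the Vlanif50 block above plus an assumed second interface with the services denied.

```python
import re

# Constructed sample: the post's Vlanif50 block, plus an assumed Vlanif60
# on which http/https are denied (syntax `service-manage <proto> deny`).
SAMPLE_CONFIG = """\
interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
#
interface Vlanif60
 ip address 192.168.60.1 255.255.255.0
 service-manage http deny
 service-manage https deny
 service-manage ping permit
#
"""

WEB_PROTOCOLS = {"http", "https"}
SERVICE_RE = re.compile(r"^\s*service-manage\s+(\S+)\s+(permit|deny)\s*$")


def parse_interfaces(config: str) -> dict:
    """Map each interface name to its {protocol: action} service-manage table."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1].strip()
            interfaces[current] = {}
        elif line.strip() == "#":          # end of the interface block
            current = None
        elif current is not None:
            m = SERVICE_RE.match(line)
            if m:
                interfaces[current][m.group(1)] = m.group(2)
    return interfaces


def web_gui_exposed(config: str) -> list:
    """Sorted (interface, protocol) pairs where the Web GUI is reachable from
    any source on that interface, regardless of the manager-user ACL."""
    findings = []
    for name, table in parse_interfaces(config).items():
        for proto, action in table.items():
            if proto in WEB_PROTOCOLS and action == "permit":
                findings.append((name, proto))
    return sorted(findings)


if __name__ == "__main__":
    for name, proto in web_gui_exposed(SAMPLE_CONFIG):
        print(f"{name}: service-manage {proto} permit bypasses the manager-user ACL")
```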

 

w1 Created Nov 1, 2018 10:47:12

"service-manage" is used to manage users who want to access the device. There is some default configuration, like the protocols, but more detailed functions need other commands to be configured. In this case, if you want only some users (IPs) to be able to access the USG firewall, you can configure the IP list.

xiaomumu Created Dec 24, 2018 09:33:25

Learned more, great.
