Restricting administrator access to the USG2000&5000&6000 to a fixed source address


Configure the USG2000&5000&6000 to accept administrator logins only from a fixed source address as follows. The restriction has two parts: the VTY authentication mode is set to AAA so that every session must authenticate as a configured administrator, and an advanced ACL bound inbound on the VTY lines decides which source addresses may open a session at all:
system-view
[USG6600] acl 3000
[USG6600-acl-adv-3000] rule permit ip source 192.168.1.2 0 //Wildcard 0 means an exact match: only 192.168.1.2 is permitted.
[USG6600-acl-adv-3000] quit
[USG6600] user-interface vty 0 4
[USG6600-ui-vty0-4] authentication-mode aaa
[USG6600-ui-vty0-4] acl 3000 inbound //A source address that matches no permit rule in the ACL is denied; the binding denies by default.
[USG6600-ui-vty0-4] quit

After the preceding configuration, only source addresses that match a permit rule in ACL 3000 (here, 192.168.1.2) can Telnet to the firewall through the VTY lines; connections from any other address are refused before the login prompt appears. Check that the address of the host you manage the device from is covered by the ACL before you bind it, because an ACL that does not match your own management host cuts off remote access and leaves only the console. The binding applies to the VTY lines only, so it also covers SSH sessions on those lines but does not limit console access. Because Telnet carries credentials in cleartext, prefer SSH on the VTY lines where the platform supports it.
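The matching rules behind the configuration above (a wildcard of 0 means an exact match, the first matching rule wins, and a source address that matches nothing is denied) are easy to get wrong when the ACL grows beyond one host. The following Python model is an added example written for this page, not Huawei code; it parses the subset of the rule syntax shown above and evaluates candidate source addresses against it. ACL 3000 is the page's own rule; the second management subnet 10.0.0.0/24 is a constructed assumption.

```python
"""Model of an advanced ACL bound inbound on VTY lines (added example, not
Huawei code). Implements wildcard-mask matching, first-match evaluation and
the implicit deny that applies when no rule matches."""
import ipaddress
from typing import Dict, List, Tuple

# A rule is (action, source_address_int, wildcard_int).
# In a wildcard, a 0 bit must match exactly and a 1 bit is "don't care":
# "192.168.1.2 0" is one host, "192.168.1.0 0.0.0.255" is the whole /24.
Rule = Tuple[str, int, int]
ALL_ONES = 0xFFFFFFFF


def parse_rule(text: str) -> Rule:
    """Parse 'rule [id] {permit|deny} ip [source A.B.C.D WILDCARD | source any]'.
    Only this subset of the rule syntax is handled."""
    tokens = text.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule: {text!r}")
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():      # optional rule id
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"only 'permit|deny ip' rules are handled: {text!r}")
    action, rest = tokens[0], tokens[2:]
    if not rest or rest == ["source", "any"]:
        return (action, 0, ALL_ONES)        # matches every source address
    if rest[0] != "source" or len(rest) != 3:
        raise ValueError(f"unsupported rule form: {text!r}")
    src = int(ipaddress.IPv4Address(rest[1]))
    # The CLI accepts a bare "0" as the exact-match wildcard.
    wildcard = 0 if rest[2] == "0" else int(ipaddress.IPv4Address(rest[2]))
    return (action, src, wildcard)


def matches(rule: Rule, addr: str) -> bool:
    _, src, wildcard = rule
    a = int(ipaddress.IPv4Address(addr))
    care = ~wildcard & ALL_ONES             # bits that must be equal
    return (a & care) == (src & care)


def vty_acl_decision(rules: List[Rule], addr: str) -> str:
    """First matching rule wins; with no match the VTY binding denies the login."""
    for rule in rules:
        if matches(rule, addr):
            return rule[0]
    return "deny"


def check_sources(rules: List[Rule], sources: List[str]) -> Dict[str, str]:
    return {s: vty_acl_decision(rules, s) for s in sources}


# ACL 3000 as configured on the page.
ACL_3000 = [parse_rule("rule 5 permit ip source 192.168.1.2 0")]
# Constructed variant: the same ACL plus a hypothetical management subnet.
ACL_3000_WIDE = ACL_3000 + [parse_rule("rule 10 permit ip source 10.0.0.0 0.0.0.255")]

if __name__ == "__main__":
    for src, verdict in check_sources(ACL_3000_WIDE,
                                      ["192.168.1.2", "192.168.1.3", "10.0.0.7", "10.0.1.7"]).items():
        print(f"{src:>14} -> {verdict}")
```

Run it once with the address of your own management host before binding an ACL on the device: a verdict of deny for that host is exactly the lock-out described above.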

Other related questions:
Default levels of the USG2000&5000&6000 administrators
No default level is assigned to administrators on any USG series: the level is empty until you set it. You must configure the level and permissions of each administrator account explicitly.

Whether the USG2000&5000&6000 support specifying source addresses for Telnet
The USG2000&5000&6000 series does not support specifying a source address when telnetting from the firewall to another device. The local address of the outgoing Telnet session is the IP address of the interface through which the route to the destination address leaves the firewall.

Changing the administrator level under the VTY interface of the USG2000&5000&6000
Change the administrator level under the VTY interface of the USG2000&5000&6000 as follows:
system-view
Enter system view, return user view with Ctrl+Z.
[USG5100] user-interface vty 0 4
[USG5100-ui-vty0-4] user privilege level ?
  INTEGER<0-15>  Specify privilege level //Select a level from 0 to 15.
[USG5100-ui-vty0-4] user privilege level 15 //Sets the privilege level of users logging in through VTY 0 to 4 to 15.
Level 15 is the highest privilege level and grants full configuration rights, so assign it only to administrators who need it.

Configuring a MAC address-based ACL on the USG2000&5000&6000
1. Run the system-view command to enter the system view.
2. Run the acl [ number ] acl-number command to create a MAC address-based ACL and enter the ACL view. An ACL numbered from 4000 to 4999 is a MAC address-based ACL.
3. (Optional) Run the description text command to configure a description for the ACL. A meaningful description makes the ACL easier to manage.
4. (Optional) Run the step step-value command to configure the ACL step. The default value is 5. Once a step is set, the system assigns rule IDs automatically when you do not specify them; the assigned IDs are multiples of the step in ascending order, which leaves room to insert rules between two existing rules. You can set the step only while the ACL has no rules; after a rule has been configured, the step cannot be changed.
5. Run the rule [ rule-id ] { permit | deny } [ cos cos | dest-mac destination-address destination-mac-wildcard | source-mac source-address source-mac-wildcard | type { type-code | type-name } ] * [ description description ] command to create a rule for the MAC address-based ACL.
- If rule-id is not specified, a new rule is added. The system assigns it the smallest integer multiple of the step that is larger than the highest existing rule ID. For example, if the highest existing rule ID is 21 and the step is 5, the new rule gets ID 25.
- If rule-id is specified and a rule with that ID already exists, the existing rule is modified. If no rule with that ID exists, a new rule is added and inserted at the position corresponding to its rule-id.
- A new or modified rule must differ from every existing rule; otherwise the creation or modification fails and the system reports that the rule already exists.
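The rule-ID rules in steps 4 and 5 (auto-assignment by step, insertion by explicit ID, in-place editing, duplicate rejection, and the step being frozen once a rule exists) determine the order in which MAC rules are evaluated, which is what decides whether a deny is ever reached. The following Python model is an added example written for this page, not Huawei's implementation. It handles only the source-mac and dest-mac clauses of the rule syntax above (cos and type are omitted), uses the H-H-H MAC notation, and assumes that the first auto-assigned ID on an empty ACL is the step value itself.

```python
"""Rule-ID bookkeeping of a MAC address-based ACL as described on the page
(added example, not Huawei's implementation)."""
import re
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
MacClause = Optional[Tuple[str, str]]          # (mac, wildcard) or None
ParsedRule = Tuple[str, MacClause, MacClause]  # (action, source-mac, dest-mac)


def parse_mac_rule(text: str) -> ParsedRule:
    """Parse '{permit|deny} [source-mac MAC WILDCARD] [dest-mac MAC WILDCARD]'.
    A wildcard of 0000-0000-0000 means an exact match. Returning a tuple gives
    a canonical form, so whitespace or case differences cannot hide a duplicate."""
    tokens = text.lower().split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit or deny: {text!r}")
    action, rest = tokens[0], tokens[1:]
    source: MacClause = None
    dest: MacClause = None
    while rest:
        key = rest[0]
        if key not in ("source-mac", "dest-mac") or len(rest) < 3:
            raise ValueError(f"unsupported or incomplete clause in {text!r}")
        mac, wildcard = rest[1], rest[2]
        if not (MAC_RE.match(mac) and MAC_RE.match(wildcard)):
            raise ValueError(f"bad MAC or wildcard in {text!r}")
        if key == "source-mac":
            source = (mac, wildcard)
        else:
            dest = (mac, wildcard)
        rest = rest[3:]
    return (action, source, dest)


class MacAcl:
    def __init__(self, number: int, step: int = 5):
        if not 4000 <= number <= 4999:
            raise ValueError("MAC address-based ACLs are numbered 4000-4999")
        self.number = number
        self.step = step
        self.rules: Dict[int, ParsedRule] = {}

    def set_step(self, step: int) -> None:
        # The step may only be set while the ACL has no rules.
        if self.rules:
            raise RuntimeError("step cannot be changed once a rule exists")
        if step < 1:
            raise ValueError("step must be positive")
        self.step = step

    def next_auto_id(self) -> int:
        # Smallest multiple of the step strictly greater than the highest
        # existing rule ID (highest 21, step 5 -> 25, as in the page's example).
        # First ID on an empty ACL is the step itself (assumption).
        if not self.rules:
            return self.step
        return (max(self.rules) // self.step + 1) * self.step

    def has_rule(self, body: str) -> bool:
        return parse_mac_rule(body) in self.rules.values()

    def add_rule(self, body: str, rule_id: Optional[int] = None) -> int:
        """Mirror 'rule [rule-id] {permit|deny} ...': add, insert, or edit."""
        parsed = parse_mac_rule(body)
        # A new or edited rule must differ from every other existing rule.
        for rid, existing in self.rules.items():
            if existing == parsed and rid != rule_id:
                raise ValueError(f"rule already exists as rule {rid}")
        if rule_id is None:
            rule_id = self.next_auto_id()
        elif rule_id < 0:
            raise ValueError("rule id must not be negative")
        self.rules[rule_id] = parsed   # edits if the ID exists, else inserts
        return rule_id

    def ordered(self) -> List[Tuple[int, ParsedRule]]:
        # Rules are evaluated in ascending ID order, so inserting rule 7
        # between 5 and 10 changes which rule a frame hits first.
        return sorted(self.rules.items())


if __name__ == "__main__":
    acl = MacAcl(4000)
    acl.add_rule("permit source-mac 0011-2233-4455 0000-0000-0000")
    acl.add_rule("deny source-mac 0011-2233-0000 0000-0000-ffff")
    acl.add_rule("deny dest-mac 00e0-fc00-0001 0000-0000-0000", rule_id=7)
    for rid, rule in acl.ordered():
        print(rid, rule)
```

The duplicate check compares parsed rules rather than raw text, so a rule retyped with different spacing or letter case is still reported as already existing, which is the failure mode the last bullet above describes.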

Configuring a policy to restrict port access through the CLI of the USG2000&5000
On the CLI of the USG2000&5000 series, configure a security policy whose match condition is the source port and whose action is deny.
