Overview

On occasion, it is necessary to block access of device management to all except a small group of approved administrators. 

Information

This can be done directly in the Exinda by creating a network object of IP addresses (or Active Directory usernames, if AD Integration is enabled) that are allowed to access the management interface and then apply that network object to the web and SSH interfaces through the CLI in order to restrict access to just those users/IPs.

1. Create a Network Object from the web interface under Configuration > Objects. These objects will be the ones for which the access to the Exinda will be granted.
2. Name the network object and then put in an IP of a single host or a subnet/network.
3. You can restrict access to the management interface to specific IPs or subnets (network object) using any of the supported access methods:
   • web http restrict <network object>
   • web https restrict <network object>
   • telnet-server restrict <network object>
   • ssh server restrict <network object>
   • snmp-server restrict <network object>

Any user that is not a part of that network object will not be able to access the web UI or SSH.

To revert any changes, the commands are as follows:

no web https restrict <NETWORK OBJECT NAME> 
no web http restrict <NETWORK OBJECT NAME> 
no ssh server restrict <NETWORK OBJECT NAME>

Example

Here is a sample that shows you how to execute these commands:

exinda-xxx > en
exinda-xxx # conf t
exinda-xxx (config) # web https restrict local

This command lets only the IP or subnets in the local object connect via https to the management interface.