This guide will cover the process of changing the management port values for WWW, SSH and Telnet via CLI command.
Supported Devices
ZyWALL 110
ZyWALL 310
ZyWALL 1100
USG40/40W
USG60/60W
USG110
USG210
USG310
USG1100
USG1900
USG20-VPN
USG20W-VPN
USG2200-VPN
WWW Values
WWW management covers HTTP and HTTPS access to the appliance. The command examples below show how to change the management port, disable a specific protocol (HTTP and/or HTTPS) and restrict management logins to specific IP addresses. Moving the port only changes where the service listens; the service-control rules are the actual access control, so apply them even when the port is changed.
- The command below changes the HTTP management port.
- Router(config)# ip http port <1..65535>
- Example: "ip http port 8080" changes the HTTP management port to 8080. The web GUI is then reached at http://<appliance-IP>:8080.
- The command below disables HTTP management.
- Router(config)# no ip http server
- The commands below limit HTTP management access to specific computers.
- First, create an address object for the computer IP that will be allowed access to HTTP management.
- Router(config)# address-object object_name <IP_address>
- Example: "address-object Admin_PC 192.168.1.201" creates the address object "Admin_PC" as a host address with the value 192.168.1.201.
- Repeat the process to add other management machines.
- Now create an "Admin Service Control" rule to limit login access over HTTP management. The "admin" table applies to administrator logins and the "user" table to user-level logins. Rules are evaluated from the top and the first match wins, so the accept rules must sit above the final deny.
- Router(config)# ip http server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
- Example: Router(config)# ip http server table admin rule insert 1 access-group Admin_PC zone LAN1 action accept
- Repeat the process to add any additional admin devices.
- Add a rule at the bottom to deny access from other devices. "insert 2" is correct when the table holds exactly one rule; "append" always places the rule last, whatever the table already contains.
- Example: Router(config)# ip http server table admin rule insert 2 access-group ALL zone ALL action deny
- Before adding the deny rule, confirm that the address and zone you are managing from are covered by an accept rule above it; otherwise the next login is refused and the appliance has to be recovered over the console. Save the configuration with "write" so the rules survive a reboot.
- Reboot the device, if needed, to close all currently open sessions. A session that was already established from a node not in the service control list stays open until that session ends; rebooting closes all sessions so that only allowed nodes can manage the appliance.
- The command below changes the HTTPS management port.
- Router(config)# ip http secure-port <1..65535>
- Example: "ip http secure-port 4443" changes the HTTPS management port to 4443. Subsequent logins must use https://<appliance-IP>:4443, and any security policy or service object that only permits the old port needs to be updated for the new one.
- The command below disables HTTPS management.
- Router(config)# no ip http secure-server
- Do not disable HTTPS while it is the only remaining web management method (for example after HTTP has already been disabled) unless SSH or console access is available.
- The command below limits HTTPS access to specific nodes. The address objects created for HTTP can be reused, but the HTTPS table is separate, so the rules must be added again here.
- Router(config)# ip http secure-server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
- Example: Router(config)# ip http secure-server table admin rule insert 1 access-group Admin_PC zone LAN1 action accept
- Add a rule at the bottom to deny access from other devices ("append" places it last regardless of the current rule count).
- Example: Router(config)# ip http secure-server table admin rule insert 2 access-group ALL zone ALL action deny
- Check that your own address and zone match an accept rule above the deny, then save with "write".
- Reboot the device, if needed, to close all currently open sessions. A session that was already established from a node not in the service control list stays open until that session ends; rebooting closes all sessions so that only allowed nodes can manage the appliance.
- View a printout of the status.
- HTTP management status: "show ip http server status".
- HTTPS management status: "show ip http server secure status".
SSH Values
The SSH management option allows a user to make changes to the appliance using CLI commands. By default SSH listens on TCP port 22, but this can be changed to a different port. Service control can also be configured so that only certain nodes may authenticate to SSH. Below are the commands used to change the management port and set service control rules.
- Change the SSH service management port.
- Router(config)# ip ssh server port <1..65535>
- Example: "ip ssh server port 2223" changes the SSH management port to 2223. Clients must then connect with that port (for example "ssh -p 2223 admin@<appliance-IP>"), and any security policy or service object that only permits port 22 needs to be updated.
- The command below disables SSH management. Without SSH the only CLI access left is the console port, so keep that available before running it.
- Router(config)# no ip ssh server
- To limit SSH management access to certain nodes, set up a service control rule using the following commands.
- First create an address object for the network device that will be used to manage the ZLD appliance via SSH. Use the "address-object" command shown under WWW Values, for example "address-object Admin_PC 192.168.1.201".
- Add the service control rule(s). Rules are evaluated from the top and the first match wins, so the accept rules must come before the final deny.
- Router(config)# ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
- Example: Router(config)# ip ssh server rule insert 1 access-group Admin_PC zone LAN1 action accept
- Add any additional service control rules.
- Add a rule at the bottom to deny access from other devices ("append" places it last regardless of the current rule count).
- Example: Router(config)# ip ssh server rule insert 2 access-group ALL zone ALL action deny
- Check that the address and zone of your own SSH session match an accept rule above the deny, then save with "write"; a reboot without "write" discards the rules.
- Reboot the device, if needed, to close all currently open sessions. A session that was already established from a node not in the service control list stays open until that session ends; rebooting closes all sessions so that only allowed nodes can manage the appliance.
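The HTTP, HTTPS and SSH procedures above build the same kind of table three times: one accept rule per admin address object, then a deny-all. The following Python script is an added illustration, not part of this article or of any Zyxel tooling. It generates the address-object, port and service-control commands for a list of admin hosts and simulates the first-match evaluation of the resulting table, so the deny-all rule can be checked against the operator's own address and zone before anything is pasted into the CLI. Assumptions beyond the article: the object names Admin_PC and NOC_Net and the ports used are constructed; a subnet address object (10.10.0.0/24) is assumed to be accepted by "address-object" in addition to the host form the article shows; "write" is used to save the running configuration; and a login that matches no rule is treated as accepted, which is the behaviour the article's closing deny rule is there to prevent.

```python
"""Generate ZLD service-control commands and simulate the resulting first-match
table, so the deny-all rule is checked against the operator's own address before
the commands are applied.

Constructed example: the address objects, ports and zone used below are illustrative.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    access_group: str   # "ALL" or the name of an address object
    zone: str           # "ALL" or a zone name such as "LAN1"
    action: str         # "accept" or "deny"


# Command prefixes as shown in the article; "table admin" covers administrator logins.
SERVICE_PREFIX = {
    "http": "ip http server table admin rule",
    "https": "ip http secure-server table admin rule",
    "ssh": "ip ssh server rule",
}
PORT_COMMAND = {
    "http": "ip http port",
    "https": "ip http secure-port",
    "ssh": "ip ssh server port",
}


def valid_port(port: int) -> bool:
    """Every management port in the article takes <1..65535>."""
    return isinstance(port, int) and 1 <= port <= 65535


def admin_rules(address_objects: Dict[str, str], zone: str) -> List[Rule]:
    """One accept rule per admin object, then the catch-all deny the article adds last."""
    rules = [Rule(name, zone, "accept") for name in address_objects]
    rules.append(Rule("ALL", "ALL", "deny"))
    return rules


def rule_matches(rule: Rule, src_ip: str, src_zone: str,
                 address_objects: Dict[str, str]) -> bool:
    """A rule matches when both its zone and its access-group cover the source.
    Address objects are a host (192.168.1.201) or, as an assumption beyond the
    article, a subnet (10.10.0.0/24)."""
    if rule.zone not in ("ALL", src_zone):
        return False
    if rule.access_group == "ALL":
        return True
    return ip_address(src_ip) in ip_network(address_objects[rule.access_group], strict=False)


def evaluate(rules: List[Rule], src_ip: str, src_zone: str,
             address_objects: Dict[str, str]) -> str:
    """First match wins, so the accept rules must precede the deny-all."""
    for rule in rules:
        if rule_matches(rule, src_ip, src_zone, address_objects):
            return rule.action
    # Assumption: with no deny-all present, an unmatched login is still accepted,
    # which is why the article tells you to add the deny rule at the bottom.
    return "accept"


def check_lockout(address_objects: Dict[str, str], zone: str,
                  operator_ip: str, operator_zone: str) -> str:
    """Refuse to emit a table that would deny the session it is applied from."""
    verdict = evaluate(admin_rules(address_objects, zone), operator_ip,
                       operator_zone, address_objects)
    if verdict != "accept":
        raise RuntimeError(f"{operator_ip} in zone {operator_zone} would be denied; "
                           "add an accept rule for it above the deny-all")
    return verdict


def build_commands(address_objects: Dict[str, str], zone: str,
                   ports: Dict[str, int]) -> List[str]:
    """Emit the address objects, the port changes and, per service, the ordered
    service-control rules, ending with 'write' so the config survives a reboot."""
    cmds = [f"address-object {name} {addr}" for name, addr in address_objects.items()]
    for service, port in ports.items():
        if not valid_port(port):
            raise ValueError(f"{service}: port {port} is outside 1..65535")
        cmds.append(f"{PORT_COMMAND[service]} {port}")
        for index, rule in enumerate(admin_rules(address_objects, zone), start=1):
            # "append" puts the deny-all last whatever the table already holds.
            position = "append" if rule.access_group == "ALL" else f"insert {index}"
            cmds.append(f"{SERVICE_PREFIX[service]} {position} "
                        f"access-group {rule.access_group} zone {rule.zone} "
                        f"action {rule.action}")
    cmds.append("write")
    return cmds


if __name__ == "__main__":
    objects = {"Admin_PC": "192.168.1.201", "NOC_Net": "10.10.0.0/24"}
    ports = {"http": 8080, "https": 4443, "ssh": 2223}
    check_lockout(objects, "LAN1", "192.168.1.201", "LAN1")   # raises if locked out
    print("\n".join(build_commands(objects, "LAN1", ports)))
```

Run it from the machine you manage the appliance from and pass that machine's address and zone to check_lockout; the simulation also shows why the same host is denied when it arrives through a different zone, since the accept rule is bound to LAN1 while the deny-all matches every zone.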