ScreenOS Firewalls (NOT SRX)
Showing results for 
Search instead for 
Do you mean 
New User
Posts: 2
Registered: ‎12-05-2008
0 Kudos

Netscreen 5400 Vsys Access

Hi Everyone:


I haven't been able to find anything regarding how customer can access their sys while restriction to only subnets.  In hardware such as ssg140, you can assigned multiple "Permitted IPs" to allow certain to access the firewall.  However, in the 5400 under the vsys, there is no such option.  Basically, customer want me to restrict access to their "firewall" only from a particular IP address.


Thanks for your help and time.

Trusted Expert Trusted Expert
Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0 Kudos

Re: Netscreen 5400 Vsys Access



Unfortunately, the only way is to restrict the admin manager-ips at the root vsys as it is a global command. I don't think this can be done at the vsys level.





****pls click the button " Accept as Solution" if my post helped to solve your problem****
Trusted Contributor
Posts: 279
Registered: ‎07-14-2008
0 Kudos

Re: Netscreen 5400 Vsys Access



Administrators of Virtual Systems can do the following:


                                        Only the root and write/read administrator from a root system can:


• Create a virtual system and assign physical or logical interfaces to them


• Perform the same administration tasks as a Virtual System write/read administrator


A write/read Virtual System administrator can:



• Create and edit auth, IKE, L2TP, XAuth, and Manual Key users


• Create and edit services (user defined services only)


• Create and edit policies


• Create and edit addresses


• Create and edit VPNs


• Modify the virtual system administrator login password


• Create and manage security zones


• Add and remove virtual system read-only administrators

The vsys will also inherit all predefined services from the root system.


Hope this helps,



Posts: 18
Registered: ‎10-06-2008
0 Kudos

Re: Netscreen 5400 Vsys Access

This might be corrected with a code upgrade?






New User
Posts: 2
Registered: ‎12-05-2008
0 Kudos

Re: Netscreen 5400 Vsys Access

Thanks everyone for your input.  It was strange.  When I first went to the Vsys and try to use the command "set manager-ip ..." it gave me error something to the fact that the manager-ip can only be on the same subnet or something.   But now it takes it fine and I am able to restrict access so only customer can login to their own vsys to manage it.  But note that the set manager-ip takes ONLY one range.  If you try to put in another range, it will overwrite the old address, a fact I had to find out the hard way and drive to another city to fix.


Definitely strange how Juniper has it set up.