12-05-2008 09:45 AM
I haven't been able to find anything regarding how customer can access their sys while restriction to only subnets. In hardware such as ssg140, you can assigned multiple "Permitted IPs" to allow certain to access the firewall. However, in the 5400 under the vsys, there is no such option. Basically, customer want me to restrict access to their "firewall" only from a particular IP address.
Thanks for your help and time.
12-05-2008 12:46 PM
Unfortunately, the only way is to restrict the admin manager-ips at the root vsys as it is a global command. I don't think this can be done at the vsys level.
12-08-2008 07:38 AM
Administrators of Virtual Systems can do the following:
Only the root and write/read administrator from a root system can:
• Create a virtual system and assign physical or logical interfaces to them
• Perform the same administration tasks as a Virtual System write/read administrator
A write/read Virtual System administrator can:
• Create and edit auth, IKE, L2TP, XAuth, and Manual Key users
• Create and edit services (user defined services only)
• Create and edit policies
• Create and edit addresses
• Create and edit VPNs
• Modify the virtual system administrator login password
• Create and manage security zones
• Add and remove virtual system read-only administrators
The vsys will also inherit all predefined services from the root system.
Hope this helps,
12-09-2008 09:28 AM
Thanks everyone for your input. It was strange. When I first went to the Vsys and try to use the command "set manager-ip ..." it gave me error something to the fact that the manager-ip can only be on the same subnet or something. But now it takes it fine and I am able to restrict access so only customer can login to their own vsys to manage it. But note that the set manager-ip takes ONLY one range. If you try to put in another range, it will overwrite the old address, a fact I had to find out the hard way and drive to another city to fix.
Definitely strange how Juniper has it set up.