Admin access from different zones

Hi,

I am *finally* getting around to putting this firewall into production @ my house. I have a question regarding access to the Admin interfaces from separate zones. I have provisioned all of my network gear forever with a completely separate subnet for admin access (which is the most common practice out there). This makes it simplistic to manage access with lists, etc. You'll find the majority of the internet provisioned this way.

I have a MGMT zone and other zones as well. I have granted another zone access to the MGMT zone, but I still cannot reach the Admin interface unless I also give Admin interface access to the originating zone. This allows the originating zone Admin access on the MGMT zone as well as the originating zone's IP address too though. I have created more detailed firewall rules to block other devices in the originating zone to not be able to get to the Admin interface on its own router interface, but this seems very counter-intuitive to me.

Is there a way to just allow Admin access to the host group in another zone without also allowing Admin access on the other zone's interface?

Thanks,

Greg



  • WebAdmin access is configured under Administration > Device Access. You have to tick the HTTPS column on a specific zone you want access to.

  • Yes, I did that to make it work, but it is not how I want it to work.

    eg:

    ZONE1 10.0.1.1/24
    ZONE2 10.0.2.1/24
    ZONE3 10.0.3.1/24

    ZONE1 is my network's MGMT network - all equipment listens on that network only for MGMT tasks
    ZONE2 is regular users
    ZONE3 is my admin computers

    I want to enable Admin access (on only 10.0.1.1) available to 10.0.3.100

    In order to make this work, I also have to enable Admin HTTPS and SSH on the ZONE3 interface. Without that, I cannot reach 10.0.1.1 for admin. This has the side effect of also allowing 10.0.3.1 to answer for Admin access (which I do not want).

    Is that possible?

    Thanks for the reply -

    Greg

  • I don't think this is possible by default, as the Device Access page handles all the connections to the XG itself and firewall rules have no bearing on that.

    You basically need another firewall/router in between to be able to do this.
