Re: ONTAP System Manager IP Limiting

JamieTalbot · ‎2020-12-02

Hi,

I am wondering if it is possible to block all access to the NetApp ONTAP System Manager web console on port 80/443 unless you have a specific IP address?

I want to only allow staff within our IT department to be able to connect to the web console and only from their own computers with fixed IP addresses.

Best Regards

Jamie

WAFLHERDER · ‎2020-12-02

Hi Jamie,

If I understand the question correctly, you should be able to block access to the System Manager Web server with firewall rules in ONTAP itself.

Prior to ONTAP 9.5 (or so), these were called "Firewall Policies". On the CLI you use "system services firewall policy ...".

In newer releases they are termed "LIF Service Policies" and are accessed via "network interface service-policy ...".

Obviously those are configured per LIF. You would need to add a new policy for the admin and node vservers of the cluster.

Status of the firewall itself can be seen with "system services firewall show". I think by default it is normally on, but does not do any logging (thats's what I see here, on a ONTAP 9.7 system). It might be useful to enable logging for testing or longer term for analytics/correlation/intrusion detection.

Given the nature of your question, you may also want to think about how to limit access to the Service Processor, typically a physically separate piece of hardware, accessed via a URI ending in ".../spi/", which can give access to the system logs, for example. But I am not sure if that can also be done via this same mechanism ...

Hope this helps.

Cheers,

Robb.

Mjizzini · ‎2020-12-15

One idea will be to separate the management from data network. you can create a management vlan for them.