If I understand the question correctly, you should be able to block access to the System Manager Web server with firewall rules in ONTAP itself.
Prior to ONTAP 9.5 (or so), these were called "Firewall Policies". On the CLI you use "system services firewall policy ...".
In newer releases they are termed "LIF Service Policies" and are accessed via "network interface service-policy ...".
Obviously those are configured per LIF. You would need to add a new policy for the admin and node vservers of the cluster.
Status of the firewall itself can be seen with "system services firewall show". I think by default it is normally on, but does not do any logging (thats's what I see here, on a ONTAP 9.7 system). It might be useful to enable logging for testing or longer term for analytics/correlation/intrusion detection.
Given the nature of your question, you may also want to think about how to limit access to the Service Processor, typically a physically separate piece of hardware, accessed via a URI ending in ".../spi/", which can give access to the system logs, for example. But I am not sure if that can also be done via this same mechanism ...
Hope this helps.