
OnTap 9 trusted hosts

chinchillaking

Hi,

In 7-Mode, System Manager could set up trusted hosts to allow specific IP addresses for administration. But in ONTAP 9, I cannot find a trusted hosts setup in System Manager. I also tried modifying the mgmt firewall policy to allow a specific IP address to access mgmt http, https and ssh, and the cluster management LIF also applies the mgmt firewall policy, but another IP could still access and log in. Any idea?


Best regards,

Chung

Ontapforrum

Hi,

Trusted host is not supported on cDOT; instead it relies on the firewall & export policy.

Could you share the output of:
::> system services firewall policy show


Configuring firewall service and policies for LIFs & Commands for managing firewall service and policies:
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-09329781-2E57-49E5-B052-EC4D6FEBB41B.html

 

Thanks!

chinchillaking

Hi,

I know what is going on: it should be defined with the "full subnet mask".

If the IP is 192.168.2.1, the firewall should define 192.168.2.1/32 and not 192.168.2.1/24.

Best regards,

Chung

Ontapforrum

Thanks for the update. I get your question now.

What you have done is: created an 'Individual Host route' by using /32, just a single host.

Thanks!

chinchillaking

Hi,

Define policy as below.

cmode95::> system services firewall policy show -vserver cmode95 -policy mgmt
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
cmode95
        mgmt
                     dns        0.0.0.0/0
                     http       192.168.2.1/32
                     https      192.168.2.1/32
                     ndmp       0.0.0.0/0
                     ndmps      0.0.0.0/0
                     ntp        0.0.0.0/0
                     snmp       0.0.0.0/0
                     ssh        192.168.2.1/32
8 entries were displayed.

Best regards,

Chung
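
An added example (not part of the original thread, and not NetApp code): a Python check over `system services firewall policy show` output that reports management-service entries whose prefix admits more than the intended admin host, assuming standard CIDR matching. The sample rows, the `MGMT_SERVICES` set and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rows in the shape printed by
# "system services firewall policy show" (values are illustrative).
SAMPLE = """\
                     dns        0.0.0.0/0
                     http       192.168.2.1/24
                     https      192.168.2.1/32
                     ssh        192.168.2.1/32
8 entries were displayed.
"""

MGMT_SERVICES = {"http", "https", "ssh"}  # the services restricted in the thread


def parse_policy(text):
    """Return [(service, network)] from rows ending in 'service cidr'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[-1]:
            continue  # header, separator, vserver/policy name or footer line
        try:
            # strict=False masks off host bits: 192.168.2.1/24 -> 192.168.2.0/24
            net = ipaddress.ip_network(parts[-1], strict=False)
        except ValueError:
            continue
        rows.append((parts[-2], net))
    return rows


def audit(text, admin_hosts):
    """Flag management-service entries that admit addresses outside admin_hosts."""
    admins = {ipaddress.ip_address(h) for h in admin_hosts}
    findings = []
    for service, net in parse_policy(text):
        if service not in MGMT_SERVICES:
            continue
        extra = net.num_addresses - sum(1 for a in admins if a in net)
        if extra > 0:
            findings.append((service, str(net), extra))
    return findings


if __name__ == "__main__":
    for service, net, extra in audit(SAMPLE, ["192.168.2.1"]):
        print(f"{service}: {net} admits {extra} addresses besides the admin hosts")
```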

Ontapforrum

Looks good. Well done.
