topic Re: Management Access - Time Limit in Spark Firewall (SMB)

Management Access - Time Limit

smith-it — Sat, 10 May 2025 07:12:29 GMT

Hello,

i have a Spark 1500 , and would like to limit access to Management GUI/SSH to working hours only.

I tried an ACE with any > Internal IP of GW > Any > Block > 5pm to 8am

But its not working. Any suggestion? I guess Management access is on another level/Blade ?

Re: Management Access - Time Limit

PhoneBoy — Mon, 12 May 2025 17:03:16 GMT

Is your Access Policy set to “strict”?
This is done via Access Policy > Firewall > Blade Control.

Re: Management Access - Time Limit

the_rock — Mon, 12 May 2025 19:04:27 GMT

What do you see in the policy as to why its allowed? I thought it could be done from below (screenshot attached), but guess not, needs a policy.

Andy

Re: Management Access - Time Limit

smith-it — Mon, 12 May 2025 20:13:58 GMT

It is set to Standard

Re: Management Access - Time Limit

smith-it — Mon, 12 May 2025 20:23:32 GMT

Well, the Screeshot only defines the Management Access itself, but there is no option of limiting to a certain time. Access Policy Control ist Set to Standard. I attached the Policy i tried. (I also tried "Allow https to THIS_GATEWAY at workinghours, but another rule after, that denies it .)

Re: Management Access - Time Limit

the_rock — Mon, 12 May 2025 20:47:22 GMT

That looks right to me, but will check in the lab later. Do you even see a single log on that rule?

Andy

Re: Management Access - Time Limit

the_rock — Mon, 12 May 2025 21:28:48 GMT

Thinking about this, question...what IP is the source? I mean, dont tell me the actual IP, just first octet of the range. I ask, because UNLESS that macbook is external IP, rule definitely wont work in your case, specially if you want to limit them when they are outside the office.

Andy

Re: Management Access - Time Limit

PhoneBoy — Mon, 12 May 2025 22:21:59 GMT

For such a rule to work, it needs to be set to Strict.
This also means some additional explicit rules may need to be configured (e.g. for Outbound Internet access).

Re: Management Access - Time Limit

smith-it — Wed, 14 May 2025 06:36:53 GMT

I changed to Strict > No difference

Macbook has an IP from the local Network.

It seems Local Access to the WebGui does not Hit the Access Policy. I see no "Allowed by Rule x" for the WebGui.

I know from Other Vendors that Access to Management Blade with Time restrictions could not be configured by GUI, but only by CLI.

Re: Management Access - Time Limit

G_W_Albrecht — Wed, 14 May 2025 07:36:49 GMT

Try to set:

set fw policy advanced-settings log-implied-rules true

Should show the used implied rule in logs. Implied Rules on SMB include:

Accept Web and SSH connections for Gateway's administration (Small Office Appliance)	Accepts Web and SSH connections to the Quantum Spark / SMB appliances.
Accept incoming traffic to DHCP and DNS services of gateways (Small Office Appliance)	Accepts the IPv4 DHCP server, DHCP relay, and DNS proxy connections to the Quantum Spark / SMB appliances.

(sk179346)

Implied Rules should be disabled by Strict Mode, so your rule should work as expected !

Re: Management Access - Time Limit

smith-it — Wed, 14 May 2025 08:04:15 GMT

Now I can see the logs. Access to WebGui is allowed by Rule 0. So it doesnt Hit my manualy configured Rules.

The FW is set to STRICT, and yet i see Rule 0. Does that not contradict the statement: Implied Rules should be disabled by Strict Mode, ?

Re: Management Access - Time Limit

smith-it — Wed, 14 May 2025 08:21:23 GMT

I changed it to strict. Still not working. See my further Answers below

Re: Management Access - Time Limit

G_W_Albrecht — Wed, 14 May 2025 09:22:57 GMT

Open SR# with CP TAC - should not be that way...

Re: Management Access - Time Limit

PhoneBoy — Wed, 14 May 2025 14:48:12 GMT

If you're getting accepts on Rule 0, the connection is being allowed through implied rules.
My understanding is that Strict should disable these, but perhaps that behavior has changed.
In any case, TAC will be necessary here.