Hello,
I have a Spark 1500, and would like to limit access to Management GUI/SSH to working hours only.
I tried an ACE with any > Internal IP of GW > Any > Block > 5pm to 8am
But it's not working. Any suggestion? I guess Management access is on another level/Blade?
Is your Access Policy set to “strict”?
This is done via Access Policy > Firewall > Blade Control.
It is set to Standard
For such a rule to work, it needs to be set to Strict.
This also means some additional explicit rules may need to be configured (e.g. for Outbound Internet access).
I changed it to strict. Still not working. See my further Answers below
Well, the Screenshot only defines the Management Access itself, but there is no option of limiting to a certain time. Access Policy Control is set to Standard. I attached the Policy I tried. (I also tried "Allow https to THIS_GATEWAY at working hours", but another rule after that denies it.)
That looks right to me, but will check in the lab later. Do you even see a single log on that rule?
Andy
Thinking about this, question...what IP is the source? I mean, don't tell me the actual IP, just first octet of the range. I ask, because UNLESS that macbook is external IP, rule definitely won't work in your case, especially if you want to limit them when they are outside the office.
Andy
I changed to Strict > No difference
Macbook has an IP from the local Network.
It seems Local Access to the WebGui does not Hit the Access Policy. I see no "Allowed by Rule x" for the WebGui.
I know from Other Vendors that Access to Management Blade with Time restrictions could not be configured by GUI, but only by CLI.
Try to set:
set fw policy advanced-settings log-implied-rules true
Should show the used implied rule in logs. Implied Rules on SMB include:
Accept Web and SSH connections for Gateway's administration (Small Office Appliance) | Accepts Web and SSH connections to the Quantum Spark / SMB appliances. |
Accept incoming traffic to DHCP and DNS services of gateways (Small Office Appliance) | Accepts the IPv4 DHCP server, DHCP relay, and DNS proxy connections to the Quantum Spark / SMB appliances. |
(sk179346)
Implied Rules should be disabled by Strict Mode, so your rule should work as expected!
Now I can see the logs. Access to WebGui is allowed by Rule 0. So it doesn't hit my manually configured Rules.
The FW is set to STRICT, and yet I see Rule 0. Does that not contradict the statement: "Implied Rules should be disabled by Strict Mode"?
Open SR# with CP TAC - should not be that way...
If you're getting accepts on Rule 0, the connection is being allowed through implied rules.
My understanding is that Strict should disable these, but perhaps that behavior has changed.
In any case, TAC will be necessary here.