Change Management Port via CLI on USG/VPN/ATP devices

How to change the WWW, SSH and Telnet ports via CLI commands.
This guide covers the process of changing the management values for WWW, SSH and Telnet via CLI commands.

WWW Values

WWW management covers HTTP and HTTPS access to the appliance. The command examples below show how to change the management port, disable a specific protocol (HTTP and/or HTTPS), and restrict access to certain IP addresses.

  1. The command below changes the HTTP management port.
    • Router (config)# ip http port <1..65535>
    • Example: “ip http port 8080” changes the HTTP management port to 8080.
  2. The command below disables HTTP management.
    • Router (config)# no ip http server
  3. The commands below limit HTTP management access to specific computers.
    • First, create an address object for the computer IP that will be allowed access to HTTP management.
    • Router (config)# address-object object_name <IP_address>
    • Example: “address-object Admin_PC 192.168.1.201” creates the address object “Admin_PC” using a host address type with a value of 192.168.1.201.
      [Image: KB_Management_Port.png]
    • Repeat the process to add other management machines.
    • Now create an “Admin Service Control” rule to limit login access over HTTP management.
    • Router (config)# ip http server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    • Ex:  Router (config)# ip http server table admin rule insert 1 access-group Admin_PC zone LAN1 action accept
    • Repeat the process to add any additional admin devices.
    • Add a rule at the bottom to deny access from other devices.
    • Ex:  Router (config)# ip http server table admin rule insert 2 access-group ALL zone ALL action deny
    • Reboot the device, if needed, to close all currently open sessions. If a session from a node that is not in the service control list already exists, that access remains until the session ends. Rebooting the device closes all sessions so that only allowed nodes can manage the appliance.
  4. The command below changes the HTTPS management port.
    • Router (config)# ip http secure-port <1..65535>
    • Example: “ip http secure-port 4443” changes the HTTPS management port to 4443.
  5. The command below disables HTTPS management.
    • Router (config)# no ip http secure-server
  6. The command below limits HTTPS access to specific nodes.
    • Router (config)# ip http secure-server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    • Ex:  Router (config)# ip http secure-server table admin rule insert 1 access-group Admin_PC zone LAN1 action accept
    • Add a rule at the bottom to deny access from other devices.
    • Ex:  Router (config)# ip http secure-server table admin rule insert 2 access-group ALL zone ALL action deny
    • Reboot the device, if needed, to close all currently open sessions. If a session from a node that is not in the service control list already exists, that access remains until the session ends. Rebooting the device closes all sessions so that only allowed nodes can manage the appliance.
  7. View the current status.
    • For HTTP management status, use the command “show ip http server status”.
      [Image: KB_Management_Port1.png]
    • For HTTPS management status, use the command “show ip http server secure status”.
      [Image: KB_Management_Port2.png]

SSH Values

SSH management allows a user to make changes to the appliance using CLI commands. By default, SSH listens on TCP port 22, but this can be changed to a different port. Service control can also be configured so that only certain nodes may authenticate to SSH. Below are the commands used to change the management port and set service control rules.

  1. Change the SSH service management port.
    • Router (config)# ip ssh server port <1..65535>
    • Example: “ip ssh server port 2223” changes the SSH management port to 2223.
  2. The command below will disable SSH management capability.
    • Router (config)# no ip ssh server
  3. To limit SSH management access to certain nodes, set up a service control rule using the following command.
    • First, create an address object for the network device that will be used to manage the ZLD appliance via SSH. Use the steps above under WWW Values > Step 3 to create the address object.
    • Router (config)# ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    • Add the service control rule(s).
    • Ex:  Router (config)# ip ssh server rule insert 1 access-group Admin_PC zone LAN1 action accept
    • Add any additional service control rules.
    • Add a rule at the bottom to deny access from other devices.
    • Ex:  Router (config)# ip ssh server rule insert 2 access-group ALL zone ALL action deny
    • Reboot the device, if needed, to close all currently open sessions. If a session from a node that is not in the service control list already exists, that access remains until the session ends. Rebooting the device closes all sessions so that only allowed nodes can manage the appliance.
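The WWW steps (3 and 6) and SSH step 3 above build the same structure three times: address objects for the admin hosts, one accept rule per host, and a final ALL/ALL deny. The following Python script is an added example, not Zyxel code and not part of this article: it generates that command sequence from a small plan and refuses inputs the appliance would accept but that leave you locked out or with colliding listeners (a port outside 1..65535, two services on the same port, no admin host ahead of the deny rule). It assumes a single zone (LAN1 by default) and the admin login table; MgmtPlan, validate, service_control_rules and build_commands are names chosen for this example. It only prints commands and does not talk to a device.

```python
"""Build the ZLD CLI command sequence that locks down WWW (HTTP/HTTPS) and
SSH management, following the steps in this article.

Added example, not Zyxel code: it strings together the commands shown on
the page and checks the inputs that most often cause trouble (ports
outside 1..65535, two services on one port, no admin host left to accept).
The helper names below are the example author's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MgmtPlan:
    """Desired management configuration. A port of None disables that service."""
    admin_hosts: Dict[str, str]          # address object name -> IPv4 host allowed to manage
    zone: str = "LAN1"                   # zone the admin hosts connect from (assumed: one zone)
    http_port: Optional[int] = 80
    https_port: Optional[int] = 443
    ssh_port: Optional[int] = 22


def validate(plan: MgmtPlan) -> None:
    """Reject plans the appliance would accept but that lock you out or collide."""
    if not plan.admin_hosts:
        raise ValueError("no admin host given: the final deny rule would block everyone")
    for name, ip in plan.admin_hosts.items():
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"invalid address object name {name!r}")
        ipaddress.IPv4Address(ip)        # raises AddressValueError (a ValueError) on a bad host
    in_use: List[int] = []
    for label, port in (("HTTP", plan.http_port), ("HTTPS", plan.https_port), ("SSH", plan.ssh_port)):
        if port is None:
            continue
        if not 1 <= port <= 65535:
            raise ValueError(f"{label} port {port} is outside 1..65535")
        in_use.append(port)
    if len(in_use) != len(set(in_use)):
        raise ValueError(f"management ports collide: {sorted(in_use)}")


def service_control_rules(prefix: str, plan: MgmtPlan) -> List[str]:
    """One accept rule per admin host, then a catch-all deny as the last rule.

    Rules are matched top-down, so the deny must come after every accept.
    """
    rules = [
        f"{prefix} rule insert {n} access-group {name} zone {plan.zone} action accept"
        for n, name in enumerate(plan.admin_hosts, start=1)
    ]
    rules.append(f"{prefix} rule insert {len(rules) + 1} access-group ALL zone ALL action deny")
    return rules


def build_commands(plan: MgmtPlan) -> List[str]:
    """Return the config-mode commands, in the order they should be entered."""
    validate(plan)
    cmds = [f"address-object {name} {ip}" for name, ip in plan.admin_hosts.items()]

    if plan.http_port is None:
        cmds.append("no ip http server")
    else:
        cmds.append(f"ip http port {plan.http_port}")
        cmds += service_control_rules("ip http server table admin", plan)

    if plan.https_port is None:
        cmds.append("no ip http secure-server")
    else:
        cmds.append(f"ip http secure-port {plan.https_port}")
        cmds += service_control_rules("ip http secure-server table admin", plan)

    if plan.ssh_port is None:
        cmds.append("no ip ssh server")
    else:
        cmds.append(f"ip ssh server port {plan.ssh_port}")
        cmds += service_control_rules("ip ssh server", plan)

    # Verification commands from the article (status printouts for HTTP and HTTPS).
    cmds += ["show ip http server status", "show ip http server secure status"]
    return cmds


if __name__ == "__main__":
    # Constructed sample: one admin workstation, HTTP disabled, HTTPS and SSH moved.
    sample = MgmtPlan(admin_hosts={"Admin_PC": "192.168.1.201"},
                      http_port=None, https_port=4443, ssh_port=2223)
    for line in build_commands(sample):
        print(f"Router (config)# {line}")
```

The generator always emits the accept rules before the ALL/ALL deny because the appliance evaluates the table top-down; entering the deny first would cut off the session you are typing from. Paste the output into configuration mode and, as the article notes, reboot if sessions from hosts outside the list must be closed.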
