Creating the Access List
You can create the network access list either via the Network Access page in the GUI or the adminaccessconfig > ipaccess CLI command. The following figure shows the Network Access page with a list of user IP addresses that are allowed to connect directly to the Security Management appliance.
The following settings are applicable for the legacy web interface and the new web interface of the appliance.

AsyncOS offers four different modes of control for the access list:
- Allow All. This mode allows all connections to the appliance. This is the default mode of operation.
- Only Allow Specific Connections. This mode allows a user to connect to the appliance if the user’s IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list.
- Only Allow Specific Connections Through Proxy. This mode allows a user to connect to the appliance through a reverse proxy if the following conditions are met:
  - The connecting proxy’s IP address is included in the access list’s IP Address of Proxy Server field.
  - The proxy includes the x-forwarded-header HTTP header in its connection request.
  - The value of x-forwarded-header is not empty.
  - The remote user’s IP address is included in x-forwarded-header and it matches the IP addresses, IP ranges, or CIDR ranges defined for users in the access list.
- Only Allow Specific Connections Directly or Through Proxy. This mode allows users to connect through a reverse proxy or directly to the appliance if their IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list. The conditions for connecting through a proxy are the same as in the Only Allow Specific Connections Through Proxy mode.
Please be aware that you may lose access to the appliance after submitting and committing your changes if one of the following conditions is true:
- If you select Only Allow Specific Connections and do not include the IP address of your current machine in the list.
- If you select Only Allow Specific Connections Through Proxy and the IP address of the proxy currently connected to the appliance is not in the proxy list and the value of the Origin IP header is not in the list of allowed IP addresses.
- If you select Only Allow Specific Connections Directly or Through Proxy and
  - the value of the Origin IP header is not in the list of allowed IP addresses
  OR
  - the value of the Origin IP header is not in the list of allowed IP addresses and the IP address of the proxy connected to the appliance is not in the list of allowed proxies.

If you choose to continue without correcting the access list, AsyncOS will disconnect your machine or proxy from the appliance when you commit your changes.
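The four modes and the lock-out conditions above can be modelled as a small decision function. This is an added example, not Cisco's code or part of the original page; the mode names, the `start-end` range syntax and the treatment of the proxy's origin header as a single address are assumptions.

```python
import ipaddress

def parse_entries(text):
    """Comma-separated IPs, CIDR blocks and 'start-end' ranges (range syntax assumed)."""
    nets = []
    for item in (e.strip() for e in text.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def listed(addr, nets):
    """True if addr parses as one IP address and falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # fail closed on anything that is not a single address
    return any(ip in n for n in nets)

def allowed(mode, peer_ip, origin_header, users, proxies):
    """Decide one connection. Mode names are hypothetical labels for the four modes.
    peer_ip is the TCP peer; origin_header is the header value a proxy adds (or None)."""
    direct = listed(peer_ip, users)
    via_proxy = (listed(peer_ip, proxies)              # proxy itself is listed
                 and bool(origin_header and origin_header.strip())  # present, not empty
                 and listed(origin_header, users))     # remote user is listed
    return {"all": True, "direct": direct, "proxy": via_proxy,
            "direct_or_proxy": direct or via_proxy}[mode]

# Constructed sample lists (documentation and private address ranges).
USERS = parse_entries("192.0.2.10, 198.51.100.0/24, 203.0.113.5-203.0.113.20")
PROXIES = parse_entries("10.0.0.5")

if __name__ == "__main__":
    # Pre-commit check: would the session making the change survive each mode?
    me = {"peer_ip": "192.0.2.10", "origin_header": None}  # admin connected directly
    for mode in ("all", "direct", "proxy", "direct_or_proxy"):
        ok = allowed(mode, users=USERS, proxies=PROXIES, **me)
        print(f"{mode:16} {'keeps access' if ok else 'LOCKED OUT on commit'}")
```

With the sample lists, an administrator connected directly from a listed address keeps access in every mode except the proxy-only one, which is the lock-out case to check before committing.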
Procedure
Step 1 | [New Web Interface Only] On the Security Management appliance, click
Step 2 | Choose System Administration > Network Access.
Step 3 | Click Edit Settings.
Step 4 | Select the mode of control for the access list.
Step 5 | Enter the IP addresses from which users will be allowed to connect to the appliance. You can enter an IP address, IP address range or CIDR range. Use commas to separate multiple entries.
Step 6 | If connecting through a proxy is allowed, enter the following information:
Step 7 | Submit and commit your changes.