Configuring administrative access

On Kaspersky NGFW devices and in network templates, you can specify the protocols (SSHv2, ICMP, and SNMP) and IP addresses that are allowed for access to administrative functions on the interfaces. This helps improve protection against unauthorized access.

Allowing access to the interface for administrative protocols makes the interface available for network connections from the outside, including scanning attempts. By default, all incoming connections to interfaces are denied. Access should be allowed only when necessary and only from trusted subnets.

Configuring restricted access to administrative functions is available for all interfaces with the role of a dedicated management port or data plane port that have an IP address configured. By default, interfaces with the dedicated management port role are accessible via SSHv2, ICMP, and SNMP from any subnet. Configuring access restriction is not available for L2 interfaces.

To restrict access to administrative functions:

  1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
  2. Proceed to configure administrative access on the interface in one of the following ways:
    • If you want to configure administrative access on an interface in a network template, in the menu, select the Network templates tab, click the network template, and select the Interfaces section.
    • If you want to configure administrative access on an interface on a device, select the Devices tab in the menu, click a device, and select the Interfaces section.

    The table of network interfaces is displayed.

  3. Do one of the following:
    • If you want to create a new interface and configure administrative access on it, click Create in the upper workspace.
    • If you want to configure administrative access on an existing interface, select the relevant interface in the table and click its name, or click Edit in the upper workspace.
  4. If you change the network interface in the network template, enable the Override toggle switch.
  5. In the window that opens, select the Administrative access tab. The tab is not available when None is selected as the protocol.
  6. Select the protocols to be allowed for administrative access to the interface: SSHv2, ICMP, and SNMP.
  7. If necessary, under Allowed subnets, click Add and enter an IPv4 address with a subnet from which you want to allow administrative access.

    You can add up to 20 IPv4 addresses with subnets. Subnets can overlap.

    If the list of allowed subnets is empty, access to administrative functions is allowed from all IP addresses.

    Allowing access to the interface for administrative protocols (SSH, ICMP, SNMP) makes the interface available for network connections from the outside, including scanning attempts. By default, all incoming connections to interfaces are denied. Access should be allowed only when necessary and only from trusted subnets.

  8. Click Save to save your changes for the interface.

Access restrictions apply only to new sessions. Sessions started before the restrictions were applied are not terminated.
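
Before entering a list under Allowed subnets, it can be reviewed offline against the rules stated in the procedure above (up to 20 IPv4 entries, overlaps permitted, empty list means all addresses). The following Python check is an added example, not part of the product or its documentation; the function name, the /16 review threshold, and the requirement that every entry carries an explicit prefix are assumptions.

```python
import ipaddress

MAX_SUBNETS = 20    # limit stated on this page
BROAD_PREFIX = 16   # assumption: prefixes shorter than /16 get a second look

def review_allowed_subnets(entries):
    """Review a planned 'Allowed subnets' list; return (networks, findings)."""
    networks, findings = [], []
    if not entries:
        # Per the page, an empty list allows access from all IP addresses.
        return networks, ["EMPTY: access is allowed from all IP addresses"]
    if len(entries) > MAX_SUBNETS:
        findings.append(f"LIMIT: {len(entries)} entries, maximum is {MAX_SUBNETS}")
    for raw in entries:
        text = raw.strip()
        try:
            iface = ipaddress.ip_interface(text)
        except ValueError:
            findings.append(f"INVALID: {text!r} does not parse")
            continue
        # Assumption: each entry must carry an explicit prefix or mask.
        if iface.version != 4 or "/" not in text:
            findings.append(f"INVALID: {text!r} is not an IPv4 address with a subnet")
            continue
        net = iface.network  # the range the entry actually admits
        if net.prefixlen < BROAD_PREFIX:
            findings.append(f"BROAD: {text} admits {net.num_addresses} addresses ({net})")
        networks.append(net)
    # Overlaps are permitted, but the wider entry defines the real exposure.
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.overlaps(b):
                wide, narrow = sorted((a, b), key=lambda n: n.prefixlen)
                findings.append(f"OVERLAP: {narrow} is already covered by {wide}")
    return networks, findings

# Constructed sample list (documentation address ranges), not from the page.
PLANNED = ["192.0.2.0/24", "192.0.2.128/25", "10.1.2.3/8",
           "2001:db8::/32", "198.51.100.7"]

if __name__ == "__main__":
    for finding in review_allowed_subnets(PLANNED)[1]:
        print(finding)
```
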
