Hi there

I am trying to restrict which IP addresses can reach the SSH port on the default cluster management interface…

I first cloned the default-management service-policy to a new policy… I then restrict the service “management-ssh” to a specific range, say 10.0.2.0/24

I then modify the cluster lif and the two node management interfaces, so that they use my new service-policy.

But… I am still able to ssh into the system from 10.10.10.0/24…  which makes no sense at all…

If I do the same to the management-https it _does_ work as expected…

The “old” firewall is enabled, and all policies are set to 0.0.0.0/0 (I think this old firewall is deprecated… )

So is there something specific about ssh?

(ONTAP 9.12.1)

Personally I think the “firewall” features are a mess on ONTAP at the moment…   also the fact that you can only open up for IP ranges, and not specific IP addresses… so the “best” you can do is /30 I guess?  Why not just allow specific IP or even ranges..  like 10.10.10.5, 10.10.10.5-10, and 10.10.20.0/24

Any help or input is appreciated 😊

/H
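The clone / restrict / assign steps from the post, written out as an ONTAP clustershell session with the verification checks a practitioner would run afterwards. This is an added example, not the poster's own commands; the SVM name `cluster1`, the policy name `mgmt-restricted` and the LIF names are assumptions.

```text
# 1. Clone the built-in policy instead of editing it in place (assumed names).
cluster1::> network interface service-policy clone -vserver cluster1 -policy default-management -destination-policy mgmt-restricted

# 2. Restrict only the SSH service in the clone to the admin subnet from the post.
cluster1::> network interface service-policy modify-service -vserver cluster1 -policy mgmt-restricted -service management-ssh -allowed-addresses 10.0.2.0/24

# 3. Confirm the restriction actually landed on the service (allowed addresses column).
cluster1::> network interface service-policy show -vserver cluster1 -policy mgmt-restricted -instance

# 4. Move the cluster-management LIF and both node-management LIFs to the clone (assumed LIF names).
cluster1::> network interface modify -vserver cluster1 -lif cluster_mgmt -service-policy mgmt-restricted
cluster1::> network interface modify -vserver cluster1 -lif node1_mgmt1 -service-policy mgmt-restricted
cluster1::> network interface modify -vserver cluster1 -lif node2_mgmt1 -service-policy mgmt-restricted

# 5. Verify every management LIF now reports the new policy, not default-management.
cluster1::> network interface show -vserver cluster1 -fields lif,address,service-policy

# 6. The legacy firewall the post mentions is still enabled; list what it allows so the
#    two mechanisms can be compared side by side rather than assumed to agree.
cluster1::> system services firewall show
cluster1::> system services firewall policy show
```

After the change, test from one host inside 10.0.2.0/24 and one outside it: the outside host should be refused at the TCP level, and the attempt should appear in the audit log so the restriction can be monitored rather than only trusted.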