Restricting access to NG Firewall's admin GUI


There are two methods to restrict access to your NG Firewall's admin GUI login page.

Using Access Rules

Access Rules govern access to the NGFW itself. They are found by navigating to Config > Network > Advanced > Access Rules.

The rule "Allow HTTPS on WANs" (usually rule #2) determines whether the NGFW will respond to requests on port 443. This rule is disabled by default, disallowing external users from accessing the admin GUI login page. 

You can enable the "Block" check-box if you like, but this is not necessary.

You can allow one or more specific external IP addresses to access the GUI by creating a new access rule above the "Allow HTTPS on WANs" rule. Copy all the conditions from that rule, then add the condition "Source Address is" with the permitted address, which locks down access to only the specified IP address.


Note for bridged interfaces

A bridged interface takes on the characteristics of its parent, which includes the "is WAN" attribute. If your NGFW has its LAN interface(s) bridged to a WAN interface, disabling this rule may also prevent internal hosts from loading the GUI login page. You can work around this by creating a new Access Rule, placed above "Allow HTTPS on WANs", which specifies that traffic from a particular IP or subnet is allowed to access the NGFW on port 443.
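
The rule ordering described in the two passages above can be modelled as follows. This is an added illustration, not NG Firewall code: the Rule fields, the first-match evaluation and the implicit block for unmatched traffic are assumptions, and all addresses are constructed.

```python
# Added illustration: a simplified model of ordered, first-match Access Rules.
# Not NG Firewall code; rule fields and the implicit final block are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    enabled: bool
    dst_port: int
    wan_only: bool                 # matches only traffic arriving on an "is WAN" interface
    source: Optional[str] = None   # CIDR used by a "Source Address is" condition
    block: bool = False            # the rule's "Block" check-box


def evaluate(rules, src, dst_port, arrives_on_wan):
    """Return (allowed, rule name) for the first enabled rule that matches."""
    for r in rules:
        if not r.enabled or r.dst_port != dst_port:
            continue
        if r.wan_only and not arrives_on_wan:
            continue
        if r.source and ip_address(src) not in ip_network(r.source):
            continue
        return (not r.block, r.name)
    return (False, "implicit block")   # assumption: unmatched traffic is dropped


# Constructed sample values (documentation and private address ranges).
ADMIN_WAN_IP = "203.0.113.10/32"
BRIDGED_LAN = "192.168.1.0/24"

RULES = [
    Rule("Allow admin IP", True, 443, True, source=ADMIN_WAN_IP),
    Rule("Allow bridged LAN", True, 443, False, source=BRIDGED_LAN),
    Rule("Allow HTTPS on WANs", False, 443, True),   # left disabled, as by default
]

if __name__ == "__main__":
    # A LAN bridged to a WAN inherits "is WAN", so every source arrives "on WAN".
    for src in ("203.0.113.10", "198.51.100.7", "192.168.1.50", "192.168.2.50"):
        print(src, evaluate(RULES, src, 443, arrives_on_wan=True))
```

Removing the "Allow bridged LAN" entry from the list reproduces the bridged-interface lockout: 192.168.1.50 then falls through to the block.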


Using Administration options

There are two options found in Config > Administration > Admin that can also restrict access to the admin GUI login page.


Allow HTTP Administration determines whether the NGFW will load its admin GUI page on HTTP/port 80 connections. If this is disabled and a user attempts to reach http://NGFW_IP_address, they will receive a message indicating that HTTP administration is disabled.

Restrict Administration Subnet(s) enables the admin to specify a subnet which is allowed to load the admin GUI. Traffic arriving from the listed subnet will reach the GUI login page; traffic arriving from any other subnet will receive only a message indicating that administration is disabled.

You can specify a single IP address if you like, using the CIDR notation /32: entering in this field will allow only to the GUI login page. Any other IP address would be denied access.
