Configure Management Access

By default, you can reach the device's management address from any IP address. System access is protected by username and password only. However, you can configure an access list to allow connections from specific IP addresses or subnets only to provide another level of protection.

You can also open data interfaces to allow an FDM-managed device or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username and password protects against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface, but it's disabled on the outside interface. For device models that have a default "inside" bridge group, this means that you can make FDM-managed device connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.1.1). You can open a management connection only on the interface through which you enter the device.

Caution

If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there's no entry for "any" address, you'll lose access to the system when you deploy the policy. Be mindful of this when configuring the access list.