Allowing WAN Primary IP Access from the LAN Zone
By creating an access rule, it is possible to allow access to a management IP address in one zone from a different zone on the same firewall. For example, you can allow HTTP/HTTPS management or ping to the WAN IP address from the LAN side. To do this, you must create an access rule to allow the relevant service between the zones, giving one or more explicit management IP addresses as the destination. Alternatively, you can provide an address group that includes single or multiple management addresses (such as WAN Primary IP, All WAN IP, All X1 Management IP) as the destination. This type of rule allows the HTTP Management, HTTPS Management, SSH Management, Ping, and SNMP services between zones.
Access rules can only be set for inter-zone management. Intra-zone management is controlled per-interface by settings in the interface configuration.
To create a rule that allows access to the WAN Primary IP from the LAN zone:
- Navigate to POLICY | Rules and Policies > Access Rules.
- Click the Zone Matrix Selector icon to display the LAN > WAN access rules.
- Click +Add to launch the Adding Rule dialog.
- Select Allow from the Action settings.
- Select one of the following services from the Source Port/Services menu:
  - SSH Management
- Select Any from the Source Address menu.
- Select an address group or address object containing one or more explicit WAN IP addresses from the Destination menu.
  Do not select an address group or object representing a subnet, such as WAN Primary Subnet. This would allow access to devices on the WAN subnet (already allowed by default), but not to the WAN management IP address.
- Select the user or group to have access from the User Include menu on the User & TCP/UDP tab.
- Select a schedule from the Schedule menu.
- Enter any comments in the Description field.
- Click Add.