Management Plane Protection
Protect the Management Server Behind a Firewall
Recommendation: Deploy the Security Management Server behind a firewall or protected network segment and restrict inbound access to required administrative sources only.
The Management Server controls policy installation, trust relationships (SIC), and administrator access. Segmentation reduces exposure and blast radius.
| Item | Default (Typical) | Recommended |
|---|---|---|
| Management server exposure | Environment specific | Limit access to admin networks / jump hosts and required Security Gateways only. |
| Dedicated management network | Environment specific | Use a dedicated management VLAN / subnet where possible. |
Example allowed sources: Admin jump hosts, Security Gateways / Clusters (for SIC/policy/logs), and dedicated log servers (if used).
Restrict Administrative Source IP Addresses
Recommendation: Restrict SmartConsole / WebUI / SSH / API access to specific internal IP ranges or jump hosts.
Network-level restrictions stop broad scanning and brute-force attempts before they ever reach the authentication layer, so credential guessing and exploitation of the login services are limited to hosts that are already on an administrative network.
| Item | Default (Typical) | Recommended |
|---|---|---|
| Admin source restriction | Environment specific | Restricted to admin jump hosts / administrator subnets only. |
| Direct Internet admin access | Environment specific | Avoid. Require VPN. |
We recommend using Web SmartConsole to access the Management Server, because it requires only TCP port 443 and therefore exposes a smaller set of services than the Desktop SmartConsole.
The Desktop SmartConsole application needs access to these TCP ports on the Management Server:
- TCP 18190
- TCP 18264
- TCP 19009
sk52421 lists all ports used by Check Point products, including the gateway-to-management ports (SIC, policy installation, logging) that the firewall in front of the Management Server must also permit.
Implementation reference:
R82.10 Installation and Upgrade Guide > Installing SmartConsole.
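As an added example (not Check Point's code or tooling), the following Python script turns the two recommendations above into checks: it validates a proposed administrative allow-list (rejecting any-source, non-internal and overly broad entries), returns the port set the Web and Desktop SmartConsole need, and audits constructed connection records for accepted admin-port connections from sources outside the allow-list. The allow-list, the `key=value` log lines, the /22 width threshold, port 22 for SSH and the assumption that admin sources are RFC 1918 networks are all assumptions of this example, not Check Point defaults.

```python
"""Admin-access allow-list check for a Security Management Server.

Added example, not Check Point code. The SmartConsole port numbers come
from the page; the allow-list, log lines and thresholds are constructed.
"""
import ipaddress

# SmartConsole ports named on the page (TCP).
WEB_SMARTCONSOLE_PORTS = {443}
DESKTOP_SMARTCONSOLE_PORTS = {18190, 18264, 19009}
# SSH falls under the same recommendation; port 22 is assumed here.
ADMIN_PORTS = WEB_SMARTCONSOLE_PORTS | DESKTOP_SMARTCONSOLE_PORTS | {22}

# Assumption: administrative sources (jump hosts, admin VLAN) live in
# RFC 1918 space. Anything else must come in over VPN first.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Widest prefix tolerated for a single admin source. Arbitrary threshold
# chosen for this example, not a Check Point default.
MAX_PREFIX_WIDTH = 22

# Constructed allow-list: jump-host subnet and administrator VLAN.
ADMIN_SOURCES = ["10.10.5.0/24", "10.10.200.0/24"]

# Constructed connection records (not Check Point's log format): one
# accepted or dropped TCP connection to the Management Server per line.
SAMPLE_LOG = [
    "src=10.10.5.7 dst=10.10.1.10 dport=443 action=accept",
    "src=10.10.200.15 dst=10.10.1.10 dport=18190 action=accept",
    "src=198.51.100.23 dst=10.10.1.10 dport=18264 action=accept",
    "src=192.168.77.4 dst=10.10.1.10 dport=22 action=accept",
    "src=198.51.100.23 dst=10.10.1.10 dport=443 action=drop",
    "src=10.10.30.9 dst=10.10.1.10 dport=80 action=accept",
]


def required_ports(console):
    """Ports the firewall must permit from admin sources for a console type."""
    if console == "web":
        return set(WEB_SMARTCONSOLE_PORTS)
    if console == "desktop":
        return set(DESKTOP_SMARTCONSOLE_PORTS)
    raise ValueError(f"unknown console type: {console}")


def _is_internal(net):
    """True if net is an IPv4 network fully inside one of the RFC 1918 ranges."""
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def validate_admin_sources(cidrs):
    """Return (cidr, reason) pairs for allow-list entries that break the recommendation."""
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append((cidr, f"invalid network: {exc}"))
            continue
        if net.prefixlen == 0:
            problems.append((cidr, "any-source entry exposes admin ports to the Internet"))
        elif not _is_internal(net):
            problems.append((cidr, "not an internal (RFC 1918) network; require VPN instead"))
        elif net.prefixlen < MAX_PREFIX_WIDTH:
            problems.append((cidr, f"broader than /{MAX_PREFIX_WIDTH}; narrow to jump hosts or admin subnet"))
    return problems


def is_admin_source(src_ip, allowed_cidrs):
    """True if src_ip falls inside one of the allowed admin networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)


def audit_connections(log_lines, allowed_cidrs):
    """Accepted connections to admin ports from outside the allow-list, as (src, dport)."""
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        dport = int(fields["dport"])
        # Dropped connections were already blocked; non-admin ports are out of scope.
        if fields.get("action") != "accept" or dport not in ADMIN_PORTS:
            continue
        if not is_admin_source(fields["src"], allowed_cidrs):
            findings.append((fields["src"], dport))
    return findings


if __name__ == "__main__":
    for cidr, reason in validate_admin_sources(ADMIN_SOURCES + ["0.0.0.0/0"]):
        print(f"allow-list problem: {cidr}: {reason}")
    for src, dport in audit_connections(SAMPLE_LOG, ADMIN_SOURCES):
        print(f"unexpected admin access: {src} -> tcp/{dport}")
```

The audit deliberately ignores dropped connections and ports outside the admin set, so a hit means an admin service accepted a session from a host that should never have reached it; that is the finding to act on, because it indicates a gap in the network-level restriction rather than a failed login. The gateway-to-management ports (SIC, policy, logs) are not modelled here; take them from sk52421 when building the real rule base.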