Configuring Access to TippingPoint TPS Management Port Using ip-filter Command

Overview

This article provides examples and important considerations for configuring access control to the TippingPoint TPS (Threat Protection System) management port using the ip-filter command.

Prerequisites

⚠️ Important: Commands must be performed with the device unmanaged from TippingPoint SMS (Security Management System).
  • To unmanage the device: log in via the CLI with appropriate permissions and run sms unmanage
  • To reactivate SMS management when done: Use sms manage (assuming new configuration doesn't restrict SMS access)
  • Recommended: Make changes via console connection rather than SSH to avoid potential lockout if ip-filter is misconfigured

Default Configuration

By default, the TPS management port allows all IP addresses. View current configuration with:

display conf running interface mgmt

Example output:

MYTPS{}display conf running interface mgmt 
# MGMT INTERFACE STATEMENTS 
description "Management interface" 
ipaddress XXX.XXX.XXX.XXX/YY 
# HOST SETTINGS 
host name "MYTPS" 
host location "In high orbit around Saturn" 
# STATIC ROUTES 
route 0.0.0.0/0 XXX.XXX.XXX.XXX 
# IP FILTERS 
ip-filter allow default

Understanding ip-filter vs sms-allowed-ip

ip-filter

  • General access control list for IP connectivity to the management port
  • Offers some per-service control through its SSH, HTTPS, ICMP and SNMP options

sms-allowed-ip

  • Specifically restricts which IP address or addresses an SMS may use to manage the device
  • View with: display conf running gen

Example sms-allowed-ip configuration:

MYTPS{}display conf running gen
# GEN STATEMENT
timezone US Central
ssh enable
lsm disable (<-- LSM disabled by default, no longer being developed)
https enable
tls TLSv1.0 disable
tls TLSv1.1 disable
tls TLSv1.2 enable
tls TLSv1.3 enable
sms-allowed-ip all
# HOST
host localhost 127.0.0.1

Configuration Commands

Accessing ip-filter Configuration

You cannot modify the TPS configuration while it is managed by an SMS so you will need to unmanage the TPS from the SMS.

MYTPS{}sms unmanage
MYTPS{}edit 
MYTPS{running}interface mgmt

Available ip-filter Options

MYTPS{running-mgmt}ip-filter 
Valid entries at this position are:
allow Allow IPv4/IPv6 rule 
deny Deny IPv4/IPv6 rule
MYTPS{running-mgmt}ip-filter allow
Valid entries at this position are:
default Default rule
https allow/deny HTTPS (This will affect SMS which uses HTTPS)
ssh allow/deny SSH
icmp allow/deny ICMP/ICMPv6
snmp allow/deny SNMP
ip IP address

Configuration Examples

Adding Allowed IP Addresses

To allow specific IPs (1.1.1.1 and 2.2.2.0/24 network):

MYTPS{running-mgmt}ip-filter allow ip 1.1.1.1 
MYTPS{running-mgmt}ip-filter allow ip 2.2.2.0/24 
MYTPS{running-mgmt}exit
MYTPS{running}commit
MYTPS{running}exit

Result:

MYTPS{}display conf running interface mgmt 
# MGMT INTERFACE STATEMENTS 
description "Management interface" 
ipaddress XXX.XXX.XXX.XXX/YY 
# HOST SETTINGS 
host name "MYTPS" 
host location "In high orbit around Saturn" 
# STATIC ROUTES 
route 0.0.0.0/0 XXX.XXX.XXX.XXX 
# IP FILTERS 
ip-filter allow default 
ip-filter allow ip 1.1.1.1/32 
ip-filter allow ip 2.2.2.0/24

Note:
  • The default allow rule remains unchanged
  • Single IPs automatically get /32 notation
  • Access from other IPs is still permitted until default is changed to deny

Changing Default to Deny

⚠️ Warning: Only do this after securing access via console or a valid allow rule!

MYTPS{}edit 
MYTPS{running}int mgmt 
MYTPS{running-mgmt}ip-filter deny default 
MYTPS{running-mgmt}exit 
MYTPS{running}commit 
MYTPS{running}exit

Deleting and Modifying Rules

To correct a mistake (changing 2.2.2.0/24 to 3.3.3.0/24):

MYTPS{}edit 
MYTPS{running}int mgmt 
MYTPS{running-mgmt}delete ip-filter allow ip 2.2.2.0/24 
MYTPS{running-mgmt}ip-filter allow ip 3.3.3.0/24 
MYTPS{running-mgmt}exit 
MYTPS{running}commit 
MYTPS{running}exit

Final result:

# IP FILTERS 
ip-filter deny default 
ip-filter allow ip 1.1.1.1/32 
ip-filter allow ip 3.3.3.0/24

Important Notes

SMS Management Access

Ensure your SMS management IP is allowed by ip-filter! Even if the IP is in the sms-allowed-ip list, it must also be permitted by ip-filter for SMS communication.
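The Python script below is an added example and is not part of this article or of any TippingPoint tooling. It parses the IP FILTERS section of a `display conf running interface mgmt` dump (the sample text is constructed to mirror the article's final result), then checks the two things the examples above turn on: that the default rule is deny rather than allow, and that the SMS address and the administrator's own source addresses are still permitted, so that a commit does not cut off SMS or lock the operator out. The matching semantics it assumes (an address matched by an explicit rule takes that rule's action, the most specific prefix winning when rules overlap, and unmatched addresses take the default) go slightly beyond what the article documents, which is allow rules plus the default; the function names are the example's own.

```python
import ipaddress

# Constructed sample, modelled on the article's final
# `display conf running interface mgmt` output (addresses are placeholders).
SAMPLE_CONFIG = """\
# MGMT INTERFACE STATEMENTS
description "Management interface"
ipaddress 192.0.2.10/24
# STATIC ROUTES
route 0.0.0.0/0 192.0.2.1
# IP FILTERS
ip-filter deny default
ip-filter allow ip 1.1.1.1/32
ip-filter allow ip 3.3.3.0/24
"""


def parse_ip_filters(config_text):
    """Extract the default action and the explicit 'ip' rules from the dump.

    Returns (default_action, rules); rules is a list of
    (action, ipaddress.ip_network) tuples in configuration order.
    """
    default_action = None
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ip-filter":
            continue
        action, kind = parts[1], parts[2]
        if action not in ("allow", "deny"):
            continue
        if kind == "default":
            default_action = action
        elif kind == "ip" and len(parts) >= 4:
            # A bare host address becomes /32 (or /128), as the TPS itself displays it.
            rules.append((action, ipaddress.ip_network(parts[3], strict=False)))
        # ssh/https/icmp/snmp service rules are outside this address-level check.
    return default_action, rules


def is_permitted(addr, default_action, rules):
    """Decide whether a source address may reach the management port.

    Assumed semantics: an explicit rule covering the address wins, the most
    specific prefix taking precedence on overlap; otherwise the default applies.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for action, net in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (action, net)
    if best is not None:
        return best[0] == "allow"
    return default_action == "allow"


def audit(config_text, sms_ip, admin_sources):
    """Return a list of findings; an empty list means the filter looks right.

    sms_ip: the SMS address that must stay reachable (it must also be
            covered by sms-allowed-ip, which this check does not parse).
    admin_sources: addresses operators use for SSH/HTTPS, checked for lockout.
    """
    default_action, rules = parse_ip_filters(config_text)
    findings = []
    if default_action != "deny":
        findings.append("default rule is '%s': every source can still reach the "
                        "management port until 'ip-filter deny default' is committed"
                        % default_action)
    for action, net in rules:
        if action == "allow" and net.prefixlen == 0:
            findings.append("allow rule %s matches every address and defeats the filter" % net)
    if not is_permitted(sms_ip, default_action, rules):
        findings.append("SMS %s is blocked by ip-filter; SMS communication will break" % sms_ip)
    for src in admin_sources:
        if not is_permitted(src, default_action, rules):
            findings.append("administrator source %s is blocked; commit only from a console session" % src)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "1.1.1.1", ["3.3.3.7"]) or ["no findings"]:
        print(finding)
```

Run it against a dump pasted from the device before you commit; a non-empty list of findings is the cue to fix the rule set while you still have console access.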

Configuration Persistence

⚠️ Critical: The commit command only saves to the running configuration. To persist through reboots:

MYTPS{}save-config 
WARNING: Saving will apply the current running configuration at next system start. Continue (y/n)? [n]: y

Key Differences from Previous Behavior

  • Adding filters no longer automatically sets the default to deny. Verify the current default either way with 'display conf running int mgmt'.
  • You must explicitly configure ip-filter deny default
  • The default rule cannot be deleted, only changed between allow/deny
  • Changes must be committed and saved to startup configuration for persistence