What are the best practices when configuring the TPS management port?

Updated: 17 Jul 2017
Summary
Best practices when configuring the TPS management port.
Details
TippingPoint recommends configuring the management port on the TPS to use a non-routed IP address from the RFC-1918 Private Address space. This helps to prevent direct attack on the management port from the Internet. Additionally, the management port IP Address filter feature should be used to limit access to the management port. Only addresses defined by the command will be allowed to access the TPS. Host IP filters are essentially ACLs on the management port of the TPS.

When the TPS is initially configured, the default security policy is set to permit any. Once you establish a host IP filter, whether it is a permit or a deny, the default IP filter becomes deny any (the old legal idea that the inclusion of one is the exclusion of all others). If you are doing this via SSH (not the console), the first thing you must do is create a permit rule for the IP address you are connecting from, or you will inadvertently deny your own IP address access to the management port.

“Management interface under attack”: This message appears when too much of the traffic sent to the management port was not meant for the management IP address, for instance too much broadcast traffic.

Note: The TPS must not be under SMS control when doing this. If the device is currently managed, you may use the CLI command “sms unmanage” to temporarily unmanage the TPS. To resume SMS management, use the CLI command “sms manage”. In addition you must be in the management interface context. At the root command enter “edit” and then “interface mgmt”. After making changes enter “commit” to commit the changes to the running config and “save-config” to update the start-up config.

You can use the following CLI commands to configure the management port:
ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip]

For example, issue the following command to limit management port access to one host:

ips {running-mgmt} ip-filter allow ip 192.168.1.32/32

If you require more than one address, then create a host ip-filter for all IP addresses or the subnet that is allowed to access the device. For example, if the legal machines are on the 192.168.10.X subnet, enter the following CLI command:

ips {running-mgmt} ip-filter allow ip 192.168.10.0/24

To change the default action back to "permit any" enter the following command:

ips {running-mgmt} ip-filter allow default
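
A pre-commit check for the lockout risk described above, as an added example that is not part of the original article or a TippingPoint tool: it parses a planned list of ip-filter commands and reports whether a given source address could still reach the management port. The precedence (a matching deny wins over a matching allow), the reading of the "ip" service as covering all services, and the sample commands are assumptions made for this sketch.

```python
import ipaddress
import re

# Syntax from the article: ip-filter (allow|deny) (https|icmp|snmp|ssh|ip) [ip]
RULE = re.compile(r"ip-filter\s+(?:(allow)\s+default|"
                  r"(allow|deny)\s+(https|icmp|snmp|ssh|ip)(?:\s+(\S+))?)\s*$")

# Constructed sample of planned commands (not taken from a real device).
PLANNED = [
    "ips {running-mgmt} ip-filter allow ip 192.168.10.0/24",
    "ips {running-mgmt} ip-filter allow ssh 10.1.1.32/24",
    "ips {running-mgmt} ip-filter deny icmp 192.168.10.0/24",
]

def parse(lines):
    """Return (rules, default_permit, warnings) for a planned command list."""
    rules, default_permit, warnings = [], False, []
    for line in lines:
        m = RULE.search(line)
        if not m:
            warnings.append(f"unparsed: {line.strip()}")
            continue
        allow_default, action, service, addr = m.groups()
        if allow_default:            # "ip-filter allow default" restores permit any
            default_permit = True
            continue
        net = ipaddress.ip_network(addr or "0.0.0.0/0", strict=False)
        if addr and "/" in addr and ipaddress.ip_interface(addr).ip != net.network_address:
            warnings.append(f"{addr} has host bits set; it matches all of {net}")
        rules.append((action, service, net))
    return rules, default_permit, warnings

def is_permitted(rules, default_permit, src, service="ssh"):
    """Assumed semantics: matching deny wins, then matching allow, then default."""
    src = ipaddress.ip_address(src)
    hits = {a for a, svc, net in rules if svc in (service, "ip") and src in net}
    if "deny" in hits:
        return False
    if "allow" in hits:
        return True
    # Per the article: no filters means permit any; once any filter exists the
    # default becomes deny any unless "allow default" has been entered.
    return default_permit or not rules
```

Run it with the address of your current SSH session before entering "commit"; a False result means the planned filters would cut that session off.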
Category: Configure; Troubleshoot
Solution Id: TP000085102