
System Management · Version 26.2

Device Management Access ACL

Restrict which client IP addresses and subnets can reach appliance management services.

At a glance
Management Access ACL workflow showing allowed client IP and subnet entries with the Edit control.
UI Path: System Settings > Device Management Access ACL
ID: dev_mgmt_access_acl
Workflow
  1. Open System Settings and choose Device Management Access ACL.
  2. Click Edit for Allowed Client IPs or Subnets.
  3. Add allowed client IP addresses or CIDR subnets and include a note for each entry.
  4. Click Apply in the table editor, then click Apply ACL...
  5. Verify that management access still works from an allowed client.

Overview

Use Device Management Access ACL to control which client IP addresses or subnets can connect to the appliance management interface and management services.

Typical Uses

Use this topic when management access should be limited to trusted administrator workstations, jump hosts, or management subnets.

Typical examples:

Allow one administrator workstation: 10.0.0.25
Allow a management subnet:           10.0.10.0/24
Allow all clients:                   0.0.0.0/0

An empty ACL removes the management client restriction and allows management access from any reachable client.

Prerequisites

  • Confirm the client IP address or subnet that you are currently using to access the appliance.
  • Include your current client IP address or its management subnet in the ACL before applying the change.
  • Confirm that another allowed administrator path exists, such as a jump host, local console, or out-of-band management path.
  • Coordinate the change with other administrators who may be connected through different client networks.
  • Use CIDR notation for subnets, for example 10.0.10.0/24.

Workflow

  1. Open System Settings.
  2. Choose Device Management Access ACL. The workflow opens as Management Access ACL.
  3. In Allowed Client IPs or Subnets, click Edit.
  4. In Table View, add or update the allowed client entries.
  5. Click Apply in the table editor.
  6. Click Apply ACL... in the workflow.
  7. Verify management access from an allowed client.

Expected Behavior

When the workflow starts, 01Layer applies the allow-list to the management interface firewall policy.

If the ACL contains entries:

  1. Each non-empty Allowed Client IP or Subnet entry is added as an allowed source.
  2. A single IP address is treated as a host entry.
  3. Other management clients are blocked by the default drop rule.
  4. The ACL is saved after the workflow completes successfully.

If the ACL is empty, the management client restriction is removed and management access is allowed from any reachable client.

Procedure

Add Or Update ACL Entries

  1. Open System Settings.
  2. Open Device Management Access ACL.
  3. Locate Allowed Client IPs or Subnets.
  4. Click Edit.
  5. In Table View, click Add Row or choose a provided row template.
  6. Enter the allowed client address in Allowed Client IP or Subnet.
  7. Enter a short operator note in Notes.
  8. Use the row operation buttons to edit, delete, or reorder entries.
  9. Click Apply to close the table editor.
  10. Review the workflow field and click Apply ACL....
Access ACL table editor showing Table View, allowed client IP or subnet rows, notes, and row operation controls

Add A Row From A Template

  1. Click Add Row.
  2. Choose a row template: Empty Row, Allow a single client IP, Allow a client subnet, or Allow all clients.
  3. Edit Allowed Client IP or Subnet.
  4. Edit Notes.
  5. Click the check control to commit the row in the table editor, or click the undo control to discard the active row edit.
  6. Click Apply in the table editor to return the table value to the workflow.
  7. Review the workflow value, then click Apply ACL... only when you are ready to activate the ACL on the appliance.

The example below uses 192.0.2.10, a documentation-only address from the TEST-NET-1 range. Replace it with the actual administrator client address or management subnet before applying an ACL.

Access ACL table editor with a new ACL row being added for a documentation example client IP address

Use JSON View

Open JSON View when you need to review or edit the ACL as structured JSON. Each ACL entry is an object with:

  • ip: IPv4 address or CIDR subnet.
  • notes: Operator-facing description.

After editing JSON, click Apply in the table editor to return the updated value to the workflow. The ACL is not activated on the appliance until Apply ACL... is clicked in the workflow.

Access ACL JSON View showing ACL entries as objects with ip and notes fields

Remove The ACL Restriction

To remove management client filtering, leave the ACL table empty and click Apply ACL.... This allows management access from any reachable client.

Use this intentionally. An empty ACL is open access from the management network perspective, not a deny-all policy.

Field Reference

Field                       | Required                      | Notes
Allowed Client IP or Subnet | Yes, when using an allow-list | IPv4 client address or CIDR subnet that can reach management services. A single IP address is treated as a host entry.
Notes                       | Optional                      | Operator-facing description such as the owner, site, ticket, or purpose of the ACL entry.

ACL Editor Function Reference

Control                                    | Function                                                      | Notes
Table View                                 | Edit ACL entries as rows.                                     | Default editor view. Use this for normal add, edit, delete, reorder, and review tasks.
JSON View                                  | Edit ACL entries as JSON.                                     | Uses an array of objects with ip and notes fields.
Add Row                                    | Add a new ACL entry.                                          | Opens templates for an empty row, one client IP, one client subnet, or all clients.
Filter                                     | Filter the visible table rows.                                | Useful when the ACL has many entries. Filtering does not remove rows from the ACL.
Allowed Client IP or Subnet column header  | Sort the table by address/subnet text.                        | Sorting changes the view order shown by the table. Use row arrows when the saved order itself should change.
Notes column header                        | Sort the table by note text.                                  | Sorting changes the view order shown by the table.
Row edit control                           | Edit an existing row.                                         | The row becomes editable. Click the check control to keep the row edit or undo to discard the active edit.
Row delete control                         | Remove an entry from the table editor.                        | Review the table before clicking Apply.
Row up/down controls                       | Reorder entries.                                              | Up is disabled for the first row. Down is disabled for the last row.
Row copy/reuse control                     | Reuse an existing row as the starting point for another entry. | Edit the copied values before committing the row.
Print                                      | Print the current editor view.                                | Use when a hardcopy or print-to-PDF review is required.
Upload Config / Choose File                | Load ACL table content from a file.                           | Review imported rows before applying the editor value to the workflow.
Download Config                            | Download the current ACL table content.                       | Useful for offline review or reuse.
Apply                                      | Return the editor value to the workflow.                      | This does not activate the appliance ACL by itself. The workflow still requires Apply ACL....
Close                                      | Close the editor.                                             | Close without Apply when table-editor changes should be discarded.

Confirmation And Rollback

This workflow applies the ACL directly. It does not use the two-phase reconnect-and-confirm safety flow used by Device Management IP Address.

Before applying the ACL, verify that the new list includes the IP address or subnet from which you are operating. If you accidentally block your current client, recover from another allowed client, from a trusted management subnet, or through the appliance local recovery path. Then reopen Device Management Access ACL and either add the missing source or clear the list to remove the restriction.
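The pre-apply check described above, and the JSON View entry format from the Use JSON View section, as an added example that is not part of this documentation or the 01Layer product: it parses a constructed ACL JSON value, applies the documented rules (blank entries skipped, a bare address treated as a host entry, an empty list or 0.0.0.0/0 meaning open access), and reports whether the client address you are operating from would still be allowed. The sample entries and the function names are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample of the JSON View value; not exported from an appliance.
SAMPLE_ACL_JSON = """
[
  {"ip": "10.0.0.25",    "notes": "admin workstation (constructed sample)"},
  {"ip": "10.0.10.0/24", "notes": "management subnet (constructed sample)"},
  {"ip": "",             "notes": "blank row left behind in the editor"}
]
"""


def parse_acl(acl_json):
    """Parse JSON View entries into IPv4 networks.

    Follows the documented behaviour: blank ip values are not added,
    a single address becomes a /32 host entry. Returns (networks, errors).
    """
    networks, errors = [], []
    for idx, entry in enumerate(json.loads(acl_json)):
        ip = (entry.get("ip") or "").strip()
        if not ip:
            continue  # only non-empty entries become allowed sources
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            errors.append(f"row {idx}: '{ip}' is not an IPv4 address or CIDR subnet")
            continue
        if not isinstance(net, ipaddress.IPv4Network):
            errors.append(f"row {idx}: '{ip}' is not IPv4")
            continue
        networks.append(net)
    return networks, errors


def check_acl(acl_json, current_client):
    """Lockout and open-access checks to run before clicking Apply ACL."""
    networks, errors = parse_acl(acl_json)
    client = ipaddress.ip_address(current_client)
    # Empty ACL removes the restriction; a /0 entry explicitly allows everyone.
    open_access = not networks or any(n.prefixlen == 0 for n in networks)
    return {
        "errors": errors,
        "entries": [str(n) for n in networks],
        "open_access": open_access,
        "client_allowed": open_access or any(client in n for n in networks),
    }
```

Check the address the appliance actually observes (after NAT, VPN, or a jump host), not the workstation's local address, when choosing the value for current_client.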

Notes

  • The ACL controls client reachability to management services on the management interface. It does not define user authentication or authorization.
  • User login policy is still controlled by the configured user and authentication settings.
  • System access methods such as HTTP, HTTPS, and SSH are managed separately in System Access Methods.
  • Use specific client addresses or management subnets instead of 0.0.0.0/0 unless open management access is intentional.

Troubleshooting

Current Browser Loses Access After Applying ACL

The current client was probably not included in the allow-list. Try accessing the appliance from another allowed client or management subnet. If no allowed network path is available, use the appliance local recovery path to restore or clear the ACL.

A Trusted Admin Host Cannot Connect

Confirm the source address that reaches the appliance. NAT, VPN, and jump-host paths may cause the appliance to see a different source IP than the operator's workstation address. Add the observed source IP or the correct management subnet.

The ACL Appears To Allow Everyone

Check for an empty ACL or a broad entry such as 0.0.0.0/0. An empty ACL removes the management client restriction, and 0.0.0.0/0 explicitly allows all IPv4 clients.

Apply ACL Does Not Start

Review the table for incomplete edits. Finish or cancel the active row edit, click Apply in the table editor, then start Apply ACL... again.

Related Topics

  • Use Device Management IP Address when changing the management interface address, netmask, gateway, or DNS values.
  • Use System Access Methods when enabling or disabling HTTP, HTTPS, or SSH.
  • Review user and authentication settings when changing who can log in after a client reaches the management interface.