Summary : This article covers rejecting all TACACS authentication requests that come from external IP addresses.
It describes how to create an enforcement policy that allows TACACS access only from internal IPs and rejects all such requests from external IP addresses.
Feature Notes :
This article works on CPPM 6.2 and greater.
Configuration Steps :
We have a few devices that are on public IPs for some reason. How do we make sure that no one (not even employees) accesses them from an external network?
We must never expose shell/SSH access to the devices to the web.
The best way is to create an enforcement policy as per the details below and map it to our service.
The highlighted condition allows access only to IPs that begin with the value provided; the rest will be rejected.
The condition :
can be matched with any other AND rules to make the service secure. Feel free to customize it based on your requirements.
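Because the condition compares the start of the address as text, the value you enter decides exactly which addresses pass. The following added example (not part of the original article and not ClearPass code) checks a candidate "begins with" value against the internal range you intend to allow and reports addresses it would admit by mistake or reject by mistake. The prefixes, ranges and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample source addresses (illustrative only).
SAMPLES = [
    "10.20.30.40",
    "100.64.1.5",
    "172.16.4.20",
    "172.1.9.9",
    "172.160.3.3",
    "172.31.255.1",
    "203.0.113.7",
]


def begins_with_allows(src_ip, prefix):
    """Text comparison, as a 'begins with' rule condition behaves."""
    return src_ip.startswith(prefix)


def in_intended_range(src_ip, network):
    """Numeric membership test against the intended internal range."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(network)


def audit_prefix(prefix, network, samples=SAMPLES):
    """Return (over_admitted, wrongly_rejected) for a candidate prefix.

    over_admitted: pass the text match but lie outside the intended range.
    wrongly_rejected: lie inside the intended range but fail the text match.
    """
    over, under = [], []
    for ip in samples:
        text_ok = begins_with_allows(ip, prefix)
        range_ok = in_intended_range(ip, network)
        if text_ok and not range_ok:
            over.append(ip)
        elif range_ok and not text_ok:
            under.append(ip)
    return over, under


if __name__ == "__main__":
    for prefix, net in [("10", "10.0.0.0/8"), ("10.", "10.0.0.0/8"),
                        ("172.1", "172.16.0.0/12")]:
        over, under = audit_prefix(prefix, net)
        print(f"{prefix!r} vs {net}: over-admitted={over} wrongly-rejected={under}")
```

End the value on an octet boundary (with the trailing dot), and where the internal range does not fall on an octet boundary, use several rules instead of one shortened prefix.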