× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Start a New Discussion

Start a New Discussion

Orbi WiFi 7 RBE973
Reply

XS716T100NES Can we disable HTTP

MWCLOUD
Aspirant
Aspirant
‎2018-01-11 12:30 PM
‎2018-01-11 12:30 PM

XS716T100NES Can we disable HTTP

Is there a way via CLI or GUI to disable HTTP from listening?. We would like to lock down the switch where only the ports we are using are open.
Message 1 of 8
Labels:
0 Kudos
Reply

Accepted Solutions
LaurentMa
NETGEAR Expert
NETGEAR Expert
‎2018-01-11 12:56 PM
‎2018-01-11 12:56 PM

Re: XS716T100NES Can we disable HTTP

Hi MWCLOUD

 

Thanks for asking. No, there is no way to disable Management CPU (Web GUI access via HTTP) on our XS716T 16-port 10G Smart Managed Pro switch. In fact, the per-port lock down is not very common. But Smart Managed switches don't offer management access control.

 

Instead, Fully Managed switches provide either Out of band management (OOB - you can deactivate inband CPU management access, and only access the switch CPU for GUI, telnet etc. via the 1G service port - this is useful if you have a separate management network); or Management ACLs for protecting inband access (for instance, restricting HTTP GUI access to certain IP addresses or subnets, restricting Telnet to certain other IP addresses, etc.).

 

If you require these features, you should look at our M4300 series. They offer both OOB management and Management ACLs:Management Access.png

 

 

Regards,

 

View solution in original post

Message 2 of 8
0 Kudos
Reply

All Replies
LaurentMa
NETGEAR Expert
NETGEAR Expert
‎2018-01-11 12:56 PM
‎2018-01-11 12:56 PM

Re: XS716T100NES Can we disable HTTP

Hi MWCLOUD

 

Thanks for asking. No, there is no way to disable Management CPU (Web GUI access via HTTP) on our XS716T 16-port 10G Smart Managed Pro switch. In fact, the per-port lock down is not very common. But Smart Managed switches don't offer management access control.

 

Instead, Fully Managed switches provide either Out of band management (OOB - you can deactivate inband CPU management access, and only access the switch CPU for GUI, telnet etc. via the 1G service port - this is useful if you have a separate management network); or Management ACLs for protecting inband access (for instance, restricting HTTP GUI access to certain IP addresses or subnets, restricting Telnet to certain other IP addresses, etc.).

 

If you require these features, you should look at our M4300 series. They offer both OOB management and Management ACLs:Management Access.png

 

 

Regards,

 

Message 2 of 8
0 Kudos
Reply
MWCLOUD
Aspirant
Aspirant
‎2018-01-11 01:51 PM
‎2018-01-11 01:51 PM

Re: XS716T100NES Can we disable HTTP

Thanks for the quick response.  This is good to know for future purchases.

Message 3 of 8
0 Kudos
Reply
schumaku
Guru Guru
Guru
‎2018-01-11 04:04 PM
‎2018-01-11 04:04 PM

Re: XS716T100NES Can we disable HTTP

Hi @LaurentMa,

 

Plase consider to push in at least a control to set (and limit) the manaement VLAN to a defined VLAN on all Smart Managed Plus and Smart Managed Pro with the firmware revisions.

Example? The new XS724EM Smart Managed Plus 

XS724EM Smart Managed Plus - Management VLAN.PNG

This does allow certain mitigation by limiting this access to a sinlge 802.1Q VLAN.

Regards,
.Kurt



 

Message 4 of 8
Reply
schumaku
Guru Guru
Guru
‎2018-01-12 02:23 AM
‎2018-01-12 02:23 AM

Re: XS716T100NES Can we disable HTTP

Oh sorry, my previous post wasn't really finished @LaurentMa. Of course, the Smart Managed Pro already support a management VLAN setting (it's in Management -> IP Configuration).

Message 5 of 8
Reply
LaurentMa
NETGEAR Expert
NETGEAR Expert
‎2018-01-12 03:18 AM
‎2018-01-12 03:18 AM

Re: XS716T100NES Can we disable HTTP

Good point! Management VLAN is another best practice, but it requires VLANs for other users.

 

This is good input:

  • Management VLAN can be used across Smart Managed, Pro and Fully Managed switches for protecting CPU Access (GUI etc.)
  • Out-of-band or Management ACLs can be used in Fully Managed switches when Management VLAN isn't suitable

Regards,

Message 6 of 8
0 Kudos
Reply
schumaku
Guru Guru
Guru
‎2018-01-12 04:09 AM
‎2018-01-12 04:09 AM

Re: XS716T100NES Can we disable HTTP

@LaurentMa wrote:

 

  • Management VLAN can be used across Smart Managed, Pro and Fully Managed switches for protecting CPU Access (GUI etc.)

The implementation of the Management VLAN seems to have just started on the Smart Managed Plus switches. Have just spotted it on the brand new XS728EM, the GS110EMX released some weeks before for example does not have this feature. Queried one of your senior engineers in Tw on this difference some hours ago, he said "For Managed Plus, it depends. Case-by-case.".

Thank you for taking care!

-Kurt

Message 7 of 8
Reply
MWCLOUD
Aspirant
Aspirant
‎2018-01-12 06:37 AM
‎2018-01-12 06:37 AM

Re: XS716T100NES Can we disable HTTP

Thanks for the information.  My issue is based upon regulatory requirements.  We are required to document and justify every open port on a piece of equipment.  The includes regular CVAs and baseline reviews for each piece of equipment.  As you can imagine, HTTP is deeply frowned upon. 

We are currently using these switches in a test environment so there isn't as big of an issue. 

Message 8 of 8
0 Kudos
Reply
Discussion stats
  • 7 replies
  • ‎2018-01-11 12:30 PM
  • 3838 views
  • 3 kudos
  • 3 in conversation
Announcements