By default, all inbound access to a monitoring point is denied. The only exceptions are Access Control Lists (ACLs). An ACL permits access to the monitoring point on a specified protocol and port (or port range), optionally restricted to a list of source IPv4/IPv6 addresses or networks; an ACL with no source list permits the port from any source. The rules apply to traffic on all monitoring point interfaces. They should be used in conjunction with firewall rules that provide access between the monitoring point and APM. Typically, ACLs are used to restrict inbound access to specific internal source addresses and/or subnets. ACLs can be viewed and modified using the Admin API.

Default ACLs

For m25, m35, m50, m70, r45, r90, r1000, and v35 monitoring points, default ACLs are provided to permit access on the following ports from any source address. Because these defaults have no source restriction, management services (SSH, HTTP, HTTPS, SNMP) are reachable from any address on every interface until you restrict them to your management networks as described below.

  • TCP port 22 (SSH)
  • TCP port 80 (HTTP)
  • TCP port 443 (HTTPS)
  • TCP ports 1025-8080 (PathTest)
  • TCP ports 8082-65535 (PathTest)
  • UDP port 7 (Traceroute)
  • UDP port 123 (NTP)
  • UDP port 161 (SNMP)
  • UDP ports 1025-65535 (Delivery, including PathTest, voice, and video)

View ACLs

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > GET /access_control/acl/.
  3. Click Submit.
    • The Response Code section should show “200”.
    • The ACLs are shown in the Response Body.

Add an ACL

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “permit”.
  5. Set “protocol”: to either “tcp” or “udp”.
  6. Set “from_port”: and “to_port”: to the beginning and end of the port range (from_port <= to_port). To specify a single port, set to_port and from_port to the same port number.
  7. For “source_addresses”:, provide an optional list of one or more source addresses to allow. An address can be a single IPv4 or IPv6 address, or an IPv4 or IPv6 network (with /mask) such as 192.0.2.0/24 or 2001:db8::1000/124. The list can contain any mix of address types. An empty list indicates all source addresses are valid for the protocol and port range specified.
  8. Click Submit.
    • The Response Code section should show “200”.
  9. Restart networking.
    • The ACL you created takes effect.

For example, to restrict incoming traffic on TCP port 22 (SSH) to subnets 192.0.2.0/24 and 198.51.100.0/24, use the following body:

{
	"network_acl": [
		{
			"action": "permit",
			"protocol": "tcp",
			"from_port": 22,
			"to_port": 22,
			"source_addresses": [
				"192.0.2.0/24",
				"198.51.100.0/24"
			]
		}
	]
}

Delete an ACL

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “deny”.
  5. Set protocol, from_port, and to_port to match the ACL you want to modify.
  6. Set “source_addresses”: [] to delete the ACL. Alternatively, set source_addresses to one or more of the addresses you want to delete from the ACL.
  7. Click Submit.
    • The Response Code section should show “200”.
  8. Restart networking.
    • The ACL change takes effect.
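The Add and Delete procedures above both reduce to a PUT body and a few rules about how entries combine. The following Python, added here as an illustration and not part of the original page or of AppNeta's software, builds and sanity-checks such a body and models the inbound policy that results. The body shape and the default ACL list are taken from this page; the combination semantics (a permit replaces the source list of the entry with the same protocol and port range, a deny with an empty list removes that entry, a deny with addresses removes only those addresses) are this model's assumptions drawn from the procedures, and the Admin API call itself is not made.

```python
"""Build Admin API ACL bodies and simulate the resulting inbound policy.

Added illustration, not AppNeta code.  Combination semantics below are an
assumption based on the Add/Delete procedures, not a documented contract.
"""
import ipaddress
import json

# Default ACLs listed on the page: (protocol, from_port, to_port), any source.
DEFAULT_ACLS = [
    ("tcp", 22, 22), ("tcp", 80, 80), ("tcp", 443, 443),
    ("tcp", 1025, 8080), ("tcp", 8082, 65535),
    ("udp", 7, 7), ("udp", 123, 123), ("udp", 161, 161),
    ("udp", 1025, 65535),
]


def make_entry(action, protocol, from_port, to_port, source_addresses=()):
    """Return one validated network_acl entry in the shape the page shows."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be 'tcp' or 'udp'")
    if not (0 <= from_port <= to_port <= 65535):
        raise ValueError("need 0 <= from_port <= to_port <= 65535")
    # strict=True rejects prefixes with host bits set (e.g. 192.0.2.5/24),
    # which would otherwise be ambiguous about what network was intended.
    for addr in source_addresses:
        ipaddress.ip_network(addr, strict=True)
    return {
        "action": action,
        "protocol": protocol,
        "from_port": from_port,
        "to_port": to_port,
        "source_addresses": list(source_addresses),
    }


def put_body(*entries):
    """JSON body for PUT /access_control/acl/ carrying the given entries."""
    return json.dumps({"network_acl": list(entries)}, indent=2)


def default_table():
    """Effective table: {(protocol, from, to): [networks]}; [] means any source."""
    return {key: [] for key in DEFAULT_ACLS}


def apply_entry(table, entry):
    """Apply one PUT entry to the table (semantics are this model's assumption)."""
    key = (entry["protocol"], entry["from_port"], entry["to_port"])
    nets = [ipaddress.ip_network(a) for a in entry["source_addresses"]]
    if entry["action"] == "permit":
        table[key] = nets                 # replaces the entry's source list
    elif not nets:
        table.pop(key, None)              # deny with [] deletes the entry
    elif key in table:
        remaining = [n for n in table[key] if n not in nets]
        if not remaining:
            # An empty list means "any source", so removing the last address
            # would widen the rule rather than close it.  Delete it instead.
            raise ValueError(f"deny would leave {key} open to any source; "
                             "use source_addresses: [] to delete the entry")
        table[key] = remaining
    return table


def is_permitted(table, protocol, port, source_ip):
    """Default deny: permitted only if an entry covers protocol, port and source."""
    src = ipaddress.ip_address(source_ip)
    for (proto, lo, hi), nets in table.items():
        if proto == protocol and lo <= port <= hi:
            # ip_network.__contains__ is False across IPv4/IPv6, so mixed
            # lists need no special casing.
            if not nets or any(src in n for n in nets):
                return True
    return False


if __name__ == "__main__":
    # Constructed example: the page's SSH restriction, plus an IPv6 network.
    ssh = make_entry("permit", "tcp", 22, 22,
                     ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::1000/124"])
    print(put_body(ssh))
    table = apply_entry(default_table(), ssh)
    print("ssh from 203.0.113.5 permitted:", is_permitted(table, "tcp", 22, "203.0.113.5"))
```

Running the script prints the body you would paste into the PUT and shows that, after the restriction, SSH from an address outside the listed networks is denied while the other default entries are unchanged. The model also shows a gap worth knowing about: TCP port 8081 falls between the two default PathTest ranges and is denied unless you add it.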

Reset to default ACLs

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > DELETE /access_control/acl/.
  3. Click Submit.
    • The Response Code section should show “200”.
    • Any ACLs you added are deleted and the ACL table is reset to the default ACLs listed above.
  4. Restart networking.