By default, all inbound access to a monitoring point is denied, with a few exceptions. These exceptions are in the form of Access Control Lists (ACLs). ACLs permit access to the monitoring point on a specified protocol and port (or port range), from an optional list of source IPv4/IPv6 addresses/networks, on an optional list of interfaces. They should be used in conjunction with firewall rules that provide access between the monitoring point and APM. Typically, ACLs are used to restrict inbound access to specific internal source addresses and/or subnets on specific interfaces. ACL rules can be viewed, created, added to, deleted from, and removed altogether using the Admin API. You can also remove all non-default ACL rules. Examples of various scenarios are provided below.

Default ACLs

For m25, m35, m50, m70, r45, r90, r1000, and v35 monitoring points, default ACLs are provided to permit access on the following ports from any source address.

  • TCP port 22 (SSH)
  • TCP port 80 (HTTP)
  • TCP port 443 (HTTPS)
  • TCP ports 1025-8080 (PathTest)
  • TCP ports 8082-65535 (PathTest)
  • UDP port 7 (Traceroute)
  • UDP port 123 (NTP)
  • UDP port 161 (SNMP)
  • UDP ports 1025-65535 (Delivery, including PathTest, voice, and video)

View ACLs

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > GET /access_control/acl/.
  3. Click Submit.
    • The Response Code section should show “200”.
    • The ACLs are shown in the Response Body.

Add an ACL rule

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “permit”.
  5. Set “protocol”: to either “tcp” or “udp”.
  6. Set “from_port”: and “to_port”: to the beginning and end of the port range (from_port <= to_port). To specify a single port, set to_port and from_port to the same port number.
  7. For “source_addresses”:, provide an optional list of one or more source addresses to restrict inbound traffic to. An address can be a single IPv4 or IPv6 address, or an IPv4 or IPv6 network (with /mask) such as 192.0.2.0/24 or 2001:db8::1000/124. The list can contain any mix of address types. An empty list indicates all source addresses are permitted for the protocol and port range specified.
  8. For “interfaces”:, provide an optional list of one or more interfaces to restrict inbound traffic to. Any of the source_addresses specified are permitted on any of the interfaces specified.
  9. For “interfaces_and_source_addresses”:, provide an optional list of one or more interfaces and associated source addresses to restrict inbound traffic to. Only the source addresses associated with a given interface are permitted on that interface.
  10. Click Submit.
  11. Restart networking.
    • The ACL you created takes effect.

For example, to restrict incoming traffic on TCP port 22 (ssh) to subnets 192.0.2.0/24 and 198.51.100.0/24 on any interface, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "192.0.2.0/24",
          "198.51.100.0/24"
        ]
      }
    ]
  }

Edit ACL rule content

Admin API

To add content to an existing ACL rule:

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “permit”.
  5. Set “protocol”: to match the rule you want to add to.
  6. Set “from_port”: and “to_port”: to match the rule you want to add to.
  7. For “source_addresses”:, “interfaces”: and/or “interfaces_and_source_addresses”:, specify the content you want to add to the rule.
  8. Click Submit.
  9. Restart networking.
    • The ACL you updated takes effect.

For example, to add source address “198.51.99.99” to a rule for TCP port 22 (ssh), use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "198.51.99.99"
        ]
      }
    ]
  }

Delete ACL rule content

Admin API

To remove content from an existing ACL rule:

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “deny”.
  5. Set “protocol”: to match the rule you want to delete from.
  6. Set “from_port”: and “to_port”: to match the rule you want to delete from.
  7. For “source_addresses”:, “interfaces”: and/or “interfaces_and_source_addresses”:, specify the content you want to remove from the rule.
  8. Click Submit.
  9. Restart networking.
    • The ACL you updated takes effect.

For example, to remove source address “198.51.99.99” from a rule for TCP port 22 (ssh), use the following:

  {
    "network_acl": [
      {
        "action": "deny",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "198.51.99.99"
        ]
      }
    ]
  }

Delete an ACL rule

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > PUT /access_control/acl/.
  3. In the Parameters section, in the body field, click the Model Schema on the right.
    • The text is copied to the body field.
  4. Set “action”: “deny”.
  5. Set protocol, from_port, and to_port to match the ACL rule you want to delete.
  6. Click Submit.
    • The Response Code section should show “200”.
  7. Restart networking.
    • The ACL change takes effect.

Reset to default ACL rules

Admin API

  1. Access the Admin API.
  2. Navigate to Access Control > DELETE /access_control/acl/.
  3. Click Submit.
    • The Response Code section should show “200”.
    • All but the default ACL rules are deleted.
  4. Restart networking.

ACL examples

The following are examples showing the content required to create, edit, and remove ACL rules for various scenarios.

Create an ACL rule

To create an ACL rule that restricts incoming traffic on TCP port 22 (ssh) to subnet 192.0.2.0/24 on any interface, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "192.0.2.0/24"
        ]
      }
    ]
  }

The new rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "source_addresses": [
      "192.0.2.0/24"
    ]
  }

Permit access on multiple source addresses

To add source addresses (subnet 198.51.100.0/24) to the previous example, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "198.51.100.0/24"
        ]
      }
    ]
  }

The updated rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "source_addresses": [
      "192.0.2.0/24",
      "198.51.100.0/24"
    ]
  }

Permit access on an interface

To restrict inbound access to a single interface (eth0) by adding an interface to the previous example, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "interfaces": ["eth0"]
      }
    ]
  }

The updated rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "source_addresses": [
      "192.0.2.0/24",
      "198.51.100.0/24"
    ],
    "interfaces": ["eth0"]
  }

Permit access on source addresses and interfaces

To create an ACL rule that restricts incoming traffic on TCP port 22 (ssh) to subnet 192.0.2.0/24 or subnet 198.51.100.0/24 on either eth0 or eth1, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "source_addresses": [
          "192.0.2.0/24",
          "198.51.100.0/24"
        ],
        "interfaces": ["eth0", "eth1"]
      }
    ]
  }

The new rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "source_addresses": [
      "192.0.2.0/24",
      "198.51.100.0/24"
    ],
    "interfaces": ["eth0", "eth1"]
  }

Permit access to source addresses on specific interfaces

To create an ACL rule that restricts incoming traffic on TCP port 22 (ssh) to subnet 192.0.2.0/24 on eth0 and subnet 198.51.100.0/24 and address 198.51.99.99 on eth1, use the following:

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "interface_and_source_addresses": [
          {
            "interface": "eth0",
            "source_addresses": [
              "192.0.2.0/24"
            ]
          },
          {
            "interface": "eth1",
            "source_addresses": [
              "198.51.100.0/24",
              "198.51.99.99"
            ]
          }
        ]
      }
    ]
  }

The new rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "interface_and_source_addresses": [
      {
        "interface": "eth0",
        "source_addresses": [
          "192.0.2.0/24"
        ]
      },
      {
        "interface": "eth1",
        "source_addresses": [
          "198.51.100.0/24",
          "198.51.99.99"
        ]
      }
    ]
  }

Remove a source address from an existing rule

To remove a source address (198.51.99.99) from the previous example, use the following (Note that the action is deny):

  {
    "network_acl": [
      {
        "action": "deny",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "interface_and_source_addresses": [
          {
            "interface": "eth1",
            "source_addresses": [
              "198.51.99.99"
            ]
          }
        ]
      }
    ]
  }

The updated rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22,
    "interface_and_source_addresses": [
      {
        "interface": "eth0",
        "source_addresses": [
          "192.0.2.0/24"
        ]
      },
      {
        "interface": "eth1",
        "source_addresses": [
          "198.51.100.0/24"
        ]
      }
    ]
  }

Remove all interfaces from an existing rule

To remove all interfaces_and_source_addresses content from the previous example (i.e. permit all interfaces and sources), use the following (Note that the action is permit):

  {
    "network_acl": [
      {
        "action": "permit",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22,
        "interface_and_source_addresses": []
      }
    ]
  }

The updated rule looks as follows:

  {
    "protocol": "tcp",
    "from_port": 22,
    "to_port": 22
  }

Remove a rule

To remove the rule in the previous example, use the following (Note that the action is deny):

  {
    "network_acl": [
      {
        "action": "deny",
        "protocol": "tcp",
        "from_port": 22,
        "to_port": 22
      }
    ]
  }
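The examples above all rely on the same merge semantics: a permit body adds its content to the rule with the matching protocol and port range (creating it if needed), a deny body removes that content, a deny body with no content removes the whole rule, and a permit body with an empty interface_and_source_addresses list clears the interface restrictions. The following Python model of those semantics is an added example, not AppNeta code, and it does not call the Admin API; the apply_update and validate functions are assumptions, and so is dropping an interface entry whose address list becomes empty. It is useful for dry-running a body against the current GET output before you submit it.

```python
import copy
import ipaddress
KEY = ("protocol", "from_port", "to_port")
LISTS = ("source_addresses", "interfaces")
PER_IF = "interface_and_source_addresses"

def validate(entry):
    """Reject a body that breaks the constraints this page states for an ACL entry."""
    if entry.get("action") not in ("permit", "deny") or entry.get("protocol") not in ("tcp", "udp"):
        raise ValueError("action must be permit/deny and protocol tcp/udp")
    if not 1 <= entry["from_port"] <= entry["to_port"] <= 65535:
        raise ValueError("need 1 <= from_port <= to_port <= 65535")
    addrs = list(entry.get("source_addresses", []))
    for item in entry.get(PER_IF, []):
        addrs += item["source_addresses"]
    for a in addrs:  # accepts IPv4/IPv6 hosts and /mask networks, raises ValueError otherwise
        ipaddress.ip_network(a, strict=False)

def _merge(cur, new, deny):  # order-preserving set union (permit) or difference (deny)
    return [x for x in cur if x not in new] if deny else cur + [x for x in new if x not in cur]

def apply_update(rules, entry):
    """Apply one network_acl entry to the current rules and return the resulting rule list."""
    validate(entry)
    rules = copy.deepcopy(rules)
    deny = entry["action"] == "deny"
    rule = next((r for r in rules if all(r[k] == entry[k] for k in KEY)), None)
    if rule is None:
        if deny:
            return rules  # nothing to remove from
        rule = {k: entry[k] for k in KEY}
        rules.append(rule)
    elif deny and not any(entry.get(f) for f in LISTS + (PER_IF,)):
        rules.remove(rule)  # deny with no content deletes the whole rule
        return rules
    for f in LISTS:
        if entry.get(f):
            rule[f] = _merge(rule.get(f, []), entry[f], deny)
    if PER_IF in entry:
        per_if = {i["interface"]: i["source_addresses"] for i in rule.get(PER_IF, [])}
        if not deny and not entry[PER_IF]:
            per_if = {}  # permit with an explicit [] clears every interface restriction
        for i in entry[PER_IF]:
            per_if[i["interface"]] = _merge(per_if.get(i["interface"], []), i["source_addresses"], deny)
        # assumption: an interface whose address list becomes empty is dropped from the rule
        rule[PER_IF] = [{"interface": k, "source_addresses": v} for k, v in per_if.items() if v]
    for f in LISTS + (PER_IF,):  # drop emptied fields so the rule reads as in the examples above
        if f in rule and not rule[f]:
            del rule[f]
    return rules
```

Feed it the rule list from GET /access_control/acl/ and the body you intend to PUT; the returned list is what the rule set should look like after the networking restart.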