Skip to main content

Verify IPv6 firewall entries after an ONTAP revert

Contributors netapp-aherbin

A reversion from any version of ONTAP 9 might result in missing default IPv6 firewall entries for some services in firewall policies. You need to verify that the required firewall entries have been restored to your system.

Steps
  1. Verify that all firewall policies are correct by comparing them to the default policies:

    system services firewall policy show

    The following example shows the default policies:

    cluster1::*> system services firewall policy show
    Policy           Service    Action IP-List
    ---------------- ---------- ------ --------------------
    cluster
                     dns        allow  0.0.0.0/0
                     http       allow  0.0.0.0/0
                     https      allow  0.0.0.0/0
                     ndmp       allow  0.0.0.0/0
                     ntp        allow  0.0.0.0/0
                     rsh        allow  0.0.0.0/0
                     snmp       allow  0.0.0.0/0
                     ssh        allow  0.0.0.0/0
                     telnet     allow  0.0.0.0/0
    data
                     dns        allow  0.0.0.0/0, ::/0
                     http       deny   0.0.0.0/0, ::/0
                     https      deny   0.0.0.0/0, ::/0
                     ndmp       allow  0.0.0.0/0, ::/0
                     ntp        deny   0.0.0.0/0, ::/0
                     rsh        deny   0.0.0.0/0, ::/0
    .
    .
    .
  2. Manually add any missing default IPv6 firewall entries by creating a new firewall policy:

    system services firewall policy create -policy <policy_name> -service ssh -action allow -ip-list <ip_list>
  3. Apply the new policy to the LIF to allow access to a network service:

    network interface modify -vserve <svm_name> -lif <lif_name> -firewall-policy <policy_name>