Verify IPv6 firewall entries after an ONTAP revert
Suggest changes
A reversion from any version of ONTAP 9 might result in missing default IPv6 firewall entries for some services in firewall policies. You need to verify that the required firewall entries have been restored to your system.
Steps
-
Verify that all firewall policies are correct by comparing them to the default policies:
system services firewall policy show
The following example shows the default policies:
cluster1::*> system services firewall policy show Policy Service Action IP-List ---------------- ---------- ------ -------------------- cluster dns allow 0.0.0.0/0 http allow 0.0.0.0/0 https allow 0.0.0.0/0 ndmp allow 0.0.0.0/0 ntp allow 0.0.0.0/0 rsh allow 0.0.0.0/0 snmp allow 0.0.0.0/0 ssh allow 0.0.0.0/0 telnet allow 0.0.0.0/0 data dns allow 0.0.0.0/0, ::/0 http deny 0.0.0.0/0, ::/0 https deny 0.0.0.0/0, ::/0 ndmp allow 0.0.0.0/0, ::/0 ntp deny 0.0.0.0/0, ::/0 rsh deny 0.0.0.0/0, ::/0 . . .
-
Manually add any missing default IPv6 firewall entries by creating a new firewall policy:
system services firewall policy create -policy <policy_name> -service ssh -action allow -ip-list <ip_list>
-
Apply the new policy to the LIF to allow access to a network service:
network interface modify -vserve <svm_name> -lif <lif_name> -firewall-policy <policy_name>