Netskope Help

Manage SSH Connections by Allowlisting an IP

SSH connections to the appliance CLI can be restricted to specific IPs. This configuration ensures that only allowlisted IPs can access the appliance CLI.

To configure allowlist IPs on an appliance:

  1. In configuration mode, enter the command:

    set system ssh-allowlist <comma-separated list of IPs and subnets without spaces>

    For example,

    set system ssh-allowlist 192.168.169.0/24,172.18.78.10
  2. Enter save to save the configuration.

Limitations

When configuring allowlist IPs on an appliance, ensure the following:

  • Subnets must be specified in the format <IP>/<Netmask>. For example, 192.168.169.0/24, 172.18.78.0/255.255.255.0.

  • Individual allowlisted IPs in the list cannot be the same as IP addresses that are configured on the appliance's interfaces. However, allowlisted subnets are allowed to contain IP addresses configured on the appliance's interfaces.

  • Allowlist IPs must not contain the subnet reserved for the Netskope appliance's internal bridge network. By default, the appliance's internal services use the subnet 172.17.0.0/16. This subnet can be changed using the command,

    set system bridge-network <IP subnet>

    When specifying a new subnet for the bridge network, use the format <Network Address>/<Netmask>. For example, 192.168.1.0/0, 172.18.78.0/255.255.255.0.
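The limitations above can be checked offline before the value is typed into the appliance. The following is an added example, not Netskope code: `check_ssh_allowlist` and its parameters are hypothetical names, the interface IPs are supplied by the caller, and it assumes that any overlap with the bridge network should be rejected and that a single-address subnet counts as an individual IP.

```python
import ipaddress

DEFAULT_BRIDGE = "172.17.0.0/16"  # default bridge subnet stated on this page


def check_ssh_allowlist(value, interface_ips=(), bridge=DEFAULT_BRIDGE):
    """Return a list of problems found in an ssh-allowlist value (empty = OK)."""
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append("list contains whitespace")
    bridge_net = ipaddress.ip_network(bridge, strict=False)
    own = {ipaddress.ip_address(ip) for ip in interface_ips}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            problems.append("empty entry")
            continue
        try:
            # Accepts a bare IP, <IP>/<prefix length>, or <IP>/<dotted netmask>.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an IP or <IP>/<Netmask>")
            continue
        # Assumption: a one-address subnet is treated as an individual IP.
        if net.num_addresses == 1 and net.network_address in own:
            problems.append(f"{entry}: same as an appliance interface IP")
        # Assumption: any overlap with the bridge subnet is rejected.
        if net.version == bridge_net.version and net.overlaps(bridge_net):
            problems.append(f"{entry}: overlaps bridge network {bridge_net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 172.18.78.10 stands in for an interface IP.
    for candidate in ("192.168.169.0/24,172.18.78.10",
                      "172.16.0.0/12,10.0.0.300",
                      "10.0.0.1, 10.0.0.2"):
        issues = check_ssh_allowlist(candidate, interface_ips=["172.18.78.10"])
        print(candidate, "->", issues or "OK")
```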