Chapter 1. X Family Startup Configuration

When the SMS is on a different site than the device, a potential misconfiguration in the SMS may result in the loss of remote management access to the device. To protect against this you can enable a firewall rule to allow SSH and HTTPS access into the device from the WAN security zone and the internet. This rule will only be enabled after the SMS has timed out trying to acquire the device. During the time the firewall rule is enabled, management access to the device will be available to any IP address on the internet providing the correct username and password.

Would you like to enable WAN access on SMS configuration failure? <Y,[N]>: N

Web, CLI, and SNMP Server Options

The Web, CLI, and SNMP Server Options dialog turns the X family device servers on and off. You should always use the secure Web and CLI servers (HTTPS and SSH) when conducting normal operations. You should only use the non-secure (HTTP) servers for troubleshooting if you cannot get the secure alternatives running for some reason.

Note: You do not need to run any servers if you want to control the X family device only through the serial port, but you will be unable to manage filters without servers. You can turn off all servers by using the following commands:

conf t server no http

conf t server no https

conf t server no ssh

conf t sms no v2

You must reboot the device for changes to HTTP or HTTPS to take effect.

Secure and Non-Secure Operation

You can enable the secure and non-secure servers for the CLI (SSH and HTTP). You cannot enable both the secure and non-secure servers for the Web. This is to prevent inadvertent security lapses within your network security infrastructure. In practical terms, this means that if you enable the HTTPS server, the HTTP server is disabled.

SMS Operation

The HTTPS server is required for SMS management. This means that if you use the SMS to manage the devices, you cannot run the non-secure HTTP server.
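
The rules in the sections above (HTTP and HTTPS are mutually exclusive, SMS management requires HTTPS, HTTP or HTTPS changes need a reboot) can be checked before a change is applied. The following Python is an added example, not part of the X family documentation or product; the function name plan_lockdown and the dictionary keys are hypothetical, and it generates only the four disable commands listed in the note above.

```python
# Added example: plan_lockdown and the service keys are hypothetical names.
# The four disable commands are the ones listed in the note above.
DISABLE_CMDS = {
    "http": "conf t server no http",
    "https": "conf t server no https",
    "ssh": "conf t server no ssh",
    "sms": "conf t sms no v2",
}


def plan_lockdown(current, desired):
    """Compare the current and desired on/off state of the device servers.

    Returns (commands, reboot_required, findings). Only disable commands
    are generated, because those are the only ones the page lists.
    """
    findings = []
    # The secure and non-secure Web servers cannot both be enabled.
    if desired["http"] and desired["https"]:
        findings.append("ERROR: HTTP and HTTPS cannot both be enabled")
    # SMS management requires the HTTPS server.
    if desired["sms"] and not desired["https"]:
        findings.append("ERROR: SMS management requires the HTTPS server")
    # The non-secure HTTP server is for troubleshooting only.
    if desired["http"]:
        findings.append("WARN: HTTP is non-secure; use only for troubleshooting")
    # With every server off, only the serial port remains.
    if not any(desired[s] for s in DISABLE_CMDS):
        findings.append("WARN: serial-only control; filters cannot be managed")
    # Emit a disable command for each service that goes from on to off.
    commands = [DISABLE_CMDS[s] for s in DISABLE_CMDS
                if current[s] and not desired[s]]
    # Changes to HTTP or HTTPS take effect only after a reboot.
    reboot_required = any(current[s] != desired[s] for s in ("http", "https"))
    return commands, reboot_required, findings


if __name__ == "__main__":
    # Constructed sample state: a device managed over HTTPS, SSH and SMS.
    current = {"http": False, "https": True, "ssh": True, "sms": True}
    serial_only = {"http": False, "https": False, "ssh": False, "sms": False}
    commands, reboot_required, findings = plan_lockdown(current, serial_only)
    for line in commands + findings:
        print(line)
    print("reboot required:", reboot_required)
```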

X Family CLI Reference V 2.5.1