Configuring the Management Access List
By default, you can reach the device's Firepower Device Manager web or CLI interfaces on the management address from any IP address; system access is protected by username and password only. You can, however, configure an access list that allows connections only from specific IP addresses or subnets, which adds another layer of protection.
If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there is no entry for “any” address, you will lose access to the system when you deploy the policy. Be very careful if you decide to configure the access list.
Click the name of the device in the menu, then click the link.
If you are already on the System Settings page, simply click Management Access List in the table of contents.
The list of rules defines which addresses are allowed access to the indicated port: 443 for Firepower Device Manager (the HTTPS web interface), 22 for the SSH CLI.
The rules are not an ordered list. If an IP address matches any rule for the requested port, the user is allowed to attempt logging into the device.
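The match semantics described above (unordered rules, per-port match, an "any" entry) are easy to model, and doing so gives you a pre-deployment lockout check for the caveat stated earlier. The following Python is an added illustration, not Cisco's code or anything the device runs; the rule list and admin addresses are constructed sample values.

```python
import ipaddress

# Ports the management access list controls, as the page states:
# 443 for the Firepower Device Manager web interface, 22 for the SSH CLI.
FDM_HTTPS = 443
SSH_CLI = 22
MANAGEMENT_PORTS = (FDM_HTTPS, SSH_CLI)


def _to_network(addr):
    """A rule address is a host, a CIDR subnet, or the literal "any"."""
    if addr == "any":
        return "any"
    return ipaddress.ip_network(addr, strict=False)


def is_allowed(rules, src_ip, port):
    """Unordered evaluation: the source may attempt a login on `port`
    if it matches ANY rule for that port. Rule order never matters."""
    ip = ipaddress.ip_address(src_ip)
    for rule_port, addr in rules:
        if rule_port != port:
            continue
        net = _to_network(addr)
        if net == "any" or ip in net:  # mixed IPv4/IPv6 `in` is simply False
            return True
    return False


def lockout_check(rules, admin_ip):
    """Return the management ports the given admin address would lose
    once `rules` are deployed; an empty list means no lockout risk."""
    return [p for p in MANAGEMENT_PORTS if not is_allowed(rules, admin_ip, p)]


# Constructed sample: a proposed access list that narrows the default "any".
PROPOSED_RULES = [
    (FDM_HTTPS, "10.1.1.0/24"),   # web UI only from the admin subnet
    (SSH_CLI, "10.1.1.50"),       # SSH only from one jump host
]

if __name__ == "__main__":
    for admin in ("10.1.1.50", "10.1.1.20", "192.168.5.9"):
        lost = lockout_check(PROPOSED_RULES, admin)
        print(f"{admin}: {'OK' if not lost else 'would lose ports ' + str(lost)}")
```

Run the check against the address you are currently connected from before you deploy; if it reports a lost port, add a rule for your address (or an "any" entry) first.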
To create rules for the management address: