LIF roles and default firewall policies
LIF firewall policies are used to restrict access to the cluster over each LIF. You need to understand how the default firewall policy affects system access over each type of LIF, and how you can customize a firewall policy to increase or decrease security over a LIF.
When you configure a LIF with the network interface create or network interface modify command, the value you give for the -firewall-policy parameter determines which service protocols the LIF accepts and from which IP addresses.
In many cases you can accept the default firewall policy value. In other cases you need to restrict access to specific IP addresses and specific management service protocols. The available management service protocols are SSH, HTTP, HTTPS, Telnet, NTP, NDMP, NDMPS, RSH, DNS, and SNMP. Telnet and RSH carry credentials in cleartext and are disabled in ONTAP by default; leave them disabled and out of your policies.
The following table describes the default firewall policies that are assigned to each LIF, depending on their role, when you create the LIF:
Firewall policy | Default service protocols | Default access | LIFs applied to |
---|---|---|---|
mgmt | dns, http, https, ndmp, ndmps, ntp, snmp, ssh | Any address (0.0.0.0/0) | Cluster management, SVM management, and node management LIFs |
mgmt-nfs | dns, http, https, ndmp, ndmps, ntp, portmap, snmp, ssh | Any address (0.0.0.0/0) | Data LIFs that also support SVM management access |
intercluster | https, ndmp, ndmps | Any address (0.0.0.0/0) | All intercluster LIFs |
data | dns, ndmp, ndmps, portmap (starting with ONTAP 9.4) | Any address (0.0.0.0/0) | All data LIFs |
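Every default policy in the table allows its services from any address, so a management LIF accepts SSH and HTTPS from the whole network by default. The session below is an added example, not part of the original page, showing how to replace that default with a policy that accepts SSH and HTTPS only from an administrative subnet and then verify the result. The cluster prompt cluster1, the SVM vs1, the LIF vs1_mgmt, the policy name mgmt_restricted and the subnet 10.10.10.0/24 are assumptions; the commands are the standard system services firewall policy and network interface commands.

```console
cluster1::> system services firewall policy create -vserver vs1 -policy mgmt_restricted -service ssh -allow-list 10.10.10.0/24
cluster1::> system services firewall policy create -vserver vs1 -policy mgmt_restricted -service https -allow-list 10.10.10.0/24
cluster1::> system services firewall policy show -vserver vs1 -policy mgmt_restricted
cluster1::> network interface show -vserver vs1 -lif vs1_mgmt -fields firewall-policy
cluster1::> network interface modify -vserver vs1 -lif vs1_mgmt -firewall-policy mgmt_restricted
cluster1::> network interface show -vserver vs1 -lif vs1_mgmt -fields firewall-policy
```

Each create command adds one service to the policy; a service that is absent from the policy is blocked on any LIF that uses it, which is how http, telnet, snmp, ndmp and the other defaults are dropped here. If the LIF must still accept one of the other services from the table, add an entry for it with its own allow-list. The policy must be created on the SVM that owns the LIF (the admin SVM for cluster and node management LIFs, the data SVM for an SVM management LIF). Before running the modify command, make sure the address you are administering from is inside the allow-list, or keep an independent path such as the node console or service processor available, so a typo in the allow-list does not lock you out. Note that beginning with ONTAP 9.10.1 firewall policies are deprecated in favour of LIF service policies, so check your version's documentation before relying on this mechanism.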