A service such as HTTP, SNMP or Failover is not enabled in Management Center, but is still accessible from external hosts.
Management Center utilizes the ACL (Access Control List) feature as a host firewall to manage access to system services.
The ACL is enabled by default to prevent access to Failover, HTTP, and SNMP services.
The following rules are present by default:
rule 127.0.0.1/32 Failover
rule 127.0.0.1/32 HTTP
rule 127.0.0.1/32 SNMP
rule ::1/128 Failover
rule ::1/128 HTTP
rule ::1/128 SNMP
The ACL is dynamically updated to remove a service's entries when the corresponding feature is enabled, as follows:
HTTP: security http enable
Failover: failover make-primary or failover make-secondary
SNMP: A rule for the specific host(s) must be added to the ACL as part of the SNMP configuration steps: acl rule x.x.x.x/32 SNMP
System services rely on the ACL feature to manage access, so if the ACL itself is disabled, these services become accessible from all external hosts regardless of their configuration state.
Check if the ACL feature has been disabled using the following command.
MgmtCtr# show running-config acl
If the ACL is in a disabled state, enable it using the following commands.
MgmtCtr# configure t
MgmtCtr(config)# acl enable
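The following is an added example, not part of the original article or the product: an offline audit helper that turns ACL rule lines in the "rule <CIDR> <service>" form listed above into a per-service exposure summary. The function names, the 192.0.2.10 sample host and the reading that a service with no remaining entries is unrestricted are assumptions; the ACL enabled/disabled state is supplied by the operator after reading the show running-config acl output, since that output format is not shown here.

```python
import ipaddress

SERVICES = ("Failover", "HTTP", "SNMP")  # services named in this article

# Default rules exactly as listed in the article.
DEFAULT_RULES = """\
rule 127.0.0.1/32 Failover
rule 127.0.0.1/32 HTTP
rule 127.0.0.1/32 SNMP
rule ::1/128 Failover
rule ::1/128 HTTP
rule ::1/128 SNMP
"""

# Constructed sample: HTTP enabled (its entries removed), one SNMP host added.
SAMPLE_RULES = """\
rule 127.0.0.1/32 Failover
rule 127.0.0.1/32 SNMP
rule ::1/128 Failover
rule ::1/128 SNMP
rule 192.0.2.10/32 SNMP
"""

def parse_rules(text):
    """Collect {service: [networks]} from 'rule <CIDR> <service>' lines."""
    rules = {s: [] for s in SERVICES}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "rule" and parts[2] in rules:
            rules[parts[2]].append(ipaddress.ip_network(parts[1], strict=False))
    return rules

def exposure(acl_enabled, rules_text):
    """Map each service to 'all hosts', 'loopback only' or its allowed sources."""
    result = {}
    for service, nets in parse_rules(rules_text).items():
        external = sorted(str(n) for n in nets if not n.is_loopback)
        if not acl_enabled or not nets:
            # ACL off: nothing filtered. No entries: unrestricted (assumption).
            result[service] = "all hosts"
        elif not external:
            result[service] = "loopback only"
        else:
            result[service] = "restricted to " + ", ".join(external)
    return result

if __name__ == "__main__":
    for enabled in (True, False):
        print("ACL enabled:", enabled, exposure(enabled, SAMPLE_RULES))
```

With the ACL enabled and the default rules in place, every service reports "loopback only"; the same rules with the ACL disabled report "all hosts", which is the condition this article describes.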