JunOS: Restrict WebUI access to a specific VLAN interface and remote IPs

By | March 8, 2015

Here is a quick how-to on restricting the WebUI to one or several VLAN interface(s) and specifying which remote/management IPs are allowed to access it.

1. Bind the web management service to the VLAN interface on which it should answer external requests (this example assumes that the l3-interface vlan.10 will be used for the WebUI):

set system services web-management https interface vlan.10

2. (Optional) Create the firewall filter if you want to restrict the remote IPs that can access it:

set policy-options prefix-list MGMT-IPv4 0.0.0.0/0
set firewall family inet filter REv4-in term HTTPS-MGMT from source-prefix-list MGMT-IPv4
set firewall family inet filter REv4-in term HTTPS-MGMT from protocol tcp
set firewall family inet filter REv4-in term HTTPS-MGMT from destination-port https
set firewall family inet filter REv4-in term HTTPS-MGMT then accept

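NOTE: You must replace the 0.0.0.0/0 value in “prefix-list MGMT-IPv4 0.0.0.0/0” with your management IP(s) or subnet(s); as written, 0.0.0.0/0 matches every source address, so the term restricts nothing. Add as many entries as you need, one command per IP or subnet.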
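
A way to check an exported `set`-format configuration for both steps above, as an added example that is not part of the original post. The helper name `audit_webui`, the `max_addresses` threshold and the RFC 5737 documentation prefixes are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the commands from this post as published, 0.0.0.0/0 placeholder still in place.
AS_PUBLISHED = """\
set system services web-management https interface vlan.10
set policy-options prefix-list MGMT-IPv4 0.0.0.0/0
set firewall family inet filter REv4-in term HTTPS-MGMT from source-prefix-list MGMT-IPv4
set firewall family inet filter REv4-in term HTTPS-MGMT from protocol tcp
set firewall family inet filter REv4-in term HTTPS-MGMT from destination-port https
set firewall family inet filter REv4-in term HTTPS-MGMT then accept
"""
# Constructed sample: same commands with RFC 5737 documentation prefixes as management sources.
RESTRICTED = AS_PUBLISHED.replace(
    "MGMT-IPv4 0.0.0.0/0",
    "MGMT-IPv4 192.0.2.0/28\nset policy-options prefix-list MGMT-IPv4 198.51.100.7/32")


def audit_webui(config, max_addresses=256):
    """Return findings for the two restrictions above (hypothetical helper, not a Junos tool)."""
    cmds = [line.split() for line in config.splitlines() if line.startswith("set ")]
    findings = []

    # Step 1: HTTPS web management should be bound to at least one named interface.
    https = [c for c in cmds if c[1:5] == ["system", "services", "web-management", "https"]]
    if https and not any(c[5:6] == ["interface"] for c in https):
        findings.append("web-management https is not restricted to an interface")

    # Step 2: index the prefix-lists, then the "from" conditions of every filter term.
    plists, terms = {}, {}
    for c in cmds:
        if c[1:3] == ["policy-options", "prefix-list"] and len(c) == 5:
            plists.setdefault(c[3], []).append(ipaddress.ip_network(c[4], strict=False))
        elif (c[1:5] == ["firewall", "family", "inet", "filter"] and len(c) == 11
              and c[6] == "term" and c[8] == "from"):
            terms.setdefault((c[5], c[7]), []).append((c[9], c[10]))

    for (flt, term), conds in terms.items():
        if not any(k == "destination-port" and v in ("https", "443") for k, v in conds):
            continue  # this term does not match the WebUI port
        lists = [v for k, v in conds if k == "source-prefix-list"]
        if not lists:
            findings.append(f"{flt}/{term}: no source-prefix-list, any source matches")
        for name in lists:
            for net in plists.get(name, []):
                if net.num_addresses > max_addresses:  # assumed threshold for "too broad"
                    findings.append(f"{flt}/{term}: {name} contains {net}, too broad")
    return findings
```

Calling `audit_webui(AS_PUBLISHED)` flags the 0.0.0.0/0 placeholder, while `audit_webui(RESTRICTED)` returns an empty list.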