Index: /branches/rel_apv_10_7_4/usr/click/lib/libnatd_cli/natd_cli.c
===================================================================
--- /branches/rel_apv_10_7_4/usr/click/lib/libnatd_cli/natd_cli.c	(revision 40263)
+++ /branches/rel_apv_10_7_4/usr/click/lib/libnatd_cli/natd_cli.c	(working copy)
@@ -755,6 +755,7 @@
 		int ret;
 		struct in_addr vip4;
 		struct in6_addr vip6;
+		char cmd[512] = {0};
 
 		if (isipv6) {
 			inet_pton(AF_INET6, localip, &vip6);
@@ -771,6 +772,17 @@
 				printf("failed to assign IP to interface\n");
 				return -1;
 			}
+			// for management IP, don't need to add drop rule
+			if (proto == IPPROTO_TCP && check_management_vip((void*)&vip4.s_addr, (void*)&vip6, isipv6) == 0){
+				// TWSD-1696, add firewall rules for ssh
+				snprintf(cmd, sizeof(cmd),
+					"/usr/bin/firewall-cmd -q --direct --add-rule %s filter INPUT 1 "
+					"--protocol tcp -d %s -m multiport --dports 22,65519 -j DROP > /dev/null 2>&1",
+					isipv6? "ipv6": "ipv4",
+					localip
+				);
+				system(cmd);
+			}
 		}
 #endif	
 		return 0;
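Review bot: The result of the new `system(cmd)` call is discarded, so when `firewall-cmd` is absent or rejects the rule the VIP comes up without its port-22/65519 DROP and nothing reports it; `if (system(cmd) != 0) printf("failed to add ssh drop rule for %s\n", localip);` would at least surface it, in the same form as the `printf`/`return -1` path at the top of this hunk. `localip` is spliced unquoted into a shell command line, and the `inet_pton()` context line at the top of the hunk discards its return value, so nothing visible here establishes that the string is a well-formed address before `/bin/sh` parses it — either check that result before building `cmd`, or run `firewall-cmd` via `posix_spawn`/`execv` with an explicit argv so no shell is involved. Only `== 0` from `check_management_vip` is tested, so its -1 error return also skips the rule silently; a log line on that path would help. The same snprintf/system pair recurs twice more in this file (the `-C` probe and remove-rule hunks), so a small `static` helper taking the address, the family and an add/remove flag would remove the triplication. The enclosing function begins before this hunk.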
@@ -809,8 +821,9 @@
 	struct in6_addr vip6;
 	void *vip;
 	click_ip_t vip46;
+	int isipv6 = IS_IP6_ADDRESS(localip);
 
-	if (IS_IP6_ADDRESS(localip)) {
+	if (isipv6) {
 		inet_pton(AF_INET6, localip, &vip6);
 		vip = &vip6;
 		vip46.isipv6 = 1;
@@ -841,9 +854,26 @@
 	func(localip, localport);
 
 #ifdef VIP_MANAGEMENT_NAT
+	char cmd[512] = {0};
 	fwd_get_vip_list_kern(&vip46, sizeof(click_ip_t), (void **)&iplist, &ip_count);
 
 	if (ip_count == 0) {
+		// check if the rule exist
+		snprintf(cmd, sizeof(cmd),
+			"%s -C INPUT_direct -p tcp -d %s -m multiport --dports 22,65519 -j DROP",
+			isipv6? "ip6tables": "iptables",
+			localip
+		);
+		if (proto == IPPROTO_TCP && WEXITSTATUS(system(cmd)) == 0) {
+			// TWSD-1696, remove firewall rules for ssh
+			snprintf(cmd, sizeof(cmd),
+				"/usr/bin/firewall-cmd -q --direct --remove-rule %s filter INPUT 1 "
+				"--protocol tcp -d %s -m multiport --dports 22,65519 -j DROP > /dev/null 2>&1",
+				isipv6? "ipv6": "ipv4",
+				localip
+			);
+			system(cmd);
+		}
 		delete_managed_vip(NULL, MVIP_FWD, vip, vip46.isipv6);
 	}
 #endif
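Review bot: The `iptables -C` probe is run before `proto == IPPROTO_TCP` is tested, so a shell plus `iptables` is spawned for every non-TCP VIP removal only for the result to be ignored; test `proto` first and build and run the probe inside that branch, e.g. wrap the first `snprintf` in `if (proto == IPPROTO_TCP) {`. The removal is keyed on `WEXITSTATUS(system(cmd)) == 0`, which is fine when the probe ran, but a failed fork (`system()` returns -1) or a missing `iptables` binary (shell exit 127) both take the non-zero path and silently leave a stale DROP rule in place, so a short log line there would tell an operator why the VIP's management ports stayed blocked. The loop hunk later in this file has the same shape but calls `firewall-cmd` without `-q`; pick one form for both.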
@@ -870,10 +900,30 @@
 	for (i = 0; i < ip_count; i++) {
 		/* bug 13980, tangmeng, 20060911 */
 		void *vip;
+		char localip[50];
+		char cmd[512] = {0};
 		if (iplist[i].isipv6) {
 			vip = &iplist[i].addr.ip6;
+			inet_ntop(AF_INET6, vip, localip, 50);
 		} else {
 			vip = &iplist[i].addr.ip4;
+			inet_ntop(AF_INET, vip, localip, 50);
+		}
+		// check if the rule exist
+		snprintf(cmd, sizeof(cmd),
+			"%s -C INPUT_direct -p tcp -d %s -m multiport --dports 22,65519 -j DROP",
+			iplist[i].isipv6? "ip6tables": "iptables",
+			localip
+		);
+		// TWSD-1696, remove firewall rules for ssh
+		if (WEXITSTATUS(system(cmd)) == 0) {
+			snprintf(cmd, sizeof(cmd),
+				"/usr/bin/firewall-cmd --direct --remove-rule %s filter INPUT 1 "
+				"--protocol tcp -d %s -m multiport --dports 22,65519 -j DROP > /dev/null 2>&1",
+				iplist[i].isipv6? "ipv6": "ipv4",
+				localip
+			);
+			system(cmd);
 		}
 
 		if(check_nat_static_kern(&iplist[i], sizeof(click_ip_t))) {
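Review bot: `localip` is declared without an initializer and the `inet_ntop()` return value is checked on neither branch, so on a failure an uninitialized buffer is formatted into `cmd` and handed to `system()`; write `if (inet_ntop(AF_INET6, vip, localip, sizeof localip) == NULL) continue;` (likewise for AF_INET) and size the buffer with `INET6_ADDRSTRLEN` instead of the bare `50` repeated in both calls. If this loop sits in a function that also takes a `localip` parameter, as the hunk above does, the new local shadows it — a distinct name such as `vipstr` avoids the ambiguity; the function header is outside this hunk so I cannot confirm. Unlike the previous hunk, the removal here is not gated on `proto == IPPROTO_TCP`; if that is deliberate (every VIP is being torn down) a one-line comment saying so will stop the next reader from "fixing" it.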
Index: /branches/rel_apv_10_7_4/usr/click/lib/libva/multi.c
===================================================================
--- /branches/rel_apv_10_7_4/usr/click/lib/libva/multi.c	(revision 40263)
+++ /branches/rel_apv_10_7_4/usr/click/lib/libva/multi.c	(working copy)
@@ -2065,6 +2065,70 @@
 	return result2->status;
 }
 
+int
+check_management_vip(void *vip_v4, void *vip_v6, int isipv6)
+{
+	struct in6_addr in6;
+	uint32_t ip = 0;
+	char localip6[50] = {0};
+
+	if(isipv6) {
+		in6 = *(struct in6_addr*)vip_v6;
+		inet_ntop(AF_INET6, &in6, localip6, 50);
+	} else {
+		ip = *(uint32_t *)vip_v4;
+	}
+
+	if (nic_init() != IP_SUCCESS) {
+		return -1;
+	}
+
+	CHECK_RPC_HANDLE(return -1);
+	if(!isipv6) {
+		if ((ip  == -1 ) || (ip  == 0x0)) {
+			fprintf(stderr, "Error: vip needs to be in 4-tuple "
+				"Internet dot format,\n");
+			fprintf(stderr, "value not 255.255.255.255\n");
+			return -1;
+		}
+
+		if ( ntohl(ip) >= 0xe0000000 && ntohl(ip) < 0xffffffff) {
+			printf("Error: unable to assign multicast or class E "
+			"address as ip address\n");
+			return -1;
+		}
+	}
+
+	int mgmt_exist = 0;
+	for (int i = 0; i < MAX_NIC; i++) {
+		if (nic_ca[i].mgmt_flag)
+			mgmt_exist = 1;
+
+		if (isipv6) {
+			if (nic_ca[i].mgmt_flag && strcmp(nic_ca[i].v6, localip6) == 0) {
+				return 1;
+			}
+		} else {
+			if (nic_ca[i].mgmt_flag && nic_ca[i].ip32 == ip) {
+				return 1;
+			}
+		}
+	}
+
+	if (mgmt_exist)
+		return 0;
+
+	if (isipv6) {
+		if (strcmp(nic_ca[0].v6, localip6) == 0) {
+			return 1;
+		}
+	} else {
+		if (nic_ca[0].ip32 == ip) {
+			return 1;
+		}
+	}
+	return 0;
+}
 
 int
 create_managed_vip(char *name, int id, void *vip, int isipv6)
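Review bot: `ip == -1` compares a `uint32_t` with a negative `int` constant and trips `-Wsign-compare`; the intent reads better and warns nothing as `ip == INADDR_NONE || ip == INADDR_ANY`. The function returns three distinct values (1 = address belongs to a management NIC, 0 = it does not, -1 = bad input or RPC failure) but its caller in natd_cli.c only tests `== 0`, so an RPC failure is indistinguishable from "not management" and the caller silently skips its firewall rule; a header comment above the definition spelling out the tri-state contract would make that explicit. The IPv6 match is a `strcmp` of the `inet_ntop` text against `nic_ca[i].v6`, which only works if that field holds the same canonical compressed spelling — if it may carry the operator's original form, compare the binary address after `inet_pton` instead; the `nic_ca` definition is not visible here. The fallback to `nic_ca[0]` when no entry carries `mgmt_flag` encodes an assumption that the first NIC is management by default and deserves a comment, and the local `in6` copy is unnecessary since `inet_ntop(AF_INET6, vip_v6, localip6, sizeof localip6)` works directly.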
Index: /branches/rel_apv_10_7_4/usr/click/lib/libva/mvipIf.h
===================================================================
--- /branches/rel_apv_10_7_4/usr/click/lib/libva/mvipIf.h	(revision 40263)
+++ /branches/rel_apv_10_7_4/usr/click/lib/libva/mvipIf.h	(working copy)
@@ -22,6 +22,7 @@
 
 
 int create_managed_vip(char* name, int id, void *ip, int isipv6);
+int check_management_vip(void *vip_v4, void *vip_v6, int isipv6);
 int delete_managed_vip(char* name, int id, void *ip, int isipv6);
 int activate_managed_vip(char* name, int id, void *ip, int isipv6);
 int deactivate_managed_vip(char* name, int id, void *ip, int isipv6);
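Review bot: The new prototype carries no documentation of its return values, and they are not guessable from the name: 1 when the address belongs to the management NIC, 0 when it does not, -1 when the input is invalid or the NIC RPC fails. A `/** ... */` block above the declaration stating those three outcomes, and that `vip_v4` points to a 4-byte network-order address (the caller passes `&vip4.s_addr`) while `vip_v6` points to a `struct in6_addr` with `isipv6` selecting which one is read, would let callers handle the error case deliberately instead of folding it into the "not management" branch.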
