diff --git a/CHANGES b/CHANGES
index 19af77236d..3e59581f74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+5.1.0-dev.30 | 2022-06-14 12:02:46 -0700
+
+ * Management framework: bump external cluster testsuite (Christian Kreibich, Corelight)
+
+ * Management framework: switch default network visibilities (Christian Kreibich, Corelight)
+
 5.1.0-dev.27 | 2022-06-14 11:30:28 -0700
 * chore: Set permissions for GitHub actions (naveen)
diff --git a/VERSION b/VERSION
index 5d509bd7c8..bf77981ac7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.27
+5.1.0-dev.30
diff --git a/scripts/policy/frameworks/management/agent/boot.zeek b/scripts/policy/frameworks/management/agent/boot.zeek
index cd1e302c76..3f328bce7a 100644
--- a/scripts/policy/frameworks/management/agent/boot.zeek
+++ b/scripts/policy/frameworks/management/agent/boot.zeek
@@ -8,12 +8,16 @@
 @load ./config
-# The agent needs the supervisor to listen for node management requests. We
-# need to tell it to do so, and we need to do so here, in the agent
-# bootstrapping code, so the redef applies prior to the fork of the agent
-# process itself.
+# The agent needs the supervisor to listen for node management requests, which
+# by default it does not. We need to tell it to do so here, in the agent
+# bootstrap code, so the redef applies prior to the fork of the agent process.
 redef SupervisorControl::enable_listen = T;
+# The Supervisor listens on Broker's default address: any interface. In the
+# Management framework there's no need for other machines to interact with
+# instance Supervisors directly, so restrict it to listening locally.
+redef Broker::default_listen_address = "127.0.0.1";
+
 event zeek_init()
 {
 if ( ! Supervisor::is_supervisor() )
diff --git a/scripts/policy/frameworks/management/agent/config.zeek b/scripts/policy/frameworks/management/agent/config.zeek
index 4e1d23774e..ae9266c57a 100644
--- a/scripts/policy/frameworks/management/agent/config.zeek
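Review bot: The new `redef Broker::default_listen_address = "127.0.0.1";` in agent/boot.zeek is a global redef, so it changes Broker's default for anything in this process that falls back to it, while the comment above it speaks only of the Supervisor's listener. Since the constant is redefinable, a site redef that is applied later presumably wins and would put the Supervisor back on every interface without any notice. I would add that to the comment, e.g. `# NOTE: process-wide default; a later redef of this constant re-exposes the Supervisor.` The zeek_init() handler at the end of the hunk continues outside it.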
+++ b/scripts/policy/frameworks/management/agent/config.zeek
@@ -106,7 +106,7 @@ function endpoint_info(): Broker::EndpointInfo
 else if ( Management::default_address != "" )
 network$address = Management::default_address;
 else
- network$address = "127.0.0.1";
+ network$address = "0.0.0.0";
 if ( Management::Agent::listen_port != "" )
 network$bound_port = to_port(Management::Agent::listen_port);
diff --git a/scripts/policy/frameworks/management/config.zeek b/scripts/policy/frameworks/management/config.zeek
index 9ca80caf85..dde21d13b4 100644
--- a/scripts/policy/frameworks/management/config.zeek
+++ b/scripts/policy/frameworks/management/config.zeek
@@ -19,9 +19,8 @@ export {
 ## The fallback listen address if more specific adddresses, such as
 ## the controller's :zeek:see:`Management::Controller::listen_address`
- ## remains empty. Unless redefined, this uses Broker's own default
- ## listen address.
- const default_address = Broker::default_listen_address &redef;
+ ## remains empty. Unless redefined, this listens on all interfaces.
+ const default_address = "0.0.0.0" &redef;
 ## The retry interval for Broker connnects. Defaults to a more
 ## aggressive value compared to Broker's 30s.
diff --git a/scripts/policy/frameworks/management/controller/config.zeek b/scripts/policy/frameworks/management/controller/config.zeek
index a524fb049b..01b8445a2b 100644
--- a/scripts/policy/frameworks/management/controller/config.zeek
+++ b/scripts/policy/frameworks/management/controller/config.zeek
@@ -86,7 +86,7 @@ function network_info(): Broker::NetworkInfo
 else if ( Management::default_address != "" )
 ni$address = Management::default_address;
 else
- ni$address = "127.0.0.1";
+ ni$address = "0.0.0.0";
 if ( Management::Controller::listen_port != "" )
 ni$bound_port = to_port(Management::Controller::listen_port);
diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index dcaea9023d..d9b7621df3 100644
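Review bot: The last `else` of endpoint_info() in agent/config.zeek now falls back to `"0.0.0.0"` instead of loopback, and network_info() in controller/config.zeek gets the same change, so an agent or controller with no configured address goes from local-only to every interface. Nothing visible in these hunks shows that peers reaching those listeners are authenticated, so the fallback deserves a comment saying the wide bind is deliberate and how to narrow it, e.g. `# Fallback: all interfaces; redef Management::default_address to restrict.` With `Management::default_address` defaulting to a non-empty string in the same commit, this branch appears reachable only when that constant is redefined to `""`, which the comment could state as well. Both functions begin before and end after their hunks.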
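Review bot: In management/config.zeek, `default_address` no longer follows `Broker::default_listen_address`, so a site that had narrowed Broker's default to keep the management listeners private will now fall back to `"0.0.0.0"` unless it also redefines `Management::default_address`. The doc comment should spell that out, for example `## Note: this no longer tracks Broker::default_listen_address; redef it to a specific address to keep the controller and agents off external interfaces.` The new wording "listens on all interfaces" is also written with an IPv4 wildcard, so I would either say "all IPv4 interfaces" or confirm how Broker treats this value. The export block starts before the hunk and continues past it.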
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-837a20a947645b63340a4231d5a8665126283f66
+a1c8c09c8c661a1ea9299e0356f3652502b8dcd2