Debbie_FTNT
Staff & Editor
September 28, 2021

Troubleshooting Tip: Disabling HTTP access on FortiAuthenticator interfaces


Description

 

This article describes how to disable HTTP access to FortiAuthenticator completely, expanding on the Interfaces section of the FortiAuthenticator 6.2.1 administration guide.

 

Scope

 

FortiAuthenticator.

Solution


To ensure FortiAuthenticator is completely inaccessible via HTTP (TCP port 80), both HTTP admin access (GUI) and service access (CRL and SCEP) need to be disabled.

 
Note:
If other units rely on FortiAuthenticator for certificate services over HTTP (they access it on http://<FortiAuthenticator>/cert/crl), disabling this access can cause a disruption.

FortiAuthenticator can also serve CRL, SCEP and GUI on port 443 instead.


Even if HTTP (TCP/80) is enabled, the FortiAuthenticator GUI cannot be accessed via HTTP because it is not supported. 


On FortiAuthenticator versions before v6.6.3, the HTTP page still appears but it is not possible to log in. 

Starting from FortiAuthenticator v6.6.3, HTTP admin access is denied.
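
A post-change check, as an added example (not Fortinet tooling and not part of the original article): it confirms that TCP/80 no longer accepts connections, that the CRL path from the note above is not served over HTTP, and that TCP/443 is reachable for the services that remain. The function names and the hostname `fac.example.internal` are placeholders chosen for this example.

```python
"""Verify that a FortiAuthenticator no longer answers on HTTP (added example)."""
import http.client
import socket

CRL_PATH = "/cert/crl"  # HTTP CRL path quoted in the article's note


def tcp_port_state(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable network, name resolution failure
        return "filtered"


def crl_served_over_http(host, port=80, timeout=3.0):
    """True if a plain-HTTP GET of the CRL path returns 200 (redirects are not followed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CRL_PATH)
        return conn.getresponse().status == 200
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def audit_http_exposure(host, http_port=80, https_port=443):
    """Return a list of findings; an empty list means HTTP is off and HTTPS is up."""
    findings = []
    if tcp_port_state(host, http_port) == "open":
        findings.append(f"TCP/{http_port} still accepts connections")
        if crl_served_over_http(host, http_port):
            findings.append(f"CRL still served over HTTP at {CRL_PATH}")
    if tcp_port_state(host, https_port) != "open":
        findings.append(f"TCP/{https_port} not reachable for CRL, SCEP and GUI")
    return findings


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the real unit as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "fac.example.internal"
    for line in audit_http_exposure(host) or ["HTTP disabled, HTTPS reachable"]:
        print(line)
```

Run it from a network segment where the relying units sit, since interface access settings are per interface and a check from the management network alone can miss an interface that still answers on port 80.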