ronmar
Staff
January 29, 2026

Technical Tip: Configure local-in policy to restrict unauthorized administrative access with custom HTTPS port

Description

This article describes how to configure local-in policies to restrict administrative access from attackers when using a custom HTTPS port.

Scope

FortiGate.

Solution

Unauthorized login attempts against the FortiGate from unknown IPs are a common occurrence. A local-in policy is typically used to block those attempts; another best practice is to change the default HTTPS administrative port to a custom port (for example, from the default TCP/443 to TCP/8443) for additional protection.

 

show full system global | grep sport

    set admin-sport 8443

 

Because the HTTPS port has been changed, a local-in policy that uses the default service "HTTPS" will no longer be effective, since that service matches TCP/443.

 

To block the unauthorized login attempts via HTTPS when using a custom port, an additional step needs to be taken.

 

  1. Create a custom service object with a specific port number for HTTPS:

Go to Policy & Objects -> Services -> Create new.

 

Create the new Service. For example, HTTPS port 8443.

 

Save by selecting OK.

 

  2. Create a Group address object and its corresponding members.

For example, the member subnet here is 192.168.1.0/24; change it to match the subnets that should be allowed administrative access.

 


 

Then use the new service together with the allowed-subnets address group in the local-in policy: Rule1 allows the specific subnet, and Rule2 denies everything else.

 

config firewall local-in-policy
    edit 1
        set intf "port1"                    <-- WAN interface.
        set srcaddr "HTTPS_Allowed_Subnets"
        set dstaddr "all"
        set action accept
        set service "HTTPS_8443"
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS_8443"
        set action deny                     <-- Local-in-policy default action is deny.
        set schedule "always"
        set status enable
    next
end

 

Alternatively, a single local-in policy can block access from all IPs except a specific subnet:

 

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "HTTPS_Allowed_Subnets"
        set srcaddr-negate enable           <-- Negates the source address match: the deny applies to every source except the IPs in 'HTTPS_Allowed_Subnets', which remain allowed.
        set dstaddr "all"
        set action deny
        set service "HTTPS_8443"
        set schedule "always"
        set status enable
    next
end

 

With either configuration, unauthorized administrative access on the custom HTTPS port is blocked, except from the allowed subnets.
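As an added example (not part of the article or of FortiOS), the following Python script audits an exported FortiOS configuration for the mismatch described above: it reads admin-sport, expands the tcp-portrange of the service objects, and reports which enabled deny local-in policies actually cover the administrative port. The config excerpt is constructed sample data, and the flat parser assumes no nested config blocks.

```python
# Constructed FortiOS config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """
config system global
    set admin-sport 8443
end
config firewall service custom
    edit "HTTPS"
        set tcp-portrange 443
    next
    edit "HTTPS_8443"
        set tcp-portrange 8443
    next
end
config firewall local-in-policy
    edit 2
        set action deny
        set service "HTTPS_8443"
        set status enable
    next
end
"""

def parse_sections(text):
    # Flat {section: {entry: {key: value}}}; nested 'config' blocks not handled.
    sections, sec, entry = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            sec, entry = sections.setdefault(line[7:], {}), ""
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            sec.setdefault(entry, {})[key] = value.strip('"')
        elif line == "next":
            entry = ""
    return sections

def service_ports(services, name):
    # Expand tcp-portrange ("443", "8000-8100", "8443:1-65535") to a port set.
    ranges = [r.split(":")[0].partition("-") for r in
              services.get(name, {}).get("tcp-portrange", "").split()]
    return {p for lo, _, hi in ranges for p in range(int(lo), int(hi or lo) + 1)}

def audit_admin_port(config_text):
    # Return (admin port, ids of enabled deny rules whose service covers it).
    cfg = parse_sections(config_text)
    port = int(cfg.get("system global", {}).get("", {}).get("admin-sport", "443"))
    svc = cfg.get("firewall service custom", {})
    return port, [pid for pid, r in cfg.get("firewall local-in-policy", {}).items()
                  if r.get("status", "enable") == "enable"
                  and r.get("action", "deny") == "deny"
                  and port in service_ports(svc, r.get("service", ""))]
```

An empty list for a non-default admin port reproduces the situation the article warns about: a deny rule still bound to the TCP/443 "HTTPS" service while the administrative port is 8443.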

 

Notes:

  • While security profiles control traffic flowing through the FortiGate, local-in policies control inbound traffic that is going to a FortiGate interface. For more details, see the document Local-in policy.
  • Starting from FortiOS v7.6.0, Local-In policies can be created on the GUI. See Changes in GUI behavior.
  • Starting from v7.4.6 and in v7.6.x, SD-WAN zones can be selected as an interface in the firewall local-in policy. The interfaces that are members of that zone cannot be selected individually. For more details, see the article Technical Tip: SD-WAN zone in Local-in Policy.
  • Another way to harden the device would be to add a trusted host. Up to 10 trusted host subnets can be added to the specific administrator account. More about the trusted host and the best practices can be read under System administrator best practices for FortiGate.


To enable the Local-In policy feature in the GUI, go to System -> Feature Visibility.

 

To enable it in the CLI:

config system settings
    set gui-local-in-policy enable
end

 

To configure the local-in policy via the GUI, navigate to Policy & Objects -> Local-in Policy and select Create new.

 

Rule1 allows the specific subnet, and Rule2 denies all other IPs, mirroring the two CLI entries above.

 
