karolbags
New Member
March 2, 2026
Question

Fortimanager - Internet Facing ACL

  • March 2, 2026
  • 1 reply
  • 76 views

We're an MSSP hosting our own on prem multi-tenant Fortimanager and a few thousand FortiGates out in the field and VMs in our datacenters / public cloud.

Prior to CVE-2024-47575 we had our FMG exposed to the internet. Upon the news breaking we ACL'ed off the FMG to known FGT IPs. The problem with this is that we offer SD-WAN with LTE (behind CG-NAT), so static IP-based ACLs (via threat feed) are creating massive operational headaches.

I have some designs I've been considering on how to work around this, but I'd like to hear from you guys on how you've chosen to handle this.

1 reply

Toshi_Esumi
SuperUser
March 2, 2026

Basically it's impossible to filter in only your FGTs if those devices are behind CG-NAT, even with a local-in policy. The public IPs your FMG can see are shared. Speaking of CVE-2024-47575, the patch was made available in a later version of each major release, which you can upgrade your FMG to.

Toshi