rc42
New Member
March 27, 2019
Question

Management access from a specific outside site, I thought it was simple

  • March 27, 2019
  • 1 reply
  • 28852 views

I've done this countless times on non-Fortinet firewalls so the concepts are far from new for me.

I want to be able to access the management web page from the outside, from a specific IP address.

I do not want to limit in any way the access on other interfaces. Some of the subnets get changed and I don't want to use the permitted host in the management because this could result in the firewall not being accessible. I also need to use the same username outside as in.

Normally I would enable https management, and create an ACL that permitted access to https, on the outside interface, from a specific subnet. And the implicit deny would take care of the rest.

But on the FortiGate when I enable the management access it lets in https from everywhere.

I tried creating a specific inbound policy limiting inbound https to the subnet, and a specific deny policy for https from everywhere (in sequence after the permit). But this seems to do nothing.

    1 reply

    Dave_Hall
    New Member
    March 27, 2019

    I think you want to restrict login to trusted hosts.

    rc42 (Author)
    New Member
    March 27, 2019

    Sorry, I used the term "permitted" host not "trusted" host in my post. This won't work from a practical standpoint because of the conditions.

    The IP subnets behind the firewall are excessive, and subject to change by persons other than myself. This could easily result in the firewall not being accessible following a subnet change.

    This also prevents me from using multiple usernames, since an unrestricted username could be used either internally or externally.

    I'm a little surprised that FortiGate doesn't allow an ACL instead of, or in front of, the interface settings, even through the CLI. I just assumed I was missing something.

    Dave Hall wrote:

    I think you want to restrict login to trusted hosts.

    [Image: Restrict login to trusted hosts.jpg - https://forum.fortinet.com/download.axd?file=0;172802&where=message&f=Restrict login to rusted hosts.jpg]

    jamesmeuli
    New Member
    March 27, 2019

    Have a look at local-in policies mate.
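The reason the asker's permit/deny pair "does nothing" is that ordinary firewall policies only govern traffic forwarded through the FortiGate; traffic addressed to the FortiGate itself (the admin GUI, SSH, IKE and so on) is matched by local-in policies instead. The configuration below is an added example, not from anyone in this thread, of the approach jamesmeuli points to: HTTPS management stays enabled on the outside interface, one source host is allowed in, and an explicit deny catches every other source on that interface, while inside interfaces and the admin accounts are left untouched. The interface name "wan1", the address object name and the source address 203.0.113.10 (RFC 5737 documentation range) are constructed placeholders; adjust them to the unit in question.

```fortios
# Added example, not the thread's own configuration.
# Assumptions (constructed): outside interface is "wan1", permitted admin host is 203.0.113.10/32.

# 1. Management service must still be enabled on the interface. Local-in policies
#    filter what allowaccess lets through; they do not replace it.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# 2. Address object for the single permitted source host.
config firewall address
    edit "MGMT_ADMIN_HOST"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 3. Local-in policies are evaluated top-down against traffic destined to the
#    FortiGate itself. Unmatched local-in traffic is ACCEPTED by default, so the
#    explicit deny in edit 2 is what actually closes the door on wan1.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_ADMIN_HOST"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
        set comments "Admin GUI from the one permitted outside host"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set comments "Everyone else: drop HTTPS destined to the FortiGate on wan1"
    next
end

# 4. Optional: expose local-in policies in the GUI (Policy & Objects > Local In Policy).
config system settings
    set gui-local-in-policy enable
end
```

Two caveats when applying this. The built-in "HTTPS" service object is TCP/443, so if the admin port was moved with `set admin-sport` under `config system global`, create a custom service on that port and use it in both policies. And because edit 2 matches everything the FortiGate itself listens for on TCP/443 via wan1, an SSL VPN portal left on the default port would be blocked too; move it to another port or add an accept entry for it ahead of the deny. To verify, attempt the connection from a host other than the permitted one (it should time out rather than reach a login page) while watching `diagnose debug flow` filtered on port 443, which reports the packet being dropped by the local-in policy.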