albaker1
New Member
January 8, 2025
Question

Need to block access to FortiManager, similar to local-in-policy

  • January 8, 2025
  • 5 replies
  • 3936 views

We've been managing our FGTs with FMG for a while, and we've been trying to figure out how to restrict access to the FMG. We are using SAML SSO, so the trusted hosts option isn't available - at least, it doesn't appear that logins for SSO can be restricted to trusted hosts. I also don't see an option for implementing local-in-policy. Even though all our FGTs are controlled by these controls, our FMG isn't - anyone in our organization can attempt to log in, though we do have logins restricted to a particular group. Especially in light of the critical FMG vulnerability last year, this seems like a serious oversight if it can't be done - hence, I believe it can, but we just can't find the right area to configure.


How are you folks approaching limiting access to which hosts can log into the FMG?

5 replies

funkylicious
SuperUser
January 8, 2025

I usually control who can access what, on FMG and FAZ with firewall rules on the FGT in front of them.

For FAC I use 2 nics, one for WAN where I enable FortiToken and one for LAN for management.

"jack of all trades, master of none"
albaker1 (Author)
New Member
January 8, 2025

I was hoping this wasn't the best option, but I guess that isn't the case. We just replaced our Cisco firewalls with FGTs, and a guy on the team jokingly suggested this morning putting one of the Firepowers in front of the FMG. I am surprised that access to the FMG isn't more robust.


funkylicious
SuperUser
January 8, 2025

Well, it's best practice to have one or more firewalls in front of any public-facing applications/servers and not expose them directly... you can put any kind/vendor of firewall in front of it.

"jack of all trades, master of none"
chall_FTNT
Staff
January 8, 2025

Local-in policies exist on FMG (7.2.0 & later) as well.
For an example, see: PSIRT | FortiGuard Labs

If you are looking to restrict access specifically for the FGFM protocol, consider enabling "fgfm-deny-unknown" to restrict registration/connection attempts only to known FortiGates.
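As an added illustration of the two settings mentioned in this reply (not configuration from the thread or from Fortinet documentation), here is what the combination looks like on a FortiManager 7.2.x CLI. The `fgfm-deny-unknown` setting is the one named above; the `system local-in-policy` field names (`intf`, `src`, `dst`, `protocol`, `dport`, `action`), the interface name `port1`, the VDI subnet `10.10.0.0/16` and first-match evaluation in ID order are my assumptions and should be checked against your own unit before use.

```fortios
# Assumed FortiManager 7.2.x CLI. Goal: admin GUI/SSH only from the VDI admin
# subnet, FGFM only from FortiGates already known to FMG, everything else dropped.

config system global
    set fgfm-deny-unknown enable     # refuse registration/connection from unknown FortiGates
end

config system local-in-policy
    edit 1
        set intf port1               # dedicated management interface (assumed name)
        set src 10.10.0.0/16         # constructed example: VDI admin subnet
        set dst 0.0.0.0/0
        set protocol tcp
        set dport 443                # HTTPS GUI
        set action accept
    next
    edit 2
        set intf port1
        set src 10.10.0.0/16
        set dst 0.0.0.0/0
        set protocol tcp
        set dport 22                 # SSH CLI
        set action accept
    next
    edit 3
        set intf port1
        set src 0.0.0.0/0            # managed FortiGates; fgfm-deny-unknown filters the rest
        set dst 0.0.0.0/0
        set protocol tcp
        set dport 541                # FGFM tunnel
        set action accept
    next
    edit 4
        set intf port1
        set src 0.0.0.0/0            # catch-all for the admin ports, evaluated after 1 and 2
        set dst 0.0.0.0/0
        set protocol tcp
        set dport 443
        set action drop
    next
    edit 5
        set intf port1
        set src 0.0.0.0/0
        set dst 0.0.0.0/0
        set protocol tcp
        set dport 22
        set action drop
    next
end
```

Keep the accept rules before the drop rules and test from a non-VDI host before locking the session you are working from; `show system local-in-policy` lists what is active.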

albaker1 (Author)
New Member
January 8, 2025

This is only part of the problem, so this is great to know. We're wanting to also restrict administrator access to only a handful of subnets.

Toshi_Esumi
SuperUser
January 8, 2025

Separating admin access and using another interface/port dedicated for it is recommended.

Toshi

albaker1 (Author)
New Member
January 8, 2025

We don't allow any management interface directly from the Internet, and we generally don't even allow management access from our entire internal network. Our machines are assigned to subnets when we log into VDI, so we're trying to restrict access to only those subnets. Admin and data access are separated.

Toshi_Esumi
SuperUser
January 8, 2025

Upgrade the FMG to 7.2 when all managed FGTs are upgraded to at least 7.0, then use a local-in-policy.

Toshi

chall_FTNT
Staff
January 9, 2025

As for admin users of type SSO, the trusted host configuration should be configured on the IDP server.

albaker1 (Author)
New Member
January 9, 2025

Chris: I wasn't aware of this. I'll get with our team that handles that. I appreciate the info.


Toshi, FMG is 7.2.8, so I'll check this out.


Thanks all for the replies.


Toshi_Esumi
SuperUser
January 9, 2025

Ours is also 7.2.8. I verified it's there in the CLI. Not sure about the GUI though. I assume it wouldn't be in the GUI until 7.6.x or something, since even FGT started with 7.6.x for the GUI part.

Toshi