Steven_Lengua
New Member
October 28, 2014
Solved

Restrict Inbound HTTPS traffic to a specific IP

  • October 28, 2014
  • 1 reply
  • 33118 views

We have a Fortigate 600C. At the moment you can get to our Firewall admin page through https from the internet. What is the best way to lock down this access to only allow access from specific IP's? So, we would still like access to the admin page and to get logged in from the internet, but only from specific IP addresses.

Thanks in advance. New to Fortinet and need all the assistance I can get.


1 reply

Dave_Hall
New Member
October 28, 2014

Management restriction can be done in several ways. On each interface you can define which ports are open for admin access; then under the admin settings, you can define the actual port numbers themselves and the idle timeout. For each admin ID are options for restricting access to trusted IP hosts/subnets, which is likely what you want. (Not pictured are options for authentication types/two-factor authentication.)

If you are new to managing Fortigates, take a look at the Install and System Admin handbook (link is for 5.0 firmware).

    JohnAgora
    New Member
    March 18, 2016

    If I have several users and profiles, and I want the same restrictions for all (10.0.0.x, 10.20.0.x) should I do that in all the users?

ede_pfau
SuperUser
March 20, 2016

@JohnAgora: Yes. There is no 'global' IP whitelist.

It should be mentioned that direct mgmt access from WAN is a (IMHO huge) security risk by itself. If you know the IP addresses of authorized persons in advance you should set up a VPN and access mgmt on an internal port. I prefer IPsec VPN (with long PSKs or certs) as it has not yet been compromised, but an SSLVPN in tunnel mode should do as well in most cases. The additional one-time effort is small compared to the constant threat to publicly exposed open ports for HTTPS or SSH (see Heartbleed etc.).
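The three settings Dave_Hall describes (per-interface admin access, admin port and idle timeout, per-admin trusted hosts) and ede_pfau's point that the trusted-host list must be repeated on every admin account, written out as FortiOS CLI configuration. This is an added example, not configuration from any poster; the account names "admin" and "netops", the interface name "wan1", and the use of the 10.0.0.0/24 and 10.20.0.0/24 ranges from JohnAgora's question are assumptions.

```fortios
# Added example (not from the thread). Assumes admin accounts "admin" and
# "netops", a WAN interface named "wan1", and the two ranges from the question.

# 1. Per interface: which management services the WAN port answers at all.
#    Leaving http/ssh/telnet out of the list closes them on that interface.
config system interface
    edit "wan1"
        set allowaccess https ping
    next
end

# 2. Admin settings: HTTPS admin port and idle timeout (minutes).
config system global
    set admin-sport 443
    set admintimeout 5
end

# 3. Trusted hosts are per admin account. There is no global list, so the
#    same trusthost entries are repeated on every account; an account with
#    no trusthost entries stays reachable from any source allowaccess permits.
#    Caveat: trusthost applies on every interface, not only the WAN side, so
#    the subnets that internal administrators log in from must be listed too.
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 10.20.0.0 255.255.255.0
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 10.20.0.0 255.255.255.0
    next
end

# Check: "show system admin" should list the trusthost lines under each
# account, and "show system interface wan1" only the allowaccess services intended.
```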