wws
New Member
April 1, 2025
Solved

Webui access from specific internet address


New FortiGate admin here. I'm looking to enable web-admin on the WAN ports, but only allow access from specific IP addresses. I've created the address objects, but am not seeing how to configure a firewall policy. There would (obviously) be no outgoing interface.

I can see a couple of suggestions coming, so to avoid those...

  • I'd rather not have to use a VPN just for remote admin access.
  • Also, configuring "trusted hosts" for specific users still exposes the admin ports to the entire internet, which is an all-around bad idea.

So, a firewall policy should be the way to go...

Any help would be appreciated!


wws
Author, Answer
New Member
April 2, 2025

Local policies look powerful.  But, I went with something a little simpler:  a Virtual IP + Firewall Policy.  The virtual IP forwards the webui port through to the firewall's internal address, and the firewall policy controls who has access.
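The VIP + firewall-policy setup described in that answer, written out as an added example in FortiOS CLI syntax (not taken from the thread or from Fortinet documentation). Interface names, the addresses and the allowed admin host are assumed placeholders; the policy's implicit deny drops every other source.

```fortios
# Added example (not from the thread). Assumed placeholders:
#   wan1     = WAN interface, 198.51.100.2 = its public IP
#   internal = LAN interface, 192.168.1.99 = the FortiGate's internal IP
#   203.0.113.10 = the single remote admin host that is allowed in
# Admin HTTPS must NOT be in allowaccess on wan1; keep it on internal only.

# 1. Allowed source(s) for remote administration
config firewall address
    edit "admin-host-1"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "admin-hosts"
        set member "admin-host-1"
    next
end

# 2. VIP: forward HTTPS on the WAN address to the firewall's own
#    internal address on the admin port (admin-sport, default 443).
#    No port translation, so the policy's HTTPS service matches.
config firewall vip
    edit "vip-admin-webui"
        set extintf "wan1"
        set extip 198.51.100.2
        set portforward enable
        set extport 443
        set mappedip "192.168.1.99"
        set mappedport 443
    next
end

# 3. Firewall policy: only the admin group may reach the VIP.
#    Anything else sent to the VIP falls through to the implicit deny.
config firewall policy
    edit 0
        set name "remote-admin-webui"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "admin-hosts"
        set dstaddr "vip-admin-webui"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Check with `show system interface wan1` that `allowaccess` on the WAN interface does not include `https`, so the only path to the WebUI from the WAN side is this policy-controlled VIP.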

AEK
SuperUser
April 2, 2025

I didn't test it because I find it more secure to avoid publishing the WebUI directly on WAN. But through VPN is much more secure. However, I find your method a good idea for hardening access to WebUI from WAN.

BTW, there is another approach with a loopback interface, explained by Yurisk in this article. He did it for SSL VPN, but it should also work for WebUI.

https://yurisk.info/2023/03/21/fortigate-vpn-ssl-hardening-guide/#_move_vpn_ssl_listening_interface_to_a_loopback_interface

AEK