Description
This article describes the Trust IP Address feature, which restricts the source IP addresses that are allowed to reach the management services (HTTPS, SSH, and so on) enabled on an interface.
Scope
FortiADC v6.2.0 and later. Firmware before v6.2.0 can only enable or disable each management service per interface with the 'allowaccess' setting; it cannot restrict which source addresses may use those services.
Solution
From GUI:
- Go to Network -> Interface.
- Edit the network interface, enable Trust IP Address, and select 'Save'.
- Edit the network interface again and select 'Create New' under the Trust IP Address List table.
- Set Name (a required configuration name with no spaces) and the address to trust, then save.
From CLI:
# config system interface
    edit "port1"
        set vdom root
        set ip 1.0.16.100/20
        set allowaccess https ping ssh http telnet
        set trust-ip enable
        config trust-ip-list
            edit "TrustHost-01"
                set type ip-netmask
                set ip-netmask 1.0.16.2/32
            next
        end
        config ha-node-ip-list
        end
        set traffic-group default
    next
end
Note that trust-ip only limits which sources can reach the services listed under 'allowaccess'; it does not protect the services themselves. The example above still enables http and telnet, which carry credentials in cleartext, so restrict 'allowaccess' to https and ssh unless the cleartext protocols are genuinely required.
Verify the configuration with the built-in sniffer. From a trusted IP (1.0.16.2), the TCP 3-way handshake completes: SYN, SYN-ACK, ACK.
(P) FortiADC-10 (global) # diagnose sniffer packet any ' host 1.0.16.100 and port 443 ' 4
interfaces=[any]
filters=[ host 1.0.16.100 and port 443 ]
5.547025 port1 in 1.0.16.2.52917 -> 1.0.16.100.443: syn 3631164300
5.546973 port1 out 1.0.16.100.443 -> 1.0.16.2.52917: syn 803537514 ack 3631164301
5.547300 port1 in 1.0.16.2.52917 -> 1.0.16.100.443: ack 803537515
From an untrusted IP (149.202.20.73), the SYN is dropped silently: no SYN-ACK is sent, the client keeps retransmitting the same SYN, and the handshake never completes.
(P) FortiADC-10 (global) # diagnose sniffer packet any ' host 1.0.16.100 and port 443 ' 4
interfaces=[any]
filters=[ host 1.0.16.100 and port 443 ]
4.956375 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
7.967029 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
13.972978 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
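Reading handshakes by eye works for two clients, but a longer capture is easier to audit with a script. The following is an added example, not Fortinet code or part of the original article: it parses verbosity-4 'diagnose sniffer packet' lines, decides per client flow whether the 3-way handshake to the management service completed, was reset, or got no reply, and then compares the outcome of each client against the configured trust-ip-list. The capture text, the management address 1.0.16.100:443 and the trust list are the article's values embedded as constructed sample input; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FortiADC 'diagnose sniffer packet ... 4' output, modelled on
# the article's two captures: a trusted client (1.0.16.2) and an untrusted one.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[ host 1.0.16.100 and port 443 ]
5.547025 port1 in 1.0.16.2.52917 -> 1.0.16.100.443: syn 3631164300
5.546973 port1 out 1.0.16.100.443 -> 1.0.16.2.52917: syn 803537514 ack 3631164301
5.547300 port1 in 1.0.16.2.52917 -> 1.0.16.100.443: ack 803537515
4.956375 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
7.967029 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
13.972978 port1 in 149.202.20.73.49535 -> 1.0.16.100.443: syn 4133304780
"""

# One packet line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags/seq...>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh"}


def parse_capture(text):
    """Yield one dict per packet line; header/filter lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        # Keep only the flag keywords; sequence and ack numbers are dropped.
        pkt["flags"] = {tok for tok in pkt["flags"].split() if tok in TCP_FLAGS}
        yield pkt


def classify_handshakes(text, mgmt_ip, mgmt_port):
    """Group packets into client flows toward mgmt_ip:mgmt_port and classify each as
    'completed' (SYN, SYN-ACK, ACK all seen), 'reset', 'no-response' (SYNs with no
    SYN-ACK, the trust-ip drop signature) or 'partial'. Keyed by 'client_ip:port'."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False, "rst": False})
    for pkt in parse_capture(text):
        if pkt["dst"] == mgmt_ip and pkt["dport"] == str(mgmt_port):
            f = flows[f"{pkt['src']}:{pkt['sport']}"]          # client -> management
            if pkt["flags"] == {"syn"}:
                f["syn"] += 1                                   # initial SYN or retransmit
            elif "ack" in pkt["flags"] and "syn" not in pkt["flags"]:
                f["ack"] = True                                 # third packet of the handshake
        elif pkt["src"] == mgmt_ip and pkt["sport"] == str(mgmt_port):
            f = flows[f"{pkt['dst']}:{pkt['dport']}"]          # management -> client
            if {"syn", "ack"} <= pkt["flags"]:
                f["synack"] = True
            if "rst" in pkt["flags"]:
                f["rst"] = True
    results = {}
    for flow, f in flows.items():
        if f["syn"] and f["synack"] and f["ack"]:
            status = "completed"
        elif f["rst"]:
            status = "reset"
        elif f["syn"] and not f["synack"]:
            status = "no-response"
        else:
            status = "partial"
        results[flow] = {"status": status, "syn_count": f["syn"]}
    return results


def audit_against_trust_list(results, trust_list):
    """Compare observed outcomes with the configured trust-ip-list (CIDR strings).
    Returns (flow, reason) pairs where the outcome contradicts the intended policy."""
    nets = [ipaddress.ip_network(n) for n in trust_list]
    violations = []
    for flow, info in results.items():
        ip = ipaddress.ip_address(flow.rsplit(":", 1)[0])
        trusted = any(ip in n for n in nets)
        if trusted and info["status"] != "completed":
            violations.append((flow, "trusted client could not complete the handshake"))
        if not trusted and info["status"] == "completed":
            violations.append((flow, "untrusted client reached the management service"))
    return violations


if __name__ == "__main__":
    outcome = classify_handshakes(SAMPLE_CAPTURE, "1.0.16.100", 443)
    for flow, info in outcome.items():
        print(f"{flow}: {info['status']} (SYNs seen: {info['syn_count']})")
    print("violations:", audit_against_trust_list(outcome, ["1.0.16.2/32"]))
```

Run it against a saved capture taken while a trusted and an untrusted host each attempt a connection; an empty violations list means the observed behaviour matches the trust-ip-list. A 'reset' outcome for an untrusted client would indicate the SYN reached a listening service and was refused by the TCP stack rather than dropped by the trust-ip filter, which is worth investigating separately.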
Copyright 2023 Fortinet, Inc. All Rights Reserved.