FortiGate
mpuente
Staff
Article Id 196533

Description

 

This article describes how to prevent Administrator access to the GUI but still allow admin access via the CLI.

Scope

 

Configure an administrator who can access the FortiGate only via the CLI over SSH.


Solution

 

  1. Create an Administrator Profile in the GUI:
    Here, define the access level required for each access control: None, Read Only, or Read-Write.
    System -> Admin Profiles -> Create New.

  2. Create an administrator:
    Create the administrator user and apply the Administrator Profile created in Step 1. Enable Restrict login to trusted hosts -> Define the IP ranges for admin access.
    System -> Administrators -> Create new.

  3. Create a new Object/Address:
    Create an IP address object with the same range as the admin Trusted Host (Step 2).
    Policy & Objects -> Addresses -> Create new address.

  4. Enable local-in-policy:
    Finally, configure the local-in policy to reject HTTP, HTTPS, and TELNET. This leaves SSH as the only allowed access method, so the administrator can reach only the CLI.
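
A local-in policy matching Step 4, written out as FortiOS CLI. This is an added example, not the configuration from the original article: the interface "port1", the address object name "admin_cli_hosts" and the policy ID 1 are assumptions to replace with your own values.

```fortios
# Added example. Lines starting with # are annotations.
# Assumed names: interface "port1", address object "admin_cli_hosts", policy ID 1.
# "admin_cli_hosts" stands for the address object created in Step 3, which
# covers the same range as the trusted hosts defined in Step 2.
# SSH is not in the service list, so it is not rejected by this policy.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "admin_cli_hosts"
        set dstaddr "all"
        set service "HTTP" "HTTPS" "TELNET"
        set action deny
        set schedule "always"
        set status enable
    next
end
```

A local-in policy matches on source address, not on the administrator account, so every administrator connecting from that range loses HTTP, HTTPS and TELNET access on that interface. The predefined HTTP and HTTPS services cover the default ports only; if the GUI listens on custom admin ports, a custom service for those ports is needed in the service list.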
     


    Verification:
    Results:

    The administrator admin_cli has access only via the CLI and not via the GUI.