FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
saleha
Staff & Editor
Article Id 271812
Description This article describes how to gain administrator access to FortiGate over SSL VPN.
Scope FortiGate.
Solution

A network administrator can access the FortiGate web admin GUI or an SSH session over an SSL VPN connection.

  • A firewall policy allowing the connected user to access the management interface IP from the ssl.root interface is required.
  • The source address of the policy should be the address range assigned by the SSL VPN to the connected user while the destination can be a subnet or the specific address of the management interface:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
end

config firewall policy
    edit 1
        set name "sslvpn_admin_access"
        set uuid feecba32-4b23-51ee-aa07-3bbdd4a46dac
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "admin_address"
        set schedule "always"
        set service "ALL"
    next
end

To make the policy more specific, set the service to only what is needed. In this case, that would be the ICMP, HTTPS (443), SSH (22), HTTP (80) and telnet (23) services.
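As an added example that is not part of the article, the following Python script audits a saved FortiOS configuration for SSL VPN admin-access policies that still use service "ALL", so the narrowing described above can be verified after the change. The sample configuration is constructed for this example (the article's policy plus a tightened copy); `parse_policies` and `find_broad_sslvpn_admin_policies` are hypothetical helper names.

```python
import re

# Constructed sample: the article's policy (service "ALL") next to a tightened copy.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "sslvpn_admin_access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set dstaddr "admin_address"
        set service "ALL"
    next
    edit 2
        set name "sslvpn_admin_access_tight"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set dstaddr "admin_address"
        set service "PING" "HTTPS" "SSH"
    next
end
"""

def parse_policies(config_text):
    # Return {policy_id: {attribute: [values]}} for each edit block under
    # 'config firewall policy'; quoted values are split per object name.
    policies, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = re.findall(r'"([^"]*)"', rest) or rest.split()
        elif line == "next":
            current = None
        elif line == "end":
            in_section = False
    return policies

def find_broad_sslvpn_admin_policies(config_text, tunnel_intf="ssl.root"):
    # IDs of accept policies sourced from the SSL VPN interface whose service is ALL.
    return [pid for pid, p in parse_policies(config_text).items()
            if tunnel_intf in p.get("srcintf", [])
            and p.get("action") == ["accept"]
            and "ALL" in p.get("service", [])]
```

Feed it the output of `show firewall policy` to list the policy IDs that still need their service list narrowed.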