|
If the trusted host on the admin or other system admin profile is configured but any unknown internet host tries to access the Public IP configured on the WAN interface, the unknown host is not able to access the firewall, but the login page will still display for that host.
Make sure the configuration already has the HTTPS enabled on the external/WAN interface and has been configured with the trusted host for the respective system admin profile as follows:
config system interface
edit "wan1"
set vdom "root"
set ip 10.5.21.122 255.255.240.0
set allowaccess https ssh
next
end
config system admin
edit "admin"
set trusthost1 172.26.137.25 255.255.255.255
set accprofile "super_admin"
set vdom "root"
next
end
Now login to the firewall only from a trusted host. However, any unknown host can make an attempt to login and the login page of the firewall will still appear for that unknown host.
Create a local-in-policy to prevent the firewall login page from appearing for the unknown host.
config firewall local-in-policy
edit 1
set uuid 86c752c8-b96c-51ec-df8e-9de1fa0fdfcb
set intf "wan1"
set srcaddr "Trusted_Host_IP" <- The same IP as the system admin trusted host IP or pool.
set dstaddr "Wan-IP" login <- WAN or external interface IP.
set action accept
set service "HTTPS"
set schedule "always"
end
Now, a login page will display only for trusted hosts. If other unknown hosts try to attempt to access the firewall, the login page will not upload or display.
Note: This article's steps are valid when the trusted host is specified for all admin accounts in the FortiGate.
For example, if the trusted host is only specified in Admin 1 and not in Admin 2, the login page will be displayed but only Admin 1 will be able to log in.
|
