FortiGate
msolanki
Staff
Article Id 209505
Description This article describes how to prevent the FortiGate login page from displaying for an unknown internet host.
Scope FortiGate.
Solution

A trusted host configured on the admin account (or any other system administrator account) only restricts which source addresses are allowed to authenticate. If an unknown Internet host connects to the public IP configured on the WAN interface, that host cannot log in, but the FortiGate still completes the TLS handshake and serves the login page to it. The page identifies the device as a FortiGate and keeps the management web server reachable by anyone who can reach the address, so the trusted host alone does not reduce the exposed attack surface.

Make sure HTTPS is already enabled in allowaccess on the external/WAN interface and that a trusted host is configured on the relevant system admin account, as follows:

 

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.5.21.122 255.255.240.0
        set allowaccess https ssh
    next
end

config system admin
    edit "admin"
        set trusthost1 172.26.137.25 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
    next
end

 

From this point on, log in to the firewall only from the trusted host. Any other host can still open the management URL, however, and the firewall login page is still served to it; only the authentication attempt fails.
To stop the login page from being served to unknown hosts at all, create a local-in policy that accepts HTTPS to the WAN address only from the trusted host:

 

config firewall local-in-policy
    edit 1
        set uuid 86c752c8-b96c-51ec-df8e-9de1fa0fdfcb  <- Generated automatically; it does not need to be typed in.
        set intf "wan1"
        set srcaddr "Trusted_Host_IP"  <- Address object containing the same IP (or pool) as the system admin trusted host.
        set dstaddr "Wan-IP"  <- Address object containing the WAN/external interface IP.
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
end

 

The login page is now served only to the trusted host. When any other host tries to reach the management address, the local-in policy drops the connection and the page never loads. Verify this from an address outside the trusted host range: a browser or a curl request to https://<WAN-IP>/ should time out instead of returning the FortiGate login page, and "show firewall local-in-policy" on the FortiGate should list the policy. If the page still loads on the FortiOS release in use, add a second local-in policy after the accept policy that denies the same service on the same interface from all other sources. Two further points: the "Trusted_Host_IP" and "Wan-IP" address objects must exist under "config firewall address" before the policy can reference them, and the policy source address must cover the trusted hosts of every administrator who manages the device through the WAN interface, otherwise those administrators lock themselves out of remote management (console access is not affected by local-in policies).
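The following is the complete configuration as an added example; it is not the article's own CLI output. It assumes the values used above (trusted host 172.26.137.25, WAN address 10.5.21.122, interface wan1, object names "Trusted_Host_IP" and "Wan-IP"). It adds the two address objects the local-in policy references, covers SSH as well as HTTPS because allowaccess enables both, and follows the accept policy with an explicit deny (policy ID 2 is an assumption) so the result does not depend on the implicit local-in behaviour of the FortiOS release in use. FortiOS CLI has no comment syntax, so the assumptions are recorded in the comment fields of the address objects.

```fortios
config firewall address
    edit "Trusted_Host_IP"
        set type ipmask
        set subnet 172.26.137.25 255.255.255.255
        set comment "Example value: must equal the trusthost of every admin who manages the device via wan1"
    next
    edit "Wan-IP"
        set type ipmask
        set subnet 10.5.21.122 255.255.255.255
        set comment "Example value: the address assigned to wan1"
    next
end

config system admin
    edit "admin"
        set trusthost1 172.26.137.25 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "Trusted_Host_IP"
        set dstaddr "Wan-IP"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "Wan-IP"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

Policies are evaluated in order, so the accept for the trusted host must sit above the deny. To confirm the behaviour, run "diagnose sniffer packet wan1 'port 443' 4" on the FortiGate while connecting from an untrusted address: SYN packets arrive on wan1 but the FortiGate sends no response, and the client's connection attempt times out without ever receiving a certificate or the login page. Repeat the connection from 172.26.137.25 before closing the session used to apply the change, to be sure the trusted host is still able to log in.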

 

Note: the steps in this article assume that a trusted host is specified on every administrator account on the FortiGate, because the trusted-host restriction is evaluated per account.

For example, if a trusted host is specified for Admin 1 but not for Admin 2, the login page is displayed to any host and Admin 2 can log in from any source address; only Admin 1 is restricted to its trusted host. The local-in policy source address must likewise include the trusted hosts of every account that manages the FortiGate through the WAN interface.