FortiGate
cphi
Staff
Article Id 295120
Description

 

This article describes how to restrict FMG-Access (the FGFM listener on TCP/541, enabled per interface with the 'fgfm' option of 'set allowaccess' on the FortiGate) to a specific list of allowed source IPs. Notably, FMG-Access is not restricted by the Trusted Hosts configured for admin users (set trusthost1, trusthost2, etc.), nor by the trust-ip entries of a dedicated management interface (e.g. 'set dedicated-to management'). Both of those only constrain administrative logins; the FGFM listener itself still accepts connections from any source.

 

In the following example, the dedicated management interface has had access limited to 192.168.1.0/24 via trust-ip-1, and Trusted Hosts have been set for the main 'admin' account to limit allowed logins to sources in 192.168.2.0/24. However, when running diagnose firewall iprope list 010000e (the iprope group that carries the per-interface allowaccess entries), the entry for FMG-Access (listening on TCP/541) is fully open to all incoming source addresses ('source(1): 0.0.0.0-255.255.255.255').

 

show system interface mgmt
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 2
        set trust-ip-1 192.168.1.0 255.255.255.0
    next
end

 

show system admin
config system admin
    edit "admin"
        set trusthost1 192.168.2.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXXXXXXXXX
    next
end

 

diagnose firewall iprope list 010000e

policy index=4294967295 uuid_idx=10 action=accept
flag (0):
cos_fwd=0  cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.21.7.26-10.21.7.26, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto

 

Scope

 

FortiGate.

 

Solution

 

To prevent FMG-Access from being reachable from all source IP addresses, two local-in policies need to be created on the FortiGate. The first local-in policy permits incoming TCP/541 traffic from the specific allowed source addresses, and the second local-in policy denies TCP/541 from every other source. Make sure the allowed address object covers every address the FortiManager connects from as seen by the FortiGate (after any NAT on the path); otherwise the deny policy will block FortiManager itself. Note also that the policies below are bound to the 'mgmt' interface only, so FMG-Access enabled on any other interface remains unrestricted unless equivalent local-in policies are created for it.

 

  1. Create the firewall service for TCP/541.

config firewall service custom
    edit "FMG-Access"
        set tcp-portrange 541
    next
end

 

  2. Create the firewall address(es) for the trusthost(s).

config firewall address
    edit "192.168.1.0/24"
        set subnet 192.168.1.0 255.255.255.0
    next
end

 

  3. Create one local-in policy to permit the traffic from the trusthost(s) and a second local-in policy to deny all other sources. The action of a local-in policy defaults to deny; it is set explicitly on the second policy below so that the intent is visible in the configuration.

config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "192.168.1.0/24"
        set dstaddr "all"
        set action accept
        set service "FMG-Access"
        set schedule "always"
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "FMG-Access"
        set schedule "always"
    next
end

 

Once the local-in policies have been created, two entries are added to iprope group 00100001, which is evaluated before iprope group 010000e (the group holding the allowaccess entries). Iprope policies are matched top-down with the first match winning, just like firewall policies, so a TCP/541 connection from 192.168.1.0/24 hits the accept entry in group 00100001, and a connection from any other source hits the drop entry in the same group before the open allowaccess entry in group 010000e is ever consulted. Both entries can be verified with the command below.

 

diagnose firewall iprope list 00100001

policy index=1 uuid_idx=514 action=accept
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0  cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
        [6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto

policy index=2 uuid_idx=515 action=drop
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0  cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
        [6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
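To make the top-down iprope matching concrete, and to give a repeatable check for the exposure described in the Description section, the following is an added Python example; it is not part of this article and not Fortinet code. It parses the text of 'diagnose firewall iprope list' output, reports accept entries whose source covers every IPv4 address, and replays a lookup for a given source address in the order the groups are evaluated. The embedded listings are copied from this article's two outputs with the flag, cos and misc lines trimmed; the group evaluation order (00100001 before 010000e) is taken from the text above, and the sample source addresses 192.168.1.5 and 10.0.0.5 are assumptions chosen for the demonstration.

```python
"""Parse 'diagnose firewall iprope list' output and replay top-down matching.

Added example, not Fortinet code. Fixtures below are the article's listings,
trimmed of the flag/cos/misc lines that the matcher does not use.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed fixture: group 00100001 after the two local-in policies exist.
IPROPE_LOCAL_IN = """\
policy index=1 uuid_idx=514 action=accept
schedule(always)
group=00100001 av=00000000 au=00000000 split=00000000
zone(1): 4 -> zone(1): 0
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
        [6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto

policy index=2 uuid_idx=515 action=drop
schedule(always)
group=00100001 av=00000000 au=00000000 split=00000000
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
        [6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
"""

# Constructed fixture: group 010000e, the per-interface allowaccess entries.
IPROPE_ALLOWACCESS = """\
policy index=4294967295 uuid_idx=10 action=accept
group=0010000e av=00000000 au=00000000 split=00000000
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.21.7.26-10.21.7.26, uuid_idx=0,
service(1):
        [6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
"""

HEADER_RE = re.compile(r"^policy index=(\d+).*?\baction=(\w+)")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
# [proto:0x..:0/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
SERVICE_RE = re.compile(
    r"\[(\d+):0x[0-9a-fA-F]+:\d+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]")
ALL_V4 = (0, 2**32 - 1)   # what 0.0.0.0-255.255.255.255 parses to


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Policy:
    index: int
    action: str
    sources: list    # [(lo, hi)] as integers
    dests: list
    services: list   # [(proto, dport_lo, dport_hi)]

    def matches(self, src, dst, proto, dport):
        # Source port is listed by iprope but ignored here; it is not what
        # decides whether a management listener is reachable.
        return (any(lo <= src <= hi for lo, hi in self.sources)
                and any(lo <= dst <= hi for lo, hi in self.dests)
                and any(p == proto and lo <= dport <= hi
                        for p, lo, hi in self.services))


def parse_iprope(text):
    """Split one group listing into Policy objects, in listed order."""
    policies = []
    for chunk in re.split(r"(?m)^(?=policy index=)", text):
        m = HEADER_RE.match(chunk)
        if not m:
            continue

        def ranges(label):
            line = re.search(rf"(?m)^{label}\(\d+\): (.*)$", chunk)
            return [(_ip(a), _ip(b))
                    for a, b in RANGE_RE.findall(line.group(1))] if line else []

        services = [(int(p), int(dlo), int(dhi))
                    for p, _slo, _shi, dlo, dhi in SERVICE_RE.findall(chunk)]
        policies.append(Policy(int(m.group(1)), m.group(2),
                               ranges("source"), ranges("dest"), services))
    return policies


def first_match(groups, src, dst, proto, dport):
    """groups: [(group_id, policies)] in kernel evaluation order; first hit wins."""
    s, d = _ip(src), _ip(dst)
    for gid, policies in groups:
        for p in policies:
            if p.matches(s, d, proto, dport):
                return gid, p.index, p.action
    return None


def open_to_world(policies, proto=6):
    """Accept entries reachable from every IPv4 source: (index, dport_lo, dport_hi)."""
    return [(p.index, lo, hi) for p in policies
            if p.action == "accept" and ALL_V4 in p.sources
            for pr, lo, hi in p.services if pr == proto]


if __name__ == "__main__":
    local_in = parse_iprope(IPROPE_LOCAL_IN)
    allowaccess = parse_iprope(IPROPE_ALLOWACCESS)
    print("open to all sources in 010000e:", open_to_world(allowaccess))
    groups = [("00100001", local_in), ("010000e", allowaccess)]
    for src in ("192.168.1.5", "10.0.0.5"):      # assumed sample sources
        print(src, "->", first_match(groups, src, "10.21.7.26", 6, 541))
```

Against real output, paste the listings of each group you care about in place of the fixtures; the group order matters, since the whole point of the fix is that 00100001 is consulted before 010000e. The open_to_world report on group 010000e is the quick audit for any other allowaccess listener that is reachable from 0.0.0.0/0.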
