Description
This article describes how to limit FMG-Access (set on a per-interface basis on the FortiGate) to a specific list of allowed source IPs. Notably, FMG-Access is not affected by the list of Trusted Hosts configured for Admin users (set trusthost1, trusthost2, etc.), nor is it affected by the trust-ip specified for dedicated management interfaces (e.g. ‘set dedicated-to management’).
In the following example, the dedicated management interface has had access limited to 192.168.1.0/24, and Trusted Hosts have been set for the main 'admin' account to limit allowed access to sources from 192.168.2.0/24. However, when running diagnose firewall iprope list 010000e, the entry for FMG-Access (listening on TCP/541) is still fully open to all incoming source addresses ('source(1): 0.0.0.0-255.255.255.255').
show system interface mgmt
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 2
        set trust-ip-1 192.168.1.0 255.255.255.0
    next
end
show system admin
config system admin
    edit "admin"
        set trusthost1 192.168.2.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXXXXXXXXX
    next
end
diagnose firewall iprope list 010000e
policy index=4294967295 uuid_idx=10 action=accept
flag (0):
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.21.7.26-10.21.7.26, uuid_idx=0,
service(1):
[6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
Scope
FortiGate.
Solution
To prevent FMG-Access from being reachable from all source IP addresses, create two local-in policies on the FortiGate. The first local-in policy permits incoming TCP/541 traffic from the specific allowed source IP addresses, and the second local-in policy denies TCP/541 from all other sources.
- Create the firewall service for TCP/541.
config firewall service custom
    edit "FMG-Access"
        set tcp-portrange 541
    next
end
- Create the firewall address(es) for the trusthost(s).
config firewall address
    edit "192.168.1.0/24"
        set subnet 192.168.1.0 255.255.255.0
    next
end
- Create one local-in policy to permit the traffic from the trusthost(s) and a second local-in policy, placed after it, to deny all other sources.
config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "192.168.1.0/24"
        set dstaddr "all"
        set action accept
        set service "FMG-Access"
        set schedule "always"
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "FMG-Access"
        set schedule "always"
    next
end
Once the local-in policies have been created, two entries are added to iprope group 00100001, which is evaluated before iprope group 010000e. Iprope policies are matched top-down, first match wins, just like firewall policies, so the explicit deny in group 00100001 is reached before the open FMG-Access entry in group 010000e.
diagnose firewall iprope list 00100001
policy index=1 uuid_idx=514 action=accept
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
policy index=2 uuid_idx=515 action=drop
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
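As an added example (not part of the original article or Fortinet's tooling), the following Python parses trimmed copies of the two iprope listings above and replays the top-down match, so the before/after effect of the local-in policies can be checked offline. It assumes the group 00100001 listing is concatenated ahead of the 0010000e listing, and ignores destination addresses.

```python
import re
from ipaddress import ip_address

# Constructed sample, trimmed from the article's listings: the built-in FMG-Access
# entry (group 0010000e) and the two local-in policies (group 00100001).
GROUP_0010000E = """\
policy index=4294967295 uuid_idx=10 action=accept
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
[6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
"""
GROUP_00100001 = """\
policy index=1 uuid_idx=514 action=accept
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
policy index=2 uuid_idx=515 action=drop
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
"""

POLICY_RE = re.compile(r"^policy index=(\d+) .*\baction=(\w+)")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
SERVICE_RE = re.compile(r"^\[(\d+):.*->\((\d+),(\d+)\)\]")  # [proto:...->(dport_lo,dport_hi)]

def parse_iprope(text):
    """Turn 'diagnose firewall iprope list' output into policy dicts, in listing order."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            cur = {"index": int(m[1]), "action": m[2], "sources": [], "services": []}
            policies.append(cur)
        elif cur and line.startswith("source("):
            cur["sources"] += [(ip_address(a), ip_address(b)) for a, b in RANGE_RE.findall(line)]
        elif cur and (m := SERVICE_RE.match(line)):
            cur["services"].append((int(m[1]), int(m[2]), int(m[3])))  # (proto, lo, hi)
    return policies

def decide(policies, src, dport=541, proto=6):
    """First-match verdict, as iprope evaluates top-down (groups listed earlier win).
    Simplified to source address and service; destination address is ignored."""
    src = ip_address(src)
    for p in policies:
        if any(lo <= src <= hi for lo, hi in p["sources"]) and any(
                pr == proto and lo <= dport <= hi for pr, lo, hi in p["services"]):
            return p["index"], p["action"]
    return None, "no-match"

if __name__ == "__main__":
    after = parse_iprope(GROUP_00100001 + GROUP_0010000E)  # local-in group is read first
    print(decide(after, "192.168.2.10"), decide(after, "192.168.1.10"))
```

Running it against only the 0010000e listing returns accept for any source, which is the exposure described in the Description section; with the 00100001 listing in front, only 192.168.1.0/24 reaches the accept and everything else hits the drop.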