This article describes how to limit FMG-Access (set on a per-interface basis on the FortiGate) to a specific list of allowed source IPs. Notably, FMG-Access is not affected by the list of Trusted Hosts configured for Admin users (set trusthost1, trusthost2, etc.), nor is it affected by the trust-ip specified for dedicated management interfaces (e.g. ‘set dedicated-to management’).
In the following example, access to the dedicated management interface has been limited to 192.168.1.0/24, and Trusted Hosts have been set for the main 'admin' account to limit allowed access to sources in 192.168.2.0/24. However, when running 'diagnose firewall iprope list 010000e', the entry for FMG-Access (listening on TCP/541) is still fully open to all incoming source addresses ('source(1): 0.0.0.0-255.255.255.255').
show system interface mgmt
config system interface
edit "mgmt"
set vdom "root"
set ip 10.1.1.1 255.255.255.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set dedicated-to management
set role lan
set snmp-index 2
set trust-ip-1 192.168.1.0 255.255.255.0
next
end
show system admin
config system admin
edit "admin"
set trusthost1 192.168.2.0 255.255.255.0
set accprofile "super_admin"
set vdom "root"
set password ENC XXXXXXXXXXX
next
end
diagnose firewall iprope list 010000e
policy index=4294967295 uuid_idx=10 action=accept
flag (0):
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.21.7.26-10.21.7.26, uuid_idx=0,
service(1):
[6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
To prevent FMG-Access from being available to all source IP addresses, two local-in-policies will need to be created on the FortiGate. The first local-in-policy will permit incoming TCP/541 traffic coming from specific source IP addresses and the second local-in-policy will deny TCP/541 from all other sources.
config firewall service custom
edit "FMG-Access"
set tcp-portrange 541
next
end
config firewall address
edit "192.168.1.0/24"
set subnet 192.168.1.0 255.255.255.0
next
end
config firewall local-in-policy
edit 1
set intf "mgmt"
set srcaddr "192.168.1.0/24"
set dstaddr "all"
set action accept
set service "FMG-Access"
set schedule "always"
next
edit 2
set intf "mgmt"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "FMG-Access"
set schedule "always"
next
end
Once the local-in policies have been created, two entries are added to iprope group 00100001, which is evaluated before iprope group 010000e. Iprope policies are matched top-down, just like firewall policies, so the first matching entry decides.
diagnose firewall iprope list 00100001
policy index=1 uuid_idx=514 action=accept
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
policy index=2 uuid_idx=515 action=drop
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
service(1):
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
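As an added example (not part of the Fortinet article or FortiOS itself), the following Python checker parses iprope listings like the ones above and reports which entry would decide a TCP/541 connection from a given source address, honouring the top-down order in which group 00100001 precedes 010000e. The sample listing is constructed from the article's output, trimmed to the lines the parser needs.

```python
import ipaddress
import re

# Constructed sample: the three TCP/541 entries from the article, in the order the
# FortiGate evaluates them (local-in group 00100001 sits above group 010000e).
SAMPLE = """\
policy index=1 uuid_idx=514 action=accept
source(1): 192.168.1.0-192.168.1.255, uuid_idx=513,
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
policy index=2 uuid_idx=515 action=drop
source(1): 0.0.0.0-255.255.255.255, uuid_idx=505,
[6:0x0:0/(1,65535)->(541,541)] flags:0 helper:auto
policy index=4294967295 uuid_idx=10 action=accept
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
[6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto
"""

POLICY_RE = re.compile(r"policy index=(\d+) .*action=(\w+)")
RANGE_RE = re.compile(r"(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3})")
SERVICE_RE = re.compile(r"\[(\d+):[^/]*/\(\d+,\d+\)->\((\d+),(\d+)\)\]")

def parse_iprope(text):
    """Parse 'diagnose firewall iprope list' output into an ordered list of policies."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:  # start of a new policy entry
            policies.append({"index": int(m.group(1)), "action": m.group(2),
                             "sources": [], "services": []})
            continue
        if not policies:
            continue
        if line.startswith("source("):  # one or more source address ranges
            policies[-1]["sources"] += [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                                        for a, b in RANGE_RE.findall(line)]
        elif (m := SERVICE_RE.match(line)):  # protocol and destination port range
            policies[-1]["services"].append((int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return policies

def verdict(policies, src, proto=6, dport=541):
    """Return (policy index, action) of the first top-down match, or (None, 'no-match')."""
    src = ipaddress.ip_address(src)
    for p in policies:
        src_ok = any(lo <= src <= hi for lo, hi in p["sources"])
        svc_ok = any(pr == proto and lo <= dport <= hi for pr, lo, hi in p["services"])
        if src_ok and svc_ok:
            return p["index"], p["action"]
    return None, "no-match"
```

Running verdict() over only the last entry (the 010000e group on its own) shows why the article's local-in policies are needed: without them every source is accepted.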
Copyright 2024 Fortinet, Inc. All Rights Reserved.