syordanov (Staff)
Article Id 241246
Description
This article explains how to restrict SSH and telnet traffic initiated from a FortiGate to other hosts.
Scope
FortiOS 7.2.1.
Solution

Administrator access profiles can be configured to prevent administrators from using the FortiGate as a jump host for SSH and telnet connections. This feature was introduced in FortiOS 7.2.1. It is useful in environments where the SSH / telnet access initiated from the FortiWeb needs to be restricted for particular users.

# config system accprofile
    edit <name>
        set system-execute-ssh {enable | disable}
        set system-execute-telnet {enable | disable}
    next
end


To block SSH and telnet connections for an administrator, disable permission to execute SSH or telnet commands in the corresponding administrator access profile:

# config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
end


Assign the profile to an administrator:

# config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2FGkJSJ3h1YgHaEeNmJQDU9xZd7bCcM2Jq3WKvPyu1N60nba0085X5Tri7pI=
    next
end


Log in as the new administrator and attempt to connect to another host using SSH or telnet. The following output is expected:

# execute ssh rootuser@192.168.4.5
You are not entitled to run the command.
Command fail. Return code -37

# execute telnet 10.199.44.2
You are not entitled to run the command.
Command fail. Return code -37


The above output confirms the restrictions are working as intended.
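As an added example (not from the article or from Fortinet), the following Python audit parses a FortiOS configuration backup and lists every administrator whose access profile still permits execute ssh or execute telnet, so the restriction above can be verified across all admins rather than by logging in as each one. The sample backup excerpt, the function names and the assumption that a key absent from the backup means enable are all mine; confirm the default on your firmware build.

```python
SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
    edit "super_ops"
        set system-execute-ssh enable
    next
end
config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
    next
    edit "ops_user2"
        set accprofile "super_ops"
    next
end
"""  # constructed FortiOS backup excerpt; profile and admin names are made up

def parse_tables(config_text):
    """Parse top-level 'config X / edit N / set K V / next / end' blocks into {X: {N: {K: V}}}."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1  # nested sub-tables (e.g. fwgrp-permission) are tracked only to skip them
            if depth == 1:
                table, entry = tables.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

def admins_with_jump_access(config_text, unset_default="enable"):
    """(admin, profile, ssh, telnet) for admins whose profile still permits execute ssh/telnet; unset keys default to unset_default (assumed 'enable')."""
    tables = parse_tables(config_text)
    profiles = tables.get("system accprofile", {})
    findings = []
    for admin, attrs in tables.get("system admin", {}).items():
        name = attrs.get("accprofile", "")
        prof = profiles.get(name, {})
        ssh, telnet = (prof.get(k, unset_default) for k in ("system-execute-ssh", "system-execute-telnet"))
        if "enable" in (ssh, telnet):
            findings.append((admin, name, ssh, telnet))
    return findings
```

Run it against a `show full-configuration` export or a backup file; an empty list means no administrator can use the unit as an SSH/telnet jump host.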
