Description | This article explains how to restrict SSH and telnet traffic from a FortiGate to other hosts. |
Scope | FortiOS 7.2.1. |
Solution |
Administrator access profiles can be configured to prevent administrators from using the FortiGate as a jump host for SSH and telnet connections. This feature is introduced in FortiOS 7.2.1. The option is useful in environments where it is desirable to restrict SSH/telnet access initiated from FortiWeb for particular users.
To configure permissions to execute SSH or telnet commands in an access profile, run the following in the CLI:
# config system accprofile
    edit <name>
        set system-execute-ssh {enable | disable}
        set system-execute-telnet {enable | disable}
    next
end
To block SSH and telnet connections for an administrator, disable permission to execute SSH or telnet commands in the corresponding administrator access profile:
# config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
end
Configure an administrator in the profile:
# config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2FGkJSJ3h1YgHaEeNmJQDU9xZd7bCcM2Jq3WKvPyu1N60nba0085X5Tri7pI=
    next
end
Log in as the new administrator and attempt to connect to another host using SSH or telnet. The following output is expected:
# execute ssh rootuser@192.168.4.5
# execute telnet 10.199.44.2
The above output confirms the restrictions are working as intended.
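To verify the same restriction across every administrator rather than by logging in as each one, the following added audit script (not part of this article or of FortiOS) parses a FortiOS CLI export and lists admins whose access profile still permits execute ssh or telnet. It assumes the export is in "show" format, where settings left at their default are omitted, and that the default for both options is enable; the sample configuration is constructed for the example.

```python
import shlex

SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
    edit "netops"
        set system-execute-ssh enable
    next
end
config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
    next
    edit "netops1"
        set accprofile "netops"
    next
end
"""  # constructed sample; like a real "show" export it omits settings at default


def parse_fortios(text):
    """Return {table: {entry: {key: value}}}; nested sub-tables are keyed by local name."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        kw = tokens[0] if tokens else None
        if kw == "config":
            stack.append(" ".join(tokens[1:]))      # e.g. "system accprofile"
        elif kw == "edit":
            stack.append(tokens[1])                 # entry name, quotes stripped by shlex
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set" and len(stack) >= 2:
            table, entry = stack[-2], stack[-1]
            tree.setdefault(table, {}).setdefault(entry, {})[tokens[1]] = " ".join(tokens[2:])
    return tree


def admins_with_jump_host_access(tree):
    """List (admin, profile, services) whose profile still permits execute ssh/telnet; unset = enable."""
    profiles = tree.get("system accprofile", {})
    findings = []
    for admin, attrs in tree.get("system admin", {}).items():
        prof = attrs.get("accprofile", "")
        allowed = [s for s in ("ssh", "telnet")
                   if profiles.get(prof, {}).get(f"system-execute-{s}", "enable") == "enable"]
        if allowed:
            findings.append((admin, prof, allowed))
    return findings
```

An admin assigned a profile that does not appear in the export at all (for example the built-in super_admin) is reported with both services allowed, which matches the default behaviour.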
|