Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sasad
New Contributor III

Created on ‎02-08-2024 12:31 AM Edited on ‎02-26-2024 03:12 AM By Community Manager

Access through IP should not be allowed for Firewall management only FQDN allowed.

Dear

 

We have Fortigate FG200E firewall, we need to access the Firewall through FQDN for that we have added the A records in our local and public DNS.

 

But now we need to stop the access direct from public IP, and the administrators must use the FQDN to access the Firewall management page.

 

Can anyone please help that how can I achieve this?

Asad
Asad
1546
0 Kudos
1 Solution
AEK
SuperUser
SuperUser
In response to AEK

Created on ‎02-10-2024 11:28 PM

Please check this.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Issue-SSL-certificates-with-Microsoft/ta-p...

AEK

View solution in original post

AEK
1431
0 Kudos
11 REPLIES 11
AEK
SuperUser
SuperUser

Created on ‎02-08-2024 01:57 AM

Hello Sasad

Since this is a field of http request, as far as I know this can be done if you have a WAF between clients and FG.

On the other hand may I ask why such requirement?

AEK
AEK
1261
0 Kudos
sasad
New Contributor III
In response to AEK

Created on ‎02-08-2024 03:21 AM

We need it as we have multiple sites and our admins access them frequently and our certificate is on FQDN this is not support IP address, so the communication will not be encrypted in this case.

Asad
Asad
1242
0 Kudos
AEK
SuperUser
SuperUser
In response to sasad

Created on ‎02-08-2024 03:25 AM

You still can issue one single certificate for both FQDN and IP address, so your communication will be secure if you use either FQDN or IP.

AEK
AEK
1239
0 Kudos
sasad
New Contributor III
In response to AEK

Created on ‎02-08-2024 04:10 AM

I tried to generate the certificate from Fortigate with IP address and domain name but still it is showing certificate error. While the IP address is available in the Subject Alternate name.

Asad
Asad
1232
0 Kudos
sasad
New Contributor III
In response to sasad

Created on ‎02-08-2024 04:20 AM

Also we have more than 30 firewalls with different public IPs, therefore we have generated the certificate *.mydomain.com and using it at each site.

Asad
Asad
1230
0 Kudos
AEK
SuperUser
SuperUser
In response to sasad

Created on ‎02-08-2024 05:13 AM

Whe you add the IP in "Subject Alternative Name", you have to specify that it is a IP SAN. Like this:

IP:x.x.x.x

SAN_IP.png

AEK
AEK
1221
0 Kudos
sasad
New Contributor III
In response to AEK

Created on ‎02-10-2024 10:20 PM

I tried this way but it showing invalid IP.

 

 

Screenshot 2024-02-11 091854.jpg

Asad
Asad
1179
0 Kudos
AEK
SuperUser
SuperUser
In response to sasad

Created on ‎02-10-2024 11:25 PM

On your screenshot you are generating new certificates. That's not what you need. You need to generate a Certificate Signing Request (CSR) for your WebUI.

AEK
AEK
1167
0 Kudos
AEK
SuperUser
SuperUser
In response to AEK

Created on ‎02-10-2024 11:28 PM

Please check this.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Issue-SSL-certificates-with-Microsoft/ta-p...

AEK
AEK
1432
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.