Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dwear
New Contributor

External Admin access

I want to allow HTTPS access into the Fortigate from specific hosts. I know you can use the Trusted Hosts, but that still prompts the login page for everyone, and only allows login from those IPs. Is it possible to only present the login page to trusted IPs and drop the connection for everyone else? 

3 REPLIES 3
emnoc
Esteemed Contributor III

Yes you can but it's a via  different  route. You want  deploy PKI admin and issue certs. I just did a blog on this for the FGT and FML appliances.

 

Advantage

 

1: you don't need  trust host

2: the client TLS handshake and  no  valid  cert will not deliver the loginpage

3: you can enable two-factor within the user peer and require the cert + password

 

YMMV

 

The alternative which add more configuration is to  use SSLvpn and  require the user to 1st vpn into  the FGT and set the allowaccess on ssl.root. Beadvise tho that FTNT has change some things round with ssl.root so this might be accessible YMMV and PoC it out

 

Here's a few bog articles to read;

 

http://socpuppet.blogspot.com/2018/05/securing-fortigate-https-admin-with-pki.html

http://socpuppet.blogspot.com/2017/06/mfa-using-certficates-fortios-sys-admin.html

http://socpuppet.blogspot...pn-based-on-geoip.html

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jordan_Thompson_FTNT

dwear wrote:

I want to allow HTTPS access into the Fortigate from specific hosts. I know you can use the Trusted Hosts, but that still prompts the login page for everyone, and only allows login from those IPs. Is it possible to only present the login page to trusted IPs and drop the connection for everyone else? 

It sounds like you still have other administrators that do not have trusted hosts defined. If that's the case, then the login page is shown to everyone, and the trusted hosts are validated based on the user that logs in.

Toshi_Esumi

If you know the IP of hosts to allow but want to block all others, you can use "local-in-policy" for HTTP/HTTPS.

 

  xxxfg2 (xxxx) # config firewall local-in-policy   xxxfg2 (local-in-policy) # edit 0   new entry '0' added   atl-fg2 (0) # get   policyid            : 2   intf                :   srcaddr             :   dstaddr             :   action              : deny   service             :   schedule            :   status              : enable

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors