I want to allow HTTPS access into the Fortigate from specific hosts. I know you can use the Trusted Hosts, but that still prompts the login page for everyone, and only allows login from those IPs. Is it possible to only present the login page to trusted IPs and drop the connection for everyone else?
Yes you can, but it's via a different route. You want to deploy PKI admin and issue certs. I just did a blog on this for the FGT and FML appliances.
Advantages:
1: you don't need trusted hosts
2: the client TLS handshake with no valid cert will not deliver the login page
3: you can enable two-factor within the user peer and require the cert + password
YMMV
The alternative, which adds more configuration, is to use SSL VPN and require the user to first VPN into the FGT and set the allowaccess on ssl.root. Be advised though that FTNT has changed some things around with ssl.root, so this might be accessible, YMMV; PoC it out.
Here's a few blog articles to read:
http://socpuppet.blogspot.com/2018/05/securing-fortigate-https-admin-with-pki.html
http://socpuppet.blogspot.com/2017/06/mfa-using-certficates-fortios-sys-admin.html
http://socpuppet.blogspot...pn-based-on-geoip.html
PCNSE
NSE
StrongSwan
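The PKI-admin approach described in the reply above, written out as an added FortiOS CLI example (this is not the poster's configuration or code from the linked blog). The CA name "MgmtCA", the peer and group names, the admin name and the CN value are all constructed placeholders; the intent is that a client without a certificate signed by the trusted CA fails the TLS handshake before any login page is served, and a client with a valid certificate is still asked for the password because two-factor is enabled on the peer.

```fortios
# Added example, not from the original post. Placeholder names throughout.

# A PKI user: matched by issuing CA and certificate subject CN.
# two-factor makes the certificate necessary but not sufficient; a password is still required.
config user peer
    edit "pki-admin"
        set ca "MgmtCA"
        set cn "jane.admin"
        set two-factor enable
        set passwd "REPLACE-WITH-STRONG-PASSWORD"
    next
end

# Group the PKI peers so the admin account can reference them.
config user peergrp
    edit "pki-admins"
        set member "pki-admin"
    next
end

# Bind an administrator account to certificate authentication.
config system admin
    edit "jane.admin"
        set accprofile "super_admin"
        set vdom "root"
        set peer-auth enable
        set peer-group "pki-admins"
    next
end

# Require a client certificate on the HTTPS admin listener. Without this,
# the login page is still served to clients that present no certificate.
config system global
    set admin-https-pki-required enable
end
```

Apply the last block only after at least one PKI admin has logged in successfully, and keep a console or SSH session open while testing: once `admin-https-pki-required` is enabled, every GUI login, including your own, depends on the certificate chain being correct.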
dwear wrote:
I want to allow HTTPS access into the Fortigate from specific hosts. I know you can use the Trusted Hosts, but that still prompts the login page for everyone, and only allows login from those IPs. Is it possible to only present the login page to trusted IPs and drop the connection for everyone else?
It sounds like you still have other administrators that do not have trusted hosts defined. If that's the case, then the login page is shown to everyone, and the trusted hosts are validated based on the user that logs in.
If you know the IP of hosts to allow but want to block all others, you can use "local-in-policy" for HTTP/HTTPS.
xxxfg2 (xxxx) # config firewall local-in-policy
xxxfg2 (local-in-policy) # edit 0
new entry '0' added
atl-fg2 (0) # get
policyid            : 2
intf                :
srcaddr             :
dstaddr             :
action              : deny
service             :
schedule            :
status              : enable
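A complete local-in-policy configuration for the case the reply above describes, added here as an example and not taken from the poster's session. It allows HTTPS to the FortiGate only from two management hosts on port1 and drops it from everyone else, so untrusted clients never see a login page. The interface name and the addresses 10.0.5.10 and 10.0.5.11 are constructed placeholders.

```fortios
# Added example, not from the original post. Addresses and interface are placeholders.

# Address objects for the hosts that may reach the admin GUI.
config firewall address
    edit "mgmt-host-1"
        set subnet 10.0.5.10 255.255.255.255
    next
    edit "mgmt-host-2"
        set subnet 10.0.5.11 255.255.255.255
    next
end

config firewall addrgrp
    edit "mgmt-hosts"
        set member "mgmt-host-1" "mgmt-host-2"
    next
end

# The interface must still permit HTTPS administrative access;
# local-in policies only narrow what allowaccess already permits.
config system interface
    edit "port1"
        set allowaccess https ping
    next
end

# Local-in policies are matched in order: the accept for trusted hosts
# must come before the deny-all, or the trusted hosts are locked out too.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end
```

Two checks before relying on this: confirm from an untrusted address that the TCP connection to port 443 is refused or times out rather than returning a login page, and note that the predefined "HTTPS" service matches port 443 only, so if the admin port was moved with `admin-sport` a custom service object on that port is needed in both policies.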
Copyright 2024 Fortinet, Inc. All Rights Reserved.