Hi All,
I need to restrict FMG-Access to a certain IP.
Could you please advise if this is what I need?
Or this is the only way to restrict FMG-Access?
Thanks in advance.
Solved! Go to Solution.
Created on 06-12-2024 10:47 PM Edited on 06-12-2024 10:52 PM
No. I was the one who didn't understand what "FMG-Access" you meant was. You're talking about "FMG's FGT access".
The FGT's trusthost config is for regular admin access using the admin user name/password you configured at the FGT. FMG doesn't use those.
If you want to filter FMG's FGFM (TCP 541) acccess at a FGT, you need to set up local-in policy to specify allowed FMG's IP and block everything else. Below is the admin guide:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/363127/local-in-policy
But it would look like below.
config firewall local-in-policy
edit 0
set intf "wan" <-- in case 30E
set srcaddr "FMG-source-IP"
set dstaddr "all"
set action accept
set service "TCP541" <-- you need to define this service object first
set schedule "always"
next
edit 0
set intf "wan"
set srcaddr "all"
set dstaddr "all"
set action deny <-- this wouldn't show up in "show" because action=deny by default
set service "TCP541" <-- It's important to specify specific protocol to "deny".
set schedule "always"
next
end
Note: the order of policies is very important. If those are the only local-in-policies, those would become "edit 1" and "edit 2" in "show" command. Make sure the order is correct. You can move them around with "move" command if it isn't right.
Above policies filter only TCP 541. Not your addmin access like TCP 443 or SSH 22. So you can still control that part with the trusthost config you showed.
Or, once you get used to be using local-in-policies, you can limit those admin access with local-in-policy as well.
Toshi
There are two aspects of "FMG-Access". FMG admin login access and those deveces, like FGTs, FMG access to be managed by it. Which one are you looking for?
If the former, you need to configure trusthosts on the FMG side. You're showing the GUI on an FG30E. It's under System Settings->Admin->Administrator FMG GUI. It's similar to FGT's though.
And the KB you referred to seems to be for hardware FMG model's. FMG-VM doesn't have mgmt interface obviously.
For the latter, there is no good way to filter device accesses coming over the internet unfortunately unless you put a FW like FGT in front of your FMG.
Toshi
Created on 06-12-2024 09:48 PM Edited on 06-12-2024 10:02 PM
HI @Toshi_Esumi,
Basically, it was discovered that the port 541 on the FortiGate is being open on its WAN interface.
The goal is to restrict ports 541 access to a certain IP address.
Sorry if I still failed to clarify your question.
P.S. Looks like I didn't understand what is FMD-Access. Found this.
FMG-Access | Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices. |
If I disable FMG-Access on the WAN interface that should NOT prevent me from being able to managed FortiGate via web browser and since FortiManager is not used for the device management it basically means disabling FMG-Access will make no difference for me.
Is that correct?
Created on 06-12-2024 10:47 PM Edited on 06-12-2024 10:52 PM
No. I was the one who didn't understand what "FMG-Access" you meant was. You're talking about "FMG's FGT access".
The FGT's trusthost config is for regular admin access using the admin user name/password you configured at the FGT. FMG doesn't use those.
If you want to filter FMG's FGFM (TCP 541) acccess at a FGT, you need to set up local-in policy to specify allowed FMG's IP and block everything else. Below is the admin guide:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/363127/local-in-policy
But it would look like below.
config firewall local-in-policy
edit 0
set intf "wan" <-- in case 30E
set srcaddr "FMG-source-IP"
set dstaddr "all"
set action accept
set service "TCP541" <-- you need to define this service object first
set schedule "always"
next
edit 0
set intf "wan"
set srcaddr "all"
set dstaddr "all"
set action deny <-- this wouldn't show up in "show" because action=deny by default
set service "TCP541" <-- It's important to specify specific protocol to "deny".
set schedule "always"
next
end
Note: the order of policies is very important. If those are the only local-in-policies, those would become "edit 1" and "edit 2" in "show" command. Make sure the order is correct. You can move them around with "move" command if it isn't right.
Above policies filter only TCP 541. Not your addmin access like TCP 443 or SSH 22. So you can still control that part with the trusthost config you showed.
Or, once you get used to be using local-in-policies, you can limit those admin access with local-in-policy as well.
Toshi
Created on 06-13-2024 12:47 AM Edited on 06-13-2024 12:47 AM
Let me may be ask this way.
If I untick this checkbox what will happen?
Will I still be able to access the device? (I'm pretty sure the answer is YES).
Created on 06-13-2024 08:06 AM Edited on 06-13-2024 08:08 AM
That would close TCP 541 completely on wan interface and FMG wouldn't work well. Or if you actually don't have FMG at all (which I assumed you use it from the beginning) you should uncheck it.
Admin access is that "HTTPS" (TCP 443) you have it checked in the same screen. So it still works. If you scan the wan IP from nmap or something, you would see TCP 443(HTTPS) and TCP 22(SSH) open in the result.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.