MadDog_2023
New Contributor III

FMG-Access restriction to a certain IP address

Hi All,

I need to restrict FMG-Access to a certain IP.

Could you please advise if this is what I need?

[screenshot: fortigate.jpg]

Or is this the only way to restrict FMG-Access?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-restrict-FMG-Access-FortiManager-Ac...

Thanks in advance.

1 Solution
Toshi_Esumi

No. I was the one who didn't understand what "FMG-Access" you meant was. You're talking about "FMG's FGT access".
The FGT's trusthost config is for regular admin access using the admin user name/password you configured at the FGT. FMG doesn't use those.

If you want to filter FMG's FGFM (TCP 541) access at a FGT, you need to set up local-in policy to specify allowed FMG's IP and block everything else. Below is the admin guide:
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/363127/local-in-policy

But it would look like below.

config firewall local-in-policy
  edit 0
    set intf "wan"  <-- in case 30E
    set srcaddr "FMG-source-IP"
    set dstaddr "all"
    set action accept
    set service "TCP541"    <-- you need to define this service object first
    set schedule "always"
  next
  edit 0
    set intf "wan"
    set srcaddr "all"
    set dstaddr "all"
    set action deny    <-- this wouldn't show up in "show" because action=deny by default
    set service "TCP541"   <-- It's important to specify specific protocol to "deny".
    set schedule "always"
  next
end

Note: the order of policies is very important. If those are the only local-in-policies, those would become "edit 1" and "edit 2" in "show" command. Make sure the order is correct. You can move them around with "move" command if it isn't right.

Above policies filter only TCP 541. Not your admin access like TCP 443 or SSH 22. So you can still control that part with the trusthost config you showed.

Or, once you get used to using local-in-policies, you can limit those admin access with local-in-policy as well.


Toshi

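An added check, not from the post and not a Fortinet tool, that parses `show firewall local-in-policy` output and verifies the ordering Toshi warns about: the accept from the FMG address must appear before the catch-all deny for TCP 541, and the deny is recognised even though `show` omits the default `set action deny`. The show output below is constructed for the example; the address and service object names are the post's placeholders.

```python
import re

# Constructed sample of what "show firewall local-in-policy" could print after the
# two policies from the post are committed ("edit 0" gets renumbered to 1 and 2).
# Not captured from a real device. Note edit 2 has no "set action" line: deny is
# the default, so the CLI does not display it.
SAMPLE_SHOW = """\
config firewall local-in-policy
    edit 1
        set intf "wan"
        set srcaddr "FMG-source-IP"
        set dstaddr "all"
        set action accept
        set service "TCP541"
        set schedule "always"
    next
    edit 2
        set intf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set service "TCP541"
        set schedule "always"
    next
end
"""

def parse_local_in(text):
    """Return the policies in display order as dicts; 'action' defaults to deny."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"id": int(m.group(1)), "action": "deny"}
        elif line == "next" and cur is not None:
            policies.append(cur)
            cur = None
        elif cur is not None and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            cur[key] = val.strip('"')
    return policies

def fgfm_order_ok(policies, intf="wan", service="TCP541", fmg_src="FMG-source-IP"):
    """True only if, among policies for this interface and service, the first one
    accepts traffic from the FMG address and a later one denies srcaddr "all"."""
    matching = [p for p in policies
                if p.get("intf") == intf and p.get("service") == service]
    if len(matching) < 2:
        return False  # allow-list without a catch-all deny (or vice versa) is incomplete
    first = matching[0]
    if first["action"] != "accept" or first.get("srcaddr") != fmg_src:
        return False  # a deny (or a wrong source) evaluated first blocks the FMG
    return any(p["action"] == "deny" and p.get("srcaddr") == "all" for p in matching[1:])
```

Feeding the check a reversed policy list reproduces the misordering the note describes, which is the case to catch before relying on the `move` command.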

5 REPLIES
Toshi_Esumi
SuperUser

There are two aspects of "FMG-Access". FMG admin login access and those devices, like FGTs, FMG access to be managed by it. Which one are you looking for?

If the former, you need to configure trusthosts on the FMG side. You're showing the GUI on an FG30E. It's under System Settings->Admin->Administrator FMG GUI. It's similar to FGT's though.
And the KB you referred to seems to be for hardware FMG models. FMG-VM doesn't have mgmt interface obviously.

For the latter, there is no good way to filter device accesses coming over the internet unfortunately unless you put a FW like FGT in front of your FMG.

Toshi

MadDog_2023

Hi @Toshi_Esumi,

Basically, it was discovered that port 541 on the FortiGate is open on its WAN interface.

The goal is to restrict port 541 access to a certain IP address.

Sorry if I still failed to clarify your question.

P.S. Looks like I didn't understand what FMG-Access is. Found this.

FMG-Access

Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.

If I disable FMG-Access on the WAN interface that should NOT prevent me from being able to manage FortiGate via web browser, and since FortiManager is not used for the device management it basically means disabling FMG-Access will make no difference for me.

Is that correct?


MadDog_2023

Let me maybe ask this way.

If I untick this checkbox what will happen?

[screenshot: fmg-access.jpg]

Will I still be able to access the device? (I'm pretty sure the answer is YES).

[screenshot: image_2024-06-13_174651093.png]

 

Toshi_Esumi

That would close TCP 541 completely on wan interface and FMG wouldn't work well. Or if you actually don't have FMG at all (which I assumed you use it from the beginning) you should uncheck it.
Admin access is that "HTTPS" (TCP 443) you have checked in the same screen. So it still works. If you scan the wan IP from nmap or something, you would see TCP 443 (HTTPS) and TCP 22 (SSH) open in the result.

Toshi
