JSconsole access to Fortigate
Today we received a security audit assessment from a 3rd party security company. They indicated they can login successfully to our border FortiGate firewall using jsconsole from a trusted management interface. The trusted management interface is connected to the Out-of-band (OOB) Management network and is restricted to specific internal users including the 3rd party security company performing the audit.
Can anyone speak to this access, good, bad, indifferent?
Can jsconsole be used to make changes to the firewall?
Is there a way to block jsconsole access?
Thank you
Labels: FortiGate
Hi @JimBo ,
If the access is from a trusted management interface from a known user and with the appropriate credentials, I do not see any concern.
I believe JSConsole would be able to access most GUI based applications and not just FortiGate for APIs, automation, debugging etc. Did the 3rd party security company raise a specific concern about this access?
With regards to the other question of blocking access, I believe the only access control is based on protocols allowed on an interface (like ssh, https, ping etc). If JSConsole is using an allowed protocol on an interface, it would be able to access the firewall.
Manoj Papisetty
Hi Manoj,
Thanks for the quick follow-up. I just watched a few YouTube videos on JSconsole and must admit this is a powerful tool and potentially dangerous in the wrong hands.
The security company will provide their report next week when all management staff are back in the office. I’m attempting to have some type of valid educated response to any surprises.
Wondering if a valid user with admin view-only access could make changes to the firewall using JSconsole. I would assume no but confirmation would allow us to breathe a little easier.
Additionally, I only allow 443 access via the dedicated Mgt interface from the OOB Mgt net, so it appears JSconsole is using HTTPS for this access from the protected network, meaning this is contained to users allowed on the OOB Mgt net. Firewall access is also allowed from FortiGate Cloud, and this is accepted as safe too. Could an application-level security policy be applied to block JSconsole, or is there some other method to manage control?
Thank you again for your feedback
JimBo
Hi @JimBo ,
Thanks for the clarification. I agree that JSConsole is a powerful tool.
For admin access, there is no way to configure a policy based on application. The only way to restrict access is to have local-in policies that can limit the IPs and services which can access the firewall.
Which version is the firewall running on? A valid user with view-only should not be able to make changes. That would be a vulnerability.
Manoj Papisetty
Dear @mpapisetty
We are receiving this email:
date=2025-02-19 time=20:44:50 devid="FGT60" devname="Kpostfirewall2" eventtime=1739987089999680013 tz="+0300" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1739987089" user="admin" ui="jsconsole" method="jsconsole" srcip=13.37.13.37 dstip=13.37.13.37 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
But we don't know this IP. I checked the system event log: the admin logged in and logged out the next minute. I have now changed my password and also set a restricted IP, but a jsconsole login from my PC's IP is again showing as successful. I have now removed the WAN cable. Please help me with this case.
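An added example, not part of the thread and not Fortinet code: a small Python triage script for admin-login events like the one quoted above. It parses FortiOS key=value log lines and flags successful admin logins whose ui is jsconsole, whose source address lies outside the management range that the trusthost / local-in restrictions mentioned earlier are meant to enforce, or whose srcip equals dstip, as it does in the quoted entry (a login from an administrator's workstation shows the workstation as srcip and the firewall as dstip). The 10.200.0.0/24 range, the user names and the second and third log lines are constructed for the example; the first line is modelled on the quoted one.

```python
"""Triage FortiOS admin-login events for jsconsole use and untrusted sources."""
import ipaddress
import shlex

# Assumed OOB management network for this example; on a real box this is whatever
# the admin trusthost settings / local-in policy actually permit.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

ADMIN_LOGIN_LOGID = "0100032001"  # logid of "Admin login successful" in the quoted entry

# Constructed sample events (not real logs). The first is modelled on the entry
# quoted in the thread; the other two are invented for contrast.
SAMPLE_LOGS = [
    'date=2025-02-19 time=20:44:50 devname="Kpostfirewall2" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="jsconsole" method="jsconsole" srcip=13.37.13.37 dstip=13.37.13.37 action="login" '
    'status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    # routine HTTPS login from the OOB management network (constructed)
    'date=2025-02-19 time=21:02:11 devname="Kpostfirewall2" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.200.0.25)" method="https" srcip=10.200.0.25 dstip=10.200.0.1 action="login" '
    'status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.200.0.25)"',
    # jsconsole login from a trusted host (constructed): permitted by IP, still worth a look
    'date=2025-02-19 time=21:10:40 devname="Kpostfirewall2" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" user="auditor" '
    'ui="jsconsole" method="jsconsole" srcip=10.200.0.40 dstip=10.200.0.1 action="login" '
    'status="success" reason="none" profile="prof_admin" '
    'msg="Administrator auditor logged in successfully from jsconsole"',
]


def parse_fortios_event(line: str) -> dict[str, str]:
    """Split a FortiOS key=value line into a dict; quoted values may contain spaces."""
    fields: dict[str, str] = {}
    for token in shlex.split(line):  # shlex strips the quotes and keeps quoted spaces
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_trusted_source(ip_text: str) -> bool:
    """True if the address falls inside one of the management ranges above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def triage_admin_login(event: dict[str, str]) -> list[str]:
    """Return the reasons a successful admin login deserves review (empty if none)."""
    findings: list[str] = []
    if event.get("logid") != ADMIN_LOGIN_LOGID or event.get("status") != "success":
        return findings
    src = event.get("srcip", "")
    dst = event.get("dstip", "")
    if event.get("ui") == "jsconsole":
        findings.append("jsconsole login")
    if not is_trusted_source(src):
        findings.append(f"source {src} outside trusted management ranges")
    if src and src == dst:
        findings.append("srcip equals dstip")
    # escalate the note when the session landed on a full-privilege profile
    if findings and event.get("profile") == "super_admin":
        findings.append("super_admin profile")
    return findings


def triage_lines(lines: list[str]) -> list[dict]:
    """Run the checks over raw log lines and keep only the events that need review."""
    hits = []
    for line in lines:
        event = parse_fortios_event(line)
        findings = triage_admin_login(event)
        if findings:
            hits.append({
                "time": event.get("time"),
                "user": event.get("user"),
                "srcip": event.get("srcip"),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in triage_lines(SAMPLE_LOGS):
        print(f"{hit['time']} user={hit['user']} srcip={hit['srcip']}: {', '.join(hit['findings'])}")
```

The trusted-range check only reproduces, after the fact, what the firewall's own trusthost / local-in policy enforces on the box; if a jsconsole login is logged from an address that those controls should already have refused, the script cannot explain it and the event needs investigation rather than filtering.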
Hi @MohammedYasin -
Please be aware of the PSIRT that was published after my last comment -
https://www.fortiguard.com/psirt/FG-IR-24-535 - and take actions accordingly.
Manoj Papisetty
