gilfalko
New Contributor III

Limiting SSH access from certain IPs

Hey, is there a way to limit the SSH access to the unit from certain IPs? Thanks!
Dave_Hall
Honored Contributor

Depending on what you have in mind, you need to configure the Administrative Access for the Interface in question, then go into the Admin settings to enable "Restrict this Admin Login from Trusted Hosts Only", then set the IP address(es). You can also set the actual port access for SSH from 22 to some other port under "system>Admin>Settings>Administration Settings>SSH Port". (For something non-standard or fancy (not advisable), maybe look at "config firewall local-in-policy".)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

gilfalko
New Contributor III

Thanks for the reply, Dave! This might just work out for me. I have a handful of admin accounts. I guess I'll have to limit them all then. Thanks a lot!
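An added example, not part of the original thread and not Fortinet tooling: a Python check over the `config system admin` section of a configuration backup that lists the admin accounts still reachable from any address, so none is missed when limiting them all. The sample configuration, account names and addresses are constructed, and the script reads only IPv4 `set trusthostN` lines.

```python
import ipaddress
import re

# Constructed sample in the layout of a FortiOS configuration backup; the
# account names, profiles and RFC 5737 addresses are made up for illustration.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
    next
    edit "nagios"
        set trusthost1 192.0.2.10 255.255.255.255
    next
    edit "backup-op"
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

def admin_trusted_hosts(config_text):
    """Map each admin account to its IPv4 trusted-host networks."""
    admins, depth, current = {}, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system admin" else 0
        elif line.startswith("config "):
            depth += 1            # nested block inside an admin entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = m.group(1)
            admins[current] = []
        elif depth == 1 and (m := re.fullmatch(r"set trusthost\d+ (\S+) (\S+)", line)):
            admins[current].append(ipaddress.ip_network("/".join(m.groups()), strict=False))
    return admins

def source_allowed(config_text, account, source_ip):
    """True if the account's trusted hosts admit source_ip (none set = any)."""
    nets = admin_trusted_hosts(config_text)[account]
    return not nets or any(ipaddress.ip_address(source_ip) in n for n in nets)

def unrestricted_admins(config_text):
    """Accounts that can still log in from any IPv4 source address."""
    return sorted(name for name, nets in admin_trusted_hosts(config_text).items()
                  if not nets or any(n.prefixlen == 0 for n in nets))
```

Run `unrestricted_admins()` on the text of a real backup file; an empty list means every admin account carries at least one specific trusted host.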
Dave_Hall
Honored Contributor

I mentioned the local-in-policy thing because one of our clients requested that we block an entire country from attempting to connect to their fgt, but personally I don't like putting something like that in because a setting like that may be easily missed in troubleshooting admin connection issues.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

gilfalko
New Contributor III

Dave, in my case I need to grant access for our Nagios server from outside in order to run some Event Handler scripts on the forti unit. I'd like to grant just this user the access and specifically from the Nagios server address. But this might come in handy someday after all. Btw, is "China-Country" a pre-saved variable?
rickards
New Contributor

It is a Firewall Address that is based on GEO IP with China as country, with an arbitrary name.