Limiting SSH access from certain IPs
Hey,
Is there a way to limit the SSH access to the unit from certain IPs?
Thanks!
Depending on what you have in mind, you need to configure the Administrative Access for the Interface in question then go into the Admin settings to enable "Restrict this Admin Login from Trusted Hosts Only" then set the IP address(es).
You can also set the actual port access for SSH from 22 to some other port under "system>Admin>Settings>Administration Settings>SSH Port". (For something non-standard or fancy (not advisable) maybe look at "config firewall local-in-policy".)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks for the reply Dave!
This might just work out for me.
I have a handful of admin accounts. I guess I'll have to limit them all then.
Thanks a lot!
I mentioned the local-in-policy thing because one of our clients requested that we block an entire country from attempting to connect to their fgt, but personally I don't like putting something like that in because a setting like that may be easily missed when troubleshooting admin connection issues.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave,
in my case I need to grant access for our Nagios server from outside in order to run some Event Handler scripts on the forti unit. I'd like to grant just this user the access and specifically from the Nagios server address.
But this might come in handy someday after all.
btw, is "China-Country" a pre-saved variable?
It is a Firewall Address that is based on GEO IP with China as country, with an arbitrary name.
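The settings discussed in this thread, written out as FortiOS CLI configuration. This is an added example, not part of any post above; the interface name `wan1`, the admin account `nagios`, the address 203.0.113.10 (a documentation address standing in for the Nagios server), port 2222 and policy ID 1 are assumptions.

```fortios
# 1. Administrative Access on the interface in question.
#    "set allowaccess" replaces the whole list, so include every
#    protocol that should stay enabled.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# 2. Trusted hosts on the admin account: this login is accepted only
#    from the Nagios server. Repeat for each admin account, as the
#    thread notes.
config system admin
    edit "nagios"
        set trusthost1 203.0.113.10 255.255.255.255
    next
end

# 3. Optional: move SSH administration off port 22.
config system global
    set admin-ssh-port 2222
end

# 4. The local-in-policy variant: a geography-type address object
#    with an arbitrary name, then a deny rule for traffic to the unit.
config firewall address
    edit "China-Country"
        set type geography
        set country "CN"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "China-Country"
        set dstaddr "all"
        # The predefined "SSH" service matches TCP/22; if step 3 changed
        # the port, use a custom service object for that port instead.
        set service "SSH"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are configured from the CLI, which is part of why they are easy to overlook when troubleshooting admin connection issues; `show firewall local-in-policy` lists the ones in effect.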
