gilfalko
New Contributor III

Limiting SSH access from certain IPs

Hey, Is there a way to limit the SSH access to the unit from certain IPs? Thanks!
Dave_Hall
Honored Contributor

Depending on what you have in mind, you need to configure the Administrative Access for the Interface in question, then go into the Admin settings to enable "Restrict this Admin Login from Trusted Hosts Only", then set the IP address(es). You can also set the actual port access for SSH from 22 to some other port under "system>Admin>Settings>Administration Settings>SSH Port". (For something non-standard or fancy (not advisable), maybe look at "config firewall local-in-policy".)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

gilfalko
New Contributor III

Thanks for the reply Dave! This might just work out for me. I have a handful of admin accounts. I guess I'll have to limit them all then. Thanks a lot!
Dave_Hall
Honored Contributor

I mentioned the local-in-policy thing because one of our clients requested that we block an entire country from attempting to connect to their fgt, but personally I don't like putting something like that in because a setting like that may be easily missed when troubleshooting admin connection issues.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

gilfalko
New Contributor III

Dave, in my case I need to grant access for our Nagios server from outside in order to run some Event Handler scripts on the forti unit. I'd like to grant just this user the access and specifically from the Nagios server address. But this might come in handy someday after all. btw, is "China-Country" a pre-saved variable?
rickards
New Contributor

It is a Firewall Address that is based on GEO IP with China as country, with an arbitrary name.