Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Local-in policy for system admin user
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local-in policy for system admin user
Hi!
There seems to be a severe limitation with 'firewall local-in-policy' as scalable substitute for 'system admin' limit of 10 trusthosts.
Since (a) 'firewall local-in-policy' cannot reference 'system admin user' as allowed source; nor (b) 'system admin user' can specify a 'firewall local-in-policy' that may enforce access we seem to be stuck with trusthosts.
For example, a simplest security requirement is: two ('system admin' with 'wildcard' and 'remote-group') administrator users A & B, where A are only allowed from login from host X, and B are only allowed to login from host Y, how can this implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
Feren
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AlexFerenX,
first of all I'm not quite sure about WHY would you like to workaround trusted hosts?
As those are designed exactly to do what you seems me are trying to achieve.
Which is to limit specific admin to specific IP/NETs from which he can log into FortiGate's management interface.
Every single admin has his list of 10 trusted hosts.
And kindly note that those are not just "single host" IPs but actually subnets!
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/014906/administrator-account...
The local-in policies are on the other hand designed to generally block any traffic targeting FortiGate directly. So not a forwarded / pass-through traffic which is handled by regular firewall policies.
But traffic where some of FortiGate's interface IPs is actual destination address of the packets.
Those local-in policies and trusted hosts are two different tools.
However, they can work together as extended fortification for your FortiGate unit.
If you are worried about bad guys accessing your FortiGate from public side. And so you'd like to limit the access to management from outer world. Then how about to block it completely from outside and use one of Fortinet's VPN solutions to actually get "inside" the network. And then access FortiGate's management from internal / private side. And there you would have also firewall policies for VPN to further harden your perimeter.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Created on 09-06-2024 05:25 AM Edited on 09-06-2024 05:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for replying...
> first of all I'm not quite sure about WHY would you like to workaround trusted hosts?
I think I answered this in very first sentence - "... as scalable substitute for 'system admin' limit of 10 trusthosts.". Perhaps unclear, but 10 isn't enough!! If FortiOS only allowed 10 "firewall local-in-policy" entries - would that be enough?
In our case, those 10 trusthosts are meant to cover a dozen Network and security appliances monitoring the Fortigate, in addition to multiple jumpservers used by administrators spread across multiple regions. [And.. no, this isn't about a single user, this is a 'system admin user' with 'wildcard' enabled - many different users authenticated/authorised using a single 'remote-group']
So... back to question:
> For example, a simplest security requirement is ... how can this be implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
Is the answer... it cannot?
Feren.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
"dozen Network and security appliances monitoring the Fortigate" and wildcard user.
Well, admin accounts are usually for humans.
If you have that big network, then are you monitoring everything via SSH or HTTPS to FGT?
How about API access, or SNMP which has separate access rules?
I understand that if you have hundreds of jumphosts and would like to define every single of them as single IP/32 in trusted hosts that then you do not have enough of them. But aren't your jumphosts and management appliances actually in some management (OOB) subnets? Or how about VPN workaround limiting access.
As you found out, local-in-policy in let's say srcaddr accepts just firewall address objects, not a local users, admins or user groups. As it is NOT designed to trigger any authentication, but limit L2/L3 access to FGT's interfaces. Then it is not suitable to anyhow filter admins themselves, only their source IPs/Subnets where they can come from.
As I said, as complementary hardening, or replacement, for/to trusted hosts.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AlexFerenX
In addition to the recommendation mentioned above, you can also look into providing GUI access via Loopback interface. You can do port forwarding from Wan interface to a loopback interface and enable the HTTPS access on the loopback interface.
This will give you a lot more options over controlling this access compared to local in policy. You will need to create a firewall policy to allow this traffic and you can put restrictions on this policy as per requirement. You will not have limit of 10 trusted hosts here.
Regards,
Varun
Created on 09-08-2024 03:41 AM Edited on 09-08-2024 04:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vbandha
thanks for replying...
Our administrative access isn't from Internet - it's either to 'system ha' 'direct-ha' interface IP address; or, via Intranet-facing VDOM to root VDOM's IP address connected to that VDOM using vdom-link or npuX-vlinkY inter-VDOM interfaces.
Your idea is interesting - perhaps you can formalize it by presenting associated CLI configurations - I'm sure surprisingly many would be very interested?
Feren.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AlexFerenX
As per your request, I will create an article going over the steps and post it here once it is published.
Regards,
Varun
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Created on 09-09-2024 05:17 PM Edited on 09-09-2024 05:29 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vbandha
I must be missing something... How does your KB facilitate this:
.. a simplest security requirement is: two ('system admin' with 'wildcard' and 'remote-group') administrator users A & B, where A are only allowed from login from host X, and B are only allowed to login from host Y, how can this implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
I'm still dependent on trusthosts, to control access by different administrators - no?
BTW, something I don't understand - modern Fortinet KBs involve so many screenshots and explanations of the screenshots - why not just paste CLI configurations - KBs will be less ambiguous, more concise and easier to adapt? That KB can be 1/3 of the volume it is now - is there some incentive to pad out KBs?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- [Help] SD-WAN with BGP on Loopback... 381 Views
- Webpage access blocked 327 Views
- Open ports for CCTV system Mobile... 237 Views
- FortiGate VPN IPSec Tx Error 647 Views
- FortiManager Cloud update pushing TACACS logging... 269 Views
Labels
-
FortiGate
8,557 -
FortiClient
1,729 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
549 -
FortiSwitch
467 -
FortiAP
462 -
FortiClient EMS
417 -
6.0
416 -
5.6
362 -
FortiMail
313 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
229 -
FortiWeb
203 -
IPsec
197 -
5.0
196 -
FortiNAC
183 -
FortiGuard
137 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
101 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
88 -
Customer Service
79 -
Wireless Controller
76 -
Firewall policy
75 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
49 -
ZTNA
47 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
43 -
FortiDNS
42 -
DNS
42 -
BGP
40 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
NAT
32 -
RADIUS
31 -
SSO
31 -
Interface
31 -
FortiConnect
28 -
FortiLink
28 -
FortiWAN
27 -
VDOM
26 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
Intrusion prevention
9 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiGate-VM
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1669 | |
| 1082 | |
| 752 | |
| 446 | |
| 225 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.