Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Local-in policy for system admin user
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Local-in policy for system admin user
Hi!
There seems to be a severe limitation with 'firewall local-in-policy' as scalable substitute for 'system admin' limit of 10 trusthosts.
Since (a) 'firewall local-in-policy' cannot reference 'system admin user' as allowed source; nor (b) 'system admin user' can specify a 'firewall local-in-policy' that may enforce access we seem to be stuck with trusthosts.
For example, a simplest security requirement is: two ('system admin' with 'wildcard' and 'remote-group') administrator users A & B, where A are only allowed from login from host X, and B are only allowed to login from host Y, how can this implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
Feren
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AlexFerenX,
first of all I'm not quite sure about WHY would you like to workaround trusted hosts?
As those are designed exactly to do what you seems me are trying to achieve.
Which is to limit specific admin to specific IP/NETs from which he can log into FortiGate's management interface.
Every single admin has his list of 10 trusted hosts.
And kindly note that those are not just "single host" IPs but actually subnets!
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/014906/administrator-account...
The local-in policies are on the other hand designed to generally block any traffic targeting FortiGate directly. So not a forwarded / pass-through traffic which is handled by regular firewall policies.
But traffic where some of FortiGate's interface IPs is actual destination address of the packets.
Those local-in policies and trusted hosts are two different tools.
However, they can work together as extended fortification for your FortiGate unit.
If you are worried about bad guys accessing your FortiGate from public side. And so you'd like to limit the access to management from outer world. Then how about to block it completely from outside and use one of Fortinet's VPN solutions to actually get "inside" the network. And then access FortiGate's management from internal / private side. And there you would have also firewall policies for VPN to further harden your perimeter.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Created on 09-06-2024 05:25 AM Edited on 09-06-2024 05:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for replying...
> first of all I'm not quite sure about WHY would you like to workaround trusted hosts?
I think I answered this in very first sentence - "... as scalable substitute for 'system admin' limit of 10 trusthosts.". Perhaps unclear, but 10 isn't enough!! If FortiOS only allowed 10 "firewall local-in-policy" entries - would that be enough?
In our case, those 10 trusthosts are meant to cover a dozen Network and security appliances monitoring the Fortigate, in addition to multiple jumpservers used by administrators spread across multiple regions. [And.. no, this isn't about a single user, this is a 'system admin user' with 'wildcard' enabled - many different users authenticated/authorised using a single 'remote-group']
So... back to question:
> For example, a simplest security requirement is ... how can this be implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
Is the answer... it cannot?
Feren.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
"dozen Network and security appliances monitoring the Fortigate" and wildcard user.
Well, admin accounts are usually for humans.
If you have that big network, then are you monitoring everything via SSH or HTTPS to FGT?
How about API access, or SNMP which has separate access rules?
I understand that if you have hundreds of jumphosts and would like to define every single of them as single IP/32 in trusted hosts that then you do not have enough of them. But aren't your jumphosts and management appliances actually in some management (OOB) subnets? Or how about VPN workaround limiting access.
As you found out, local-in-policy in let's say srcaddr accepts just firewall address objects, not a local users, admins or user groups. As it is NOT designed to trigger any authentication, but limit L2/L3 access to FGT's interfaces. Then it is not suitable to anyhow filter admins themselves, only their source IPs/Subnets where they can come from.
As I said, as complementary hardening, or replacement, for/to trusted hosts.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AlexFerenX
In addition to the recommendation mentioned above, you can also look into providing GUI access via Loopback interface. You can do port forwarding from Wan interface to a loopback interface and enable the HTTPS access on the loopback interface.
This will give you a lot more options over controlling this access compared to local in policy. You will need to create a firewall policy to allow this traffic and you can put restrictions on this policy as per requirement. You will not have limit of 10 trusted hosts here.
Regards,
Varun
Created on 09-08-2024 03:41 AM Edited on 09-08-2024 04:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vbandha
thanks for replying...
Our administrative access isn't from Internet - it's either to 'system ha' 'direct-ha' interface IP address; or, via Intranet-facing VDOM to root VDOM's IP address connected to that VDOM using vdom-link or npuX-vlinkY inter-VDOM interfaces.
Your idea is interesting - perhaps you can formalize it by presenting associated CLI configurations - I'm sure surprisingly many would be very interested?
Feren.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AlexFerenX
As per your request, I will create an article going over the steps and post it here once it is published.
Regards,
Varun
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Created on 09-09-2024 05:17 PM Edited on 09-09-2024 05:29 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @vbandha
I must be missing something... How does your KB facilitate this:
.. a simplest security requirement is: two ('system admin' with 'wildcard' and 'remote-group') administrator users A & B, where A are only allowed from login from host X, and B are only allowed to login from host Y, how can this implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
I'm still dependent on trusthosts, to control access by different administrators - no?
BTW, something I don't understand - modern Fortinet KBs involve so many screenshots and explanations of the screenshots - why not just paste CLI configurations - KBs will be less ambiguous, more concise and easier to adapt? That KB can be 1/3 of the volume it is now - is there some incentive to pad out KBs?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Routing with two wan int 288 Views
- User Centric Policies on Fortigate 263 Views
- Parse Fortigate Syslog to JSON with... 357 Views
- Compliance Scan Configuration for Delayed OS... 260 Views
- What FortiOS Event Logs should i... 1237 Views
Labels
-
FortiGate
8,348 -
FortiClient
1,687 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
533 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
393 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1633 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.