Hi!
There seems to be a severe limitation with 'firewall local-in-policy' as scalable substitute for 'system admin' limit of 10 trusthosts.
Since (a) 'firewall local-in-policy' cannot reference 'system admin user' as allowed source; nor (b) 'system admin user' can specify a 'firewall local-in-policy' that may enforce access we seem to be stuck with trusthosts.
For example, a simplest security requirement is: two ('system admin' with 'wildcard' and 'remote-group') administrator users A & B, where A are only allowed from login from host X, and B are only allowed to login from host Y, how can this implemented using local-in-policy (or any other way except 'system admin' trusthosts)?
Feren
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 09-09-2024 06:40 PM Edited on 09-09-2024 06:41 PM
If you have to limit the allowed sources per admin user, only way to set the different restrictions is by trusthosts, because they're configured at each user, or per user.
All other methods, regarless local-in-policies or regular (inter-interface) policies, can limit IP addresses and/or services/ports. Those policies can't look into the content of HTTP or SSH SYN packets ("username") to take different actions.
Toshi
Hi @AlexFerenX
Well you have to be careful. It will not do it directly. You need to make sure that GUI access is not allowed on any other interface.
The way you would do it is through the firewall policy mentioned in the article. You would mention both user group and IP under source in separate policies.
So first policy would have user group with admin A and IP configured as X and second firewall policy would have user group with admin B and IP configured as Y.
This way the traffic is passed to loopback interface only if both group and IP match.
I have not tested this so you may need to test this to confirm.
Can you tell what is your larger concern here?
Is it that the admin may login with another admin's credential?
You could also use Multi Factor Authentication for that.
Regards,
Varun
Created on 09-10-2024 03:16 PM Edited on 09-10-2024 03:18 PM
Hi @vbandha ,
> Can you tell what is your larger concern here?
As I've answered before:
> first of all I'm not quite sure about WHY would you like to workaround trusted hosts?
I think I answered this in very first sentence - "... as scalable substitute for 'system admin' limit of 10 trusthosts.". Perhaps unclear, but 10 isn't enough!! If FortiOS only allowed 10 "firewall local-in-policy" entries - would that be enough?
> I have not tested this so you may need to test this to confirm.
the requirement is simple (again, for clarity keyword is: "scalable"). I understand you (personally) may not be obliged to provide a KB to cover it, but, Fortinet should... if it is possible.
Thanks, Feren
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1672 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.