AlexFerenX
New Contributor II

Local-in policy for system admin user

Hi!

There seems to be a severe limitation with 'firewall local-in-policy' as a scalable substitute for the 'system admin' limit of 10 trusthosts.


Since (a) 'firewall local-in-policy' cannot reference a 'system admin' user as an allowed source, and (b) a 'system admin' user cannot specify a 'firewall local-in-policy' that may enforce access, we seem to be stuck with trusthosts.


For example, the simplest security requirement is: two administrator users A & B ('system admin' with 'wildcard' and 'remote-group'), where A is only allowed to log in from host X, and B is only allowed to log in from host Y. How can this be implemented using local-in-policy (or any other way except 'system admin' trusthosts)?


Feren

Toshi_Esumi

If you have to limit the allowed sources per admin user, the only way to set different restrictions is by trusthosts, because they're configured at each user, or per user.
All other methods, regardless of local-in-policies or regular (inter-interface) policies, can limit IP addresses and/or services/ports. Those policies can't look into the content of HTTP or SSH SYN packets ("username") to take different actions.


Toshi

vbandha
Staff

Hi @AlexFerenX 

Well you have to be careful. It will not do it directly. You need to make sure that GUI access is not allowed on any other interface.

The way you would do it is through the firewall policy mentioned in the article. You would mention both the user group and the IP under source, in separate policies.
So the first policy would have a user group with admin A and IP configured as X, and the second firewall policy would have a user group with admin B and IP configured as Y.
This way the traffic is passed to the loopback interface only if both group and IP match.

I have not tested this so you may need to test this to confirm. 


Can you tell what is your larger concern here? 

Is it that the admin may login with another admin's credential?


You could also use Multi Factor Authentication for that. 

Regards,

Varun
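The two-policy arrangement vbandha describes, written out as FortiOS CLI so the pieces can be seen together. This is an added illustration for this thread, not configuration from the post or from Fortinet documentation, and vbandha's own reply notes the approach is untested. The interface name (port1), loopback name (lo-mgmt), address objects (host-x, host-y, mgmt-loopback-ip), user groups (adm-grp-a, adm-grp-b) and all IP addresses are assumed values. The trusthost block at the end shows the per-admin form the original question is trying to scale past.

```text
# Assumed names throughout: port1 is the interface admins arrive on, lo-mgmt is a
# loopback carrying the management IP, host-x / host-y are address objects for the
# two permitted sources, adm-grp-a / adm-grp-b are the user groups each admin belongs to.
# All addresses below are constructed sample values.

# Management access is enabled only on the loopback, as the post requires
# ("make sure that GUI access is not allowed on any other interface").
config system interface
    edit "lo-mgmt"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess https ssh
    next
end

# Address objects for the two permitted source hosts and the loopback itself.
config firewall address
    edit "host-x"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "host-y"
        set subnet 192.0.2.20 255.255.255.255
    next
    edit "mgmt-loopback-ip"
        set subnet 10.255.255.1 255.255.255.255
    next
end

# Policy 101: only members of group A, and only from host X, reach the loopback.
# Policy 102: only members of group B, and only from host Y.
# No other policy terminates on lo-mgmt, so a session that fails either the
# group match or the source match has no policy to accept it and is dropped.
config firewall policy
    edit 101
        set name "mgmt-admin-a-from-x"
        set srcintf "port1"
        set dstintf "lo-mgmt"
        set srcaddr "host-x"
        set dstaddr "mgmt-loopback-ip"
        set groups "adm-grp-a"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 102
        set name "mgmt-admin-b-from-y"
        set srcintf "port1"
        set dstintf "lo-mgmt"
        set srcaddr "host-y"
        set dstaddr "mgmt-loopback-ip"
        set groups "adm-grp-b"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
end

# For comparison, the per-admin trusthost form from the original question:
# a wildcard / remote-group admin pinned to one source. Only trusthost1 through
# trusthost10 exist per admin account, which is the limit the thread is about.
config system admin
    edit "admin-a"
        set remote-auth enable
        set remote-group "adm-grp-a"
        set wildcard enable
        set accprofile "super_admin"
        set trusthost1 192.0.2.10 255.255.255.255
    next
end
```

One point to verify in a lab before relying on this: `set groups` in a firewall policy matches on the firewall-authenticated user (captive portal, FSSO, or similar), which is a separate authentication from the admin login that happens once the session reaches the loopback. Whether that identity binding is strong enough for the requirement is exactly what vbandha's "I have not tested this" leaves open.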

AlexFerenX
New Contributor II

Hi @vbandha ,

> Can you tell what is your larger concern here? 

As I've answered before:

> first of all I'm not quite sure about WHY would you like to workaround trusted hosts?

I think I answered this in very first sentence - "... as scalable substitute for 'system admin' limit of 10 trusthosts.". Perhaps unclear, but 10 isn't enough!! If FortiOS only allowed 10 "firewall local-in-policy" entries - would that be enough?


> I have not tested this so you may need to test this to confirm. 

The requirement is simple (again, for clarity the keyword is: "scalable"). I understand you (personally) may not be obliged to provide a KB to cover it, but Fortinet should... if it is possible.


Thanks, Feren
