Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rc42
New Contributor

Management access from a specific outside site, I thought it was simple

I've done this countless times on non-Fortinet firewalls so the concepts are far from new for me.

 

I want to be able to access the management web page from the outside, from a specific IP address.

I do not want to limit in any way the access on other interfaces. Some of the subnets get changed and I don't want to use the permitted host in the management because this could result in the firewall not be accessible. I also need to use the same username outside as in.

 

Normally I would enable https management, and creat an ACL that permitted access to https, on the outside interface, from a specific subnet. And the implicit deny would take care of the rest.

 

But on the Fortigate when I enable the management access it lets in https from everywhere.

I tried creating a specific inbound policy limiting inbound https to the subnet, and a specific deny policy for https from everywhere (in sequence after the permit). But this seems to do nothing.

4 REPLIES 4
Dave_Hall
Honored Contributor

I think you want restrict login to trusted hosts.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
rc42
New Contributor

Sorry, I used the term "permitted" host not "trusted" host in my post. This won't work from a practical standpoint because of the conditions.

The IP subnets behind the firewall are excessive, and subject to change by persons other than myself. This could easily result in the firewall not being accessible following a subnet change.

This also prevents me from using multple usernames. Since an unrestricted username could be used either internally or externally.

 

I'm a little surprised that Fortigate doesn't allow an ACL instead of, or in front of, the interface settings, even through the CLI. I just assumed I was missing something.

 

Dave Hall wrote:

I think you want restrict login to trusted hosts.

 

 [attachImg]https://forum.fortinet.com/download.axd?file=0;172802&where=message&f=Restrict login to rusted hosts.jpg[/attachImg]

jamesmeuli
New Contributor II

Have a look at local-in policies mate. 

rc42
New Contributor

jamesmeuli thanks that's just what I was looking for.

A quick little CLI:

 

config system interface edit wan1 set allowaccess ping https fgfm next end

config firewall address edit 1-public-IP set subnet xxx.xxx.xxx.xxx 255.255.255.xxx next edit 2-public-IP set subnet yyy.yyy.yyy.yyy 255.255.255.xxx

next edit Primary-Internet-IP set subnet zzz.zzz.zzz.zzz 255.255.255.255 end

config firewall addrgrp edit public-IPs set member 1-public-IP 2-public-IP next end

config firewall local-in-policy edit 1 set intf wan1 set srcaddr public-IPs set dstaddr Primary-Internet-IP set action accept set service HTTPS set schedule always set status enable next edit 2 set intf dmz set srcaddr all set dstaddr Primary-Internet-IP set service HTTPS set action deny set schedule always set status enable next end

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors