Support Forum
albaker1
Contributor

Need to block access to FortiManager, similar to local-in-policy

We've been managing our FGTs with FMG for a while, and we've been trying to figure out how to restrict access to the FMG. We are using SAML SSO, so the trusted hosts option isn't available - at least, it doesn't appear that logins for SSO can be restricted to trusted hosts. I also don't see an option for implementing local-in-policy. Even though all our FGTs are controlled by these controls, our FMG isn't - anyone in our organization can attempt to log in, though we do have logins restricted to a particular group. Especially in light of the critical FMG vulnerability last year, this seems like a serious oversight if it can't be done - hence, I believe it can, but we just can't find the right area to configure.

 

How are you folks approaching limiting access to which hosts can log into the FMG?

funkylicious
SuperUser

I usually control who can access what, on FMG and FAZ with firewall rules on the FGT in front of them.

For FAC I use 2 nics, one for WAN where I enable FortiToken and one for LAN for management.

"jack of all trades, master of none"
albaker1
Contributor

I was hoping this wasn't the best option, but I guess that isn't the case. We just replaced our Cisco firewalls with FGTs, and a guy on the team jokingly suggested this morning putting one of the Firepowers in front of the FMG. I am surprised that access to the FMG isn't more robust.

 

funkylicious

Well, it's best practice to have one or more firewalls in front of any public-facing applications/servers and not expose them directly... you can put any kind/vendor of firewall in front of it.

"jack of all trades, master of none"
chall_FTNT
Staff

Local-in policies exist on FMG (7.2.0 & later) as well.
For an example, see: PSIRT | FortiGuard Labs

If you are looking to restrict access specifically for the FGFM protocol, consider enabling "fgfm-deny-unknown" to restrict registration/connection attempts to known FortiGates only.

Chris Hall
Fortinet Technical Support
albaker1

This is only part of the problem, so this is great to know. We're wanting to also restrict administrator access to only a handful of subnets.

Toshi_Esumi

Separating admin access and using another interface/port dedicated for it is recommended.

Toshi

albaker1
Contributor

We don't allow any management interface directly from the Internet, and we generally don't even allow management access from our entire internal network. Our machines are assigned to subnets when we log into VDI, so we're trying to restrict access to only those subnets. Admin and data access are separated.

Toshi_Esumi

Upgrade the FMG to 7.2 when all managed FGTs are upgraded to at least 7.0, then use a local-in-policy.

Toshi
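Putting the local-in-policy and fgfm-deny-unknown suggestions from the replies above into one FMG 7.2 CLI fragment. This is an added example, not configuration posted by anyone in the thread; the interface name port1, the two VDI subnets, the admin ports, and the trailing explicit drop rule are assumptions (constructed values), so check the field names and the evaluation order against the CLI reference for the exact FMG release before applying.

```text
# Assumed: admin access arrives on port1 (constructed name); VDI subnets are
# 10.20.30.0/24 and 10.20.31.0/24 (constructed); GUI on TCP/443, CLI on TCP/22.
# Policies are assumed to be evaluated top-down, so the last entry drops
# anything the earlier accept entries did not match.
config system local-in-policy
    edit 1
        set action accept
        set intf port1
        set protocol tcp
        set dport 443
        set src 10.20.30.0/24
    next
    edit 2
        set action accept
        set intf port1
        set protocol tcp
        set dport 443
        set src 10.20.31.0/24
    next
    edit 3
        set action accept
        set intf port1
        set protocol tcp
        set dport 22
        set src 10.20.30.0/24
    next
    edit 4
        set action drop
        set intf port1
        set protocol tcp
        set dport 443
        set src 0.0.0.0/0
    next
    edit 5
        set action drop
        set intf port1
        set protocol tcp
        set dport 22
        set src 0.0.0.0/0
    next
end

# Separate control for the FGFM tunnel: refuse connection/registration
# attempts from devices that are not already known to this FMG.
config system global
    set fgfm-deny-unknown enable
end
```

Keep a console or out-of-band path available while testing, since a mistaken source subnet in the accept entries locks out the GUI and SSH together; the SSO administrators still need their source restriction applied on the IdP side, as noted later in the thread.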

chall_FTNT
Staff

As for admin users of type SSO, the trusted host configuration should be configured on the IDP server.

Chris Hall
Fortinet Technical Support