Steven_Lengua
New Contributor

Restrict Inbound HTTPS traffic to a specific IP

We have a Fortigate 600C. At the moment you can get to our Firewall admin page through https from the internet. What is the best way to lock down this access to only allow access from specific IP's? So, we would still like access to the admin page and to get logged in from the internet, but only from specific IP addresses.

 

Thanks in advance. New to Fortinet and need all the assistance I can get.

 

CAlengua

1 Solution
ede_pfau
Esteemed Contributor III

Hi Steven,

 

there is a feature called "Trusted Hosts" explicitly for this situation.

In the Web GUI, go to "System" > "Admin" > "Administrators" > "edit".

Now if you check the option "Restrict this Admin Login from Trusted Hosts Only" you get 3 input fields where you can enter host addresses and netmasks. You can specify a single host like "1.2.3.4/32" or a subnet like "10.11.12.0/28".

 

Beware that as long as ANY admin allows all hosts you can always access the FGT from any address. So make it tight.

 

 

edit: I'm sorry. This was easily the longest post on the forums ever. Either I'm too dumb just pasting in a screenshot, or the forum software doesn't really cut it. I had seen the screenshot OK in the preview. Why can't I attach a .png??


Ede

"Kernel panic: Aiee, killing interrupt handler!"

4 REPLIES
Steven_Lengua
New Contributor

This is helpful, but won't this still allow all addresses to get to the admin page? They won't be able to log in but won't they get the login screen?

CAlengua

Dave_Hall

Steven Lengua wrote:

This is helpful, but won't this still allow all addresses to get to the admin page? They won't be able to log in but won't they get the login screen?

Can't see Ede's image, but I posted my reply to your same exact question in User and Authentication.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Steven_Lengua
New Contributor

Thanks. I couldn't figure out how to delete this thread in Log and Report and post in the more appropriate forum section. So it ended up being in two different places.

CAlengua
