Restrict Inbound HTTPS traffic to a specific IP
We have a FortiGate 600C. At the moment you can get to our firewall admin page through HTTPS from the internet. What is the best way to lock down this access to only allow access from specific IPs? So, we would still like access to the admin page and to get logged in from the internet, but only from specific IP addresses.
Thanks in advance. New to Fortinet and need all the assistance I can get.
CAlengua
Hi Steven,
there is a feature called "Trusted Hosts" explicitly for this situation.
In the Web GUI, go to "System" > "Admin" > "Administrators" > "edit".
Now if you check the option "Restrict this Admin Login from Trusted Hosts Only" you get 3 input fields where you can enter host addresses and netmasks. You can specify a single host like "1.2.3.4/32" or a subnet like "10.11.12.0/28".
Beware that as long as ANY admin allows all hosts you can always access the FGT from any address. So make it tight.
edit: I'm sorry. This was easily the longest post on the forums ever. Either I'm too dumb just pasting in a screenshot, or the forum software doesn't really cut it. I had seen the screenshot OK in the preview. Why can't I attach a .png??
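The warning in the reply above (one admin left open to all hosts undoes the restriction for everyone) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not part of Ede's reply and not a Fortinet tool: it parses the output of `show system admin` from the FortiOS CLI, where the GUI's trusted-host fields appear as `set trusthostN <ip> <netmask>`, lists every account that can still log in from anywhere, and prints the CLI needed to pin those accounts to an allowed list. The sample output is constructed with hypothetical accounts (`admin`, `netops`, `helpdesk`) and omits the `set password ENC ...` lines a real dump carries. Treating an explicit `0.0.0.0 0.0.0.0` entry as unrestricted is a conservative assumption; so is the limit of ten `trusthost` slots per account.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show system admin` output (hypothetical accounts).
# "admin" is pinned to one host and one /28; "netops" has an explicit any-host
# entry; "helpdesk" has no trusthost lines at all.
SAMPLE_SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.240
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

ANY_HOST = ("0.0.0.0", "0.0.0.0")   # address/mask pair that matches every source
MAX_TRUSTHOST_SLOTS = 10            # assumption: trusthost1..trusthost10


@dataclass
class AdminAccount:
    name: str
    trusted_hosts: list = field(default_factory=list)  # (ip, netmask) tuples

    def is_restricted(self):
        # Conservative reading: no trusthost lines at all, or any explicit
        # 0.0.0.0/0 entry, means this account can log in from any address.
        if not self.trusted_hosts:
            return False
        return all(h != ANY_HOST for h in self.trusted_hosts)


_EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_TRUST_RE = re.compile(r'^\s*set\s+trusthost(\d+)\s+(\S+)\s+(\S+)\s*$')


def parse_admins(text):
    """Walk a `show system admin` dump and collect each account's trusted hosts."""
    admins = []
    current = None
    for line in text.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = AdminAccount(m.group(1))
            admins.append(current)
            continue
        m = _TRUST_RE.match(line)
        if m and current is not None:
            current.trusted_hosts.append((m.group(2), m.group(3)))
        elif line.strip() == "next":
            current = None
    return admins


def unrestricted_admins(text):
    """Names of accounts that are not pinned to specific source addresses."""
    return [a.name for a in parse_admins(text) if not a.is_restricted()]


def remediation_cli(text, allowed):
    """FortiOS CLI that pins every unrestricted account to `allowed`,
    a list of (ip, netmask) pairs, e.g. [("203.0.113.10", "255.255.255.255")]."""
    lines = ["config system admin"]
    for name in unrestricted_admins(text):
        lines.append(f'    edit "{name}"')
        for i, (ip, mask) in enumerate(allowed[:MAX_TRUSTHOST_SLOTS], start=1):
            lines.append(f"        set trusthost{i} {ip} {mask}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    open_accounts = unrestricted_admins(SAMPLE_SHOW_SYSTEM_ADMIN)
    print("accounts reachable from any address:", open_accounts)
    print(remediation_cli(SAMPLE_SHOW_SYSTEM_ADMIN,
                          [("203.0.113.10", "255.255.255.255"),
                           ("198.51.100.0", "255.255.255.240")]))
```

Paste a real `show system admin` dump into `SAMPLE_SHOW_SYSTEM_ADMIN` (or read it from a file) and re-run after every change to admin accounts; the result should be an empty list, since a single open account is enough to expose the login from anywhere.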
This is helpful, but won't this still allow all addresses to get to the admin page? They won't be able to log in but won't they get the login screen?
CAlengua
Steven Lengua wrote: "This is helpful, but won't this still allow all addresses to get to the admin page? They won't be able to log in but won't they get the login screen?"
Can't see Ede's image, but I posted my reply to your same exact question in User and Authentication.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks. I couldn't figure out how to delete this thread in Log and Report and post in the more appropriate forum section, so it ended up being in two different places.
CAlengua