We have a Fortigate 600C. At the moment you can get to our firewall admin page through HTTPS from the internet. What is the best way to lock down this access to only allow access from specific IPs? So, we would still like access to the admin page and to get logged in from the internet, but only from specific IP addresses.
Thanks in advance. New to Fortinet and need all the assistance I can get.
CAlengua
Management restriction can be done in several ways. On each interface you can define which ports are open for admin access; then under the admin settings, you can define the actual port numbers themselves and the idle timeout. For each admin ID there are options for restricting access to trusted IP hosts/subnets, which is likely what you want. (Not pictured are options for authentication types/two-factor authentication.)
If you are new to managing Fortigates, take a look at the Install and System Admin handbook (link is for 5.0 firmware).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
If I have several users and profiles, and I want the same restrictions for all (10.0.0.x, 10.20.0.x), should I do that for all the users?
@JohnAgora: Yes. There is no 'global' IP whitelist.
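The three layers described in the accepted answer (interface allowaccess, admin ports/timeout, per-admin trusted hosts), written out as a FortiOS CLI fragment. This is an added example, not configuration from the thread or from Fortinet; it assumes the Internet-facing interface is named "wan1", that the admin accounts are "admin" and "netops", and uses placeholder addresses (203.0.113.10 for the remote operator, 10.0.0.0/24 and 10.20.0.0/24 as in the follow-up question) and non-default ports 8443/2222. Lines beginning with "#" are annotations; drop them before pasting into the CLI.

```text
# 1. Limit which management protocols the WAN interface answers at all.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# 2. Move admin HTTPS/SSH off the default ports and shorten the idle timeout (minutes).
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admintimeout 10
end

# 3. Trusted hosts are a per-account setting. The default (0.0.0.0 0.0.0.0)
#    means "from anywhere", so every admin account must be restricted separately.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 10.0.0.0 255.255.255.0
        set trusthost3 10.20.0.0 255.255.255.0
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 10.20.0.0 255.255.255.0
    next
end

# 4. Review the result: any account listed here without trusthost lines
#    can still log in from any address the interface accepts.
show system admin
```

Apply this from the console or from an address that will be on the trusted list: trusthost changes take effect immediately, and a remote session from an address that is no longer trusted is dropped. The trusthost entries cover every management protocol for that account (GUI, SSH, API), which is why there is no separate "global" whitelist; IPv6 sources are controlled by the corresponding ip6-trusthost settings.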
It should be mentioned that direct mgmt access from the WAN is a (IMHO huge) security risk by itself. If you know the IP addresses of authorized persons in advance, you should set up a VPN and access mgmt on an internal port. I prefer IPsec VPN (with long PSKs or certs) as it has not yet been compromised, but an SSLVPN in tunnel mode should do as well in most cases. The additional one-time effort is small compared to the constant threat to publicly exposed open ports for HTTPS or SSH (see Heartbleed etc.).
I agree. Anyhow, it is not always an option; sometimes the business requirements don't match.
By the way, do you know if there's a cookbook to set up that kind of secure access (VPN + portal on an internal interface)?
Thanks!
Copyright 2024 Fortinet, Inc. All Rights Reserved.