MikePruett
Valued Contributor

Restrict management access to a certain country

I know that you can restrict administrative logins for certain accounts to certain IP spaces.

 

I was wondering if there is a way to restrict the HTTPS page from being viewed at all unless it came from Country "A".

Mike Pruett Fortinet GURU | Fortinet Training Videos
Dave_Hall
Honored Contributor

You can do this by defining a geography firewall label, then creating a local-in-policy that allows access on port 443.

config firewall address
    edit "Canada"
        set associated-interface "wan1"
        set type geography
        set country CA
    next
end
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "Canada"
        set dstaddr "all"
        set action accept
        set service "443"
        set schedule "always"
    next
end

 

Personally, I feel this approach is not best practice -- you'll be better off setting up the admin access ports on the Interface and restricting admin access from trusted hosts (see attached pic).

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
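
The two approaches from this thread side by side, as an added example that is not part of either post: a geography local-in policy paired with an explicit deny (an accept entry alone leaves other sources to the interface's allowaccess setting), and the trusted-host setup the reply recommends. Assumptions: the "Canada" address object from the reply already exists, the GUI listens on the default port covered by the predefined "HTTPS" service, the account is named "admin", and 203.0.113.0/24 is a constructed management range.

```fortios
# Added example. Lines starting with "#" are notes for the reader;
# strip them before pasting into the CLI.

# --- Option 1: geography filter on the GUI port ---------------------
# Local-in policies are evaluated top down, so the accept entry must be
# created before the deny entry.
config firewall local-in-policy
    # Allow HTTPS to the FortiGate itself from the geography object.
    edit 0
        set intf "wan1"
        set srcaddr "Canada"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    # Drop HTTPS to the FortiGate from every other source on wan1.
    edit 0
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end

# --- Option 2: admin access ports plus trusted hosts ----------------
# "set allowaccess" replaces the whole list, so name every management
# protocol that should stay enabled on the interface.
config system interface
    edit "wan1"
        set allowaccess https
    next
end
# Constructed management range; repeat for each administrator account.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
    next
end
```

Trusted hosts only stop the login page from answering other sources when every administrator account has at least one trusted host set. Check the result from an address outside the allowed range before closing the session used to apply it.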