HA wrote: First, I create an admin profile with NONE privilege.
Next, I create a user (call it PING) with the NONE profile and NO IP restriction (to allow ping from everywhere).
Next, I limit the admin user to a specific IP range.
The external user can still try to connect, but even if they discover the PING password, no privilege will be granted...
I tried that route as well, but I never want everyone to have an open port accessible. In this case, I would completely rely on the security functions of the device. What if the account login functionality had a flaw?
HA wrote: I personally used the following method.
First, I create an admin profile with NONE privilege.
Next, I create a user (call it PING) with the NONE profile and NO IP restriction (to allow ping from everywhere).
Next, I limit the admin user to a specific IP range.
The external user can still try to connect, but even if they discover the PING password, no privilege will be granted...
I am essentially doing the same thing. I have a user with no access and a very long password with no IP restrictions. This will allow PING to work.
But I grew tired of changing my other admin ports like HTTPS and SSH to something else. Even when I did change them, I still had people discover them and try daily to log in (didn't happen at all sites though). I then decided to switch back to standard port numbers but use local-in policies to totally block all access to sensitive ports like HTTPS and SSH from everywhere except trusted IPs. PING still works because of the extremely limited user account, and no special rules were needed in the local-in policies.
Like I said at one point, Fortinet should make it much easier to control PING separately from the other administrative services.
I take the same approach as HA but use a password of 20+ characters and two-factor authentication rather than allow that guy untrusted access.
For basic admin access, do as he stated: create a "NONE" profile (he mentioned privilege, but it is a profile with nothing allowed) and apply that to the ping user.
Ken
PCNSE
NSE
StrongSwan
Valid points; you have to analyze the risk. If you create a weird username with a maximum-length password and then enable two-factor, your risk of exposure is minimal.
1st, the person has to KNOW the account to enter any next step
2nd, they would need to know your long password
3rd, they would need to know the token
That's a lot of information the attacker could never acquire. In my case, for the token, I sent it to a nobody account.
e.g
So when they are challenged, even if they managed to find steps #1 and #2 (very highly unlikely, btw), they would never have the token since they are unaware of what the token is.
It's like 110% fool-proof, imho, and allows you to have a ping service for whoever needs to ping you. Since I've used this approach that HA mentioned and changed SSH to port xx22, all of my unauthorized SSH logins have been eliminated and I never had a failed web login.
And as HA mentioned, even if they could get through steps #1, #2 and #3, they have "NONE" privilege to do anything. Once again, this is like 10000000% fool-proof.
PCNSE
NSE
StrongSwan
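The three pieces the posters describe (a no-privilege admin profile, a ping-only admin with no trusted hosts plus a long password and two-factor, and local-in policies that confine HTTPS/SSH to trusted addresses) fit into one FortiOS CLI configuration. The block below is an added example written for this thread, not configuration taken from any of the posters or from Fortinet documentation. It assumes FortiOS 6.x/7.x CLI syntax, a WAN interface named wan1, the constructed management address 203.0.113.10 (RFC 5737 documentation range), and placeholder values for the password and the two-factor mailbox; adjust all of these to the real environment.

```fortios
# --- 1. Admin profile that grants nothing -------------------------------
# A newly created profile already defaults every group to "none"; the
# settings are spelled out here so the intent survives a later review.
config system accprofile
    edit "NONE"
        set secfabgrp none
        set ftviewgrp none
        set authgrp none
        set sysgrp none
        set netgrp none
        set loggrp none
        set fwgrp none
        set vpngrp none
        set utmgrp none
        set wifi none
    next
end

# --- 2. Address object for the trusted management host (constructed) ----
config firewall address
    edit "trusted_mgmt"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# --- 3. Admin accounts --------------------------------------------------
config system admin
    # Ping-only account: deliberately has NO trusthost entries, so the unit
    # answers ICMP echo from any source. It can never do anything because
    # of the NONE profile; the long password and e-mail two-factor are the
    # extra hurdles the thread recommends. The mailbox is a placeholder.
    edit "ping-only-svc-8f2k"
        set accprofile "NONE"
        set password "REPLACE-WITH-20-PLUS-RANDOM-CHARACTERS"
        set two-factor email
        set email-to "nobody@example.invalid"
    next
    # Real administrator: restricted to the trusted host.
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 203.0.113.10 255.255.255.255
    next
end

# --- 4. Local-in policies: HTTPS/SSH only from the trusted host ---------
# Order matters: the accept entry must precede the deny entry. ICMP is not
# listed, so ping is governed only by the admin trusthost logic above.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted_mgmt"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

To confirm the result, ping the WAN address from a host that is not in trusted_mgmt (echo replies should arrive) and then attempt a TCP connection to 443 and 22 from the same host (both should be dropped rather than reach the login page). A packet capture on the unit such as `diagnose sniffer packet wan1 'port 443' 4` shows the inbound SYNs arriving with no reply, which is the behaviour the second poster describes: the login services are never reachable from untrusted sources, so a flaw in the login code is not exposed, while the ping-only account still keeps ICMP open.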
Copyright 2024 Fortinet, Inc. All Rights Reserved.