We've got an HVAC vendor with remote access to our HVAC controls. I have a policy set to allow access to our HVAC from their home office IP to one of our external IPs and a Fortigate VIP to an internal address. The only services allowed on this policy are a list of TCP ports they need to access the HVAC.
Here's the issue: They changed their support to field technicians who want to access our site via hotspots while they are out in the field, not their home office.
What are some best practices for adjusting the sources on the policy to accommodate these hotspots without opening up this public IP to all the world? Since they are using their cell phones, I don't think I can whitelist a set of addresses, because they'll keep changing. What are the best practices here? Thank you.
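For readers less familiar with FortiOS, here is what the policy described in the post looks like in the FortiGate CLI. This is an added illustration, not the poster's actual configuration: the address object, VIP, service, interface names, ports, and all IP addresses (RFC 5737 documentation ranges) are made-up placeholders. The commented-out `srcaddr` line shows the setting the post is trying to avoid, since with a VIP on the WAN interface, `srcaddr "all"` exposes the mapped internal host to the whole internet on every port in the service object.

```fortios
# Added example (not from the original post). All names, ports and
# addresses below are placeholders chosen for illustration.

# Source restriction: the vendor's fixed home-office public IP as a /32.
config firewall address
    edit "HVAC-Vendor-Office"
        set type ipmask
        set subnet 198.51.100.25 255.255.255.255
    next
end

# Only the TCP ports the vendor actually needs (placeholder ports).
config firewall service custom
    edit "HVAC-Vendor-TCP"
        set tcp-portrange 8080 47808-47809
    next
end

# VIP: public address on the WAN interface mapped to the internal HVAC controller.
config firewall vip
    edit "HVAC-Controller-VIP"
        set extip 203.0.113.40
        set extintf "wan1"
        set mappedip "10.20.30.40"
    next
end

# Inbound policy tying the three together. "edit 0" takes the next free policy ID.
config firewall policy
    edit 0
        set name "HVAC-Vendor-Inbound"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "HVAC-Vendor-Office"
        # set srcaddr "all"    <- the weak setting: opens the VIP to any source
        set dstaddr "HVAC-Controller-VIP"
        set action accept
        set schedule "always"
        set service "HVAC-Vendor-TCP"
        set logtraffic all
    next
end
```

The three controls that keep this narrow are the `/32` source object, the explicit service list, and the VIP mapping to a single host; loosening `srcaddr` removes the first of them, which is why `logtraffic all` on this policy matters, so that any access to the controller from an unexpected source shows up in the traffic logs.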