Restricting Management Access to Fortigate Firewalls

Sometimes it’s just unavoidable that you need to do in-band management of firewalls. This is particularly the case if the firewall is hosted externally – such as within AWS. Here’s a quick recipe on restricting management access to the Fortigate firewall.

I’ve written a similar article for the Juniper SRX on controlling management access by client IP address, so to keep the series consistent, here’s how to do the same on a Fortigate.

Unfortunately, it isn’t as easy as on Junos: part of the work has to be done in the FortiOS command-line interface. Nevertheless, it’s fairly straightforward.


Create Object Group for Management Clients

First, create an address object for each permitted management client or subnet, then put them in an address group in the web GUI (Policy &amp; Objects > Addresses). Call it Firewall_Management; the policy configured in the next step refers to the group by this name.


Configure the Inbound Policy

Now, log into the command-line interface (CLI). You can do this via an SSH session or using the CLI console widget on the web GUI dashboard.

Here’s the dialog:
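As an added example, not the original article’s own CLI dialog, here is a FortiOS CLI session that implements this step with local-in policies, the mechanism FortiOS uses to filter traffic addressed to the firewall itself (and, in the versions current when this was written, one that could only be configured from the CLI). It assumes the management interface is port1, that HTTPS and SSH are the only management protocols that should be reachable on it, and that the Firewall_Management address group from the previous step already exists. Lines beginning with # are annotations, not CLI input.

```text
# Added example: restricting administrative access on port1 to the
# Firewall_Management address group. Assumptions (not from the original
# article): management interface is port1; only HTTPS and SSH are needed.

# 1. Only expose the protocols that are actually needed on the interface.
#    Local-in policies can only restrict what allowaccess already permits.
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end

# 2. Local-in policies are matched top to bottom and the first match wins.
#    Traffic that matches no local-in policy is ALLOWED, so the explicit
#    deny in policy 2 is what actually locks out everyone else.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "Firewall_Management"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end

# 3. Review what is now in place and check the order of the two policies.
show firewall local-in-policy
```

Enter the accept policy before the deny, do it from a session that originates inside Firewall_Management, and keep that session open until a second connection has succeeded, because a deny entered first (or a typo in the group name) will cut off the session you are typing in. If management is enabled on more than one interface, repeat the two policies for each of them. As an independent second layer, each administrator account can also be restricted with `set trusthost1 <ip> <mask>` under `config system admin`, which applies on every interface regardless of local-in policies.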


Verification and testing

Here are the steps to verify that everything works as intended:

  • Confirm that hosts in the Firewall_Management group can still connect over both SSH and HTTPS.
  • Confirm that a few hosts outside the group cannot reach the management interface on either protocol (expect the connection attempt to time out rather than be refused immediately, since the policy drops the packets).
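The client-side checks above can be complemented from the firewall side. The following is an added example, not part of the original article: it assumes port1 is the management interface and uses two constructed client addresses, 192.0.2.10 (a member of Firewall_Management) and 198.51.100.7 (not a member), while each of them attempts an SSH and an HTTPS connection.

```text
# Added example (not the original article's): verifying the local-in
# policies from the FortiOS CLI. Assumes port1 and the constructed client
# addresses 192.0.2.10 (permitted) and 198.51.100.7 (not permitted).

# Confirm the policy order: the accept for Firewall_Management must be
# listed before the catch-all deny, because the first matching policy wins.
show firewall local-in-policy

# Capture connection attempts to the management services on port1 while the
# two clients try to connect (verbosity 4 prints interface name and packet
# headers; stop after 20 packets).
diagnose sniffer packet port1 'tcp and (port 443 or port 22) and (host 192.0.2.10 or host 198.51.100.7)' 4 20
```

For 192.0.2.10 the capture should show each client SYN answered by a SYN-ACK from the firewall. For 198.51.100.7 it should show only the client’s SYNs, retransmitted a few times and never answered, which is what a local-in deny looks like on the wire. If the non-member host does get a SYN-ACK, check that the deny policy exists, sits after the accept, and names the interface the traffic actually arrives on.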

Permanent link to this article: https://crypt.gen.nz/2017/08/18/restricting-management-access-to-fortigate-firewalls/