By default you can connect to any firewall interface which has administrative traffic enabled, for example:
- The firewall internal interface is configured for 192.168.1.1/24 and to accept ping, https and ssh
- The trusted hosts for your admin account are configured for 0.0.0.0/0 and you only have one account configured
- You are located on the 192.168.44.0 network and can reach the firewall's internal interface via a router
- You can ping the firewall and access the login screens for the web gui as well connect to port 22 to attempt to authenticate via SSH. If you provide the correct credentials for the admin user you will be granted access.
- Under System -> Admin edit the appropriate user
- Set Trusted Host #1 to 192.168.1.0/24 and ignore the other two
Multiple Administrator Accounts
If you have multiple administrator accounts defined be aware that all of the trusted hosts for all accounts need to be configured exactly the same for this to work as shown in the next screenshot.
If any of the trusted hosts defined are different when compared between admin accounts the interfaces will be reachable again. However you will of course only be able to login if your IP address matches the trusted hosts defined in your admin account.
Also make sure you remember that your firewall interfaces are locked down so you don't start wondering why all of a sudden your firewall no longer responds to pings. (That has of course never happened to me ;)
4 comments:
And other administrative functions, like SNMP, are also implicitly affected by the administrator trusted IP blocks as well.
If SNMP isn't working, make sure that the range of IPs you are querying from is also listed as being allowed to login for one of the admin accounts.
Another idea complements of the FortiGate v4.0 CLI Reference page 370:
strong-crypto
{enable | disable}
Default Setting: disable
Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for
HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.
thanks dear
it helped me to resolve the issue
How can allow access to ui using internal interface of fw while accesing from remote site ssl vpn
Thanks
Post a Comment