FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
gmanea
Staff
Article Id 193822

Description
As a part of two-factor authentication and the push notification flow, the FortiToken Mobile app needs to communicate directly with FortiAuthenticator using REST API.
FortiAuthenticator needs to be publicly accessible over the internet for this, and so in certain scenarios it may be desirable to completely block public access to everything except the push response endpoint.

This article describes a simple method to configure such restriction, using the Web Application Firewall (WAF) UTM feature available in FortiOS.

Scope
This article does not cover the initial setup of two-factor authentication with push notifications, and assumes that this feature is already working in the environment.

Solution
Create a WAF profile that allows only the HTTP POST method and only the /api/v1/pushauthresp/ path.
(This is the method and path the FortiToken Mobile app uses to deliver push responses to the FortiAuthenticator.)

# config waf profile
    edit "fac_push_only"
        # config method
            set status enable
            set log enable
            # config method-policy
                edit 1
                    set pattern "/api/v1/pushauthresp/" #allow only this URL path
                    set address "all"
                    set allowed-methods post #allow only HTTP POST method
                next
            end
        end
    next
end

Enable the new WAF profile in the corresponding policy that is used to process traffic from the FortiToken Mobile app to the FortiAuthenticator.
Note that the policy (or the VDOM in earlier versions of FortiOS) has to be set to proxy inspection mode, and deep SSL inspection needs to be applied as well (required because the traffic is HTTPS, and the WAF can only inspect the request method and URL path after decryption).

# config firewall policy
    edit 123
        set name "FAC push response"
        set srcintf "<internet-facing interface>"
        set dstintf "<local interface towards FAC>"
        set srcaddr "all"
        set dstaddr "<VIP object for accessing FAC>"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable <===
        set inspection-mode proxy <===
        set ssl-ssh-profile "deep-inspection" <===
        set waf-profile "fac_push_only" <===
    next
end

Verification

Any application or utility capable of sending requests over HTTPS can be used.
The tests below use the curl tool.

1) POST request to the correct REST API endpoint. Should be allowed.

$ curl -X POST --insecure https://my-fac.exampledomain.com/api/v1/pushauthresp/

Expected result:

{"error": "Request is not valid JSON."}

(The error comes from FortiAuthenticator due to the request not containing any real push response, and can be safely ignored.)

2) GET request to the same address. Should be blocked as only POST requests are allowed by the WAF profile.

$ curl --insecure https://my-fac.exampledomain.com/api/v1/pushauthresp/

Expected result: HTML page with text disclaimer saying:

The transfer has triggered a Web Application Firewall.

This transfer is blocked.
URL: https://my-fac.exampledomain.com/api/v1/pushauthresp/
Event Type:  method restriction

3) POST or GET request for a different URL path. Should be blocked, as only the push response path is allowed.

$ curl --insecure https://my-fac.exampledomain.com/bad/path/example

Expected result is the same as in the previous test.

4) Blocking can also be verified by opening a URL that is not allowed from a browser. A blocked request will display the following disclaimer.

5) Finally, verify that actual push notifications are still functional by performing a real two-factor authentication that includes a push notification (e.g. an SSL-VPN login).
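The four curl checks above can be run as one script so the policy can be re-verified after every change. This is an added example and not part of the original article; it assumes the placeholder hostname my-fac.exampledomain.com from the tests above and classifies each response body using the expected results given there.

```python
"""Verification matrix for the FortiAuthenticator push-only WAF policy (added example)."""
import subprocess

FAC_HOST = "my-fac.exampledomain.com"   # placeholder host from the article; replace with your FAC
PUSH_PATH = "/api/v1/pushauthresp/"     # the only path the WAF profile allows

# (method, path, expected outcome) as given by tests 1 to 3 in the article.
CASES = [
    ("POST", PUSH_PATH, "allowed"),
    ("GET", PUSH_PATH, "blocked"),
    ("GET", "/bad/path/example", "blocked"),
    ("POST", "/bad/path/example", "blocked"),
]


def classify(body: str) -> str:
    """Map a response body to the outcome the article's expected results describe."""
    if "Request is not valid JSON" in body:
        return "allowed"      # FortiAuthenticator answered, so the request reached the API
    if "Web Application Firewall" in body and "This transfer is blocked" in body:
        return "blocked"      # FortiGate WAF replacement page
    return "unexpected"       # anything else (e.g. a FAC login page): restriction not in effect


def fetch(method: str, path: str) -> str:
    """Send one request with curl, using --insecure as in the article's tests."""
    cmd = ["curl", "-s", "--insecure", "-X", method, f"https://{FAC_HOST}{path}"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


def evaluate(bodies: dict) -> list:
    """bodies: {(method, path): response_body}. Returns one report entry per case."""
    report = []
    for method, path, expected in CASES:
        got = classify(bodies.get((method, path), ""))
        report.append({"method": method, "path": path, "expected": expected,
                       "got": got, "ok": got == expected})
    return report


def all_pass(report: list) -> bool:
    """True only if every case matched; an 'unexpected' on a blocked case means the WAF is not filtering."""
    return all(entry["ok"] for entry in report)


if __name__ == "__main__":
    live = {(m, p): fetch(m, p) for m, p, _ in CASES}
    for entry in evaluate(live):
        print(f"{'OK ' if entry['ok'] else 'FAIL'} {entry['method']:4} {entry['path']}: "
              f"expected {entry['expected']}, got {entry['got']}")
```

Run it after enabling the policy; a FAIL on one of the "blocked" cases means the WAF profile is not being applied to that traffic (check the policy's inspection mode, SSL inspection profile and that the WAF profile is selected).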
