ArifS
Contributor

Restricting access to management console in FortiAuth

I configured "allow access from specific subnets" under the admin user configuration, but it still allows access from anywhere. Is there anything I am missing?

[screenshot: FortiAuthAdmin.JPG]
1 Solution
ebilcari

FAC will check the request and refuse the connection if the URL has a different domain. In your case I suspect that from the browser you typed the URL of the proxy. You have the option to allow all, or to manually specify the domains you can use in the end user browser to access FAC.

[screenshot: access.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Markus_M
Staff

Hi Arif,

You say "allow access": this means access to see the page (normal) or access to log in (that would be denied).

I suggest blocking other unwanted subnets from the firewall. If you try to block access from external networks, then I suggest using one port internally for admin access and another port for the external access. Normally only push notification services need access from outside.

Best regards,

Markus

ebilcari
Staff

The login page will be accessible but the login will fail with a general error: "Please enter correct credentials. Note that password is case-sensitive."

[screenshot: admins.PNG]
As suggested you can limit GUI access from a firewall or remove Admin access from the interface that is facing the public network and enable it only on a private interface.

[screenshot: port-level.PNG]
You may also consider adding a static route for the management network if they are in different subnets:

[screenshot: static route.PNG]

- Emirjon
ArifS
Contributor

At the moment there is only one port configured, which gives admin access as well as push notifications. If I want to change admin access to a different IP, does it mean I have to add another port with a different IP?

ebilcari

If you want to completely disable the admin login page from outside, then yes, you need to configure another interface (+ static route) and enable Admin GUI access only on the internal interface (recommended).

If you want to limit the ability of the administrator to log in only from specific source IPs, then you can do it with the configuration you already shared. You have to check all the admin users and limit their subnets accordingly (it may be vulnerable to IP spoofing).

- Emirjon
ArifS
Contributor

We only opened port 8443 from outside for push notifications, but internally push notifications are only accepted on port 443. So we NATed external port 8443 to port 443; however, this also gives access to the console via port 8443 from outside. If we could change the FortiAuth push notification port to 8443, it should block access to the console from outside. So is there a way to change the push notification listening port to 8443?

Markus_M

No, it cannot be done. FortiAuthenticator only listens on port 443.

Emirjon already posted what is possible:

As suggested you can limit GUI access from a firewall or remove Admin access from the interface that is facing the public network and enable it only on a private interface.

Create two ports

- one for admin, not publicly reachable.

- one for push only, publicly reachable, but not presenting the login.

ArifS
Contributor

I tried to add a second port, but it does not allow using the same subnet. I think my only option is limiting admin access from the subnet, but that is not working. It still allows access from any subnet.

ebilcari

The second port needs to be in a separate subnet. It can't share the same subnet because it will mess up the routing table. In this case it has to be treated similarly to an OOBM interface.

Regarding the limitation to specific subnets, that option is for limiting access for that admin user only. The login page will be loaded and the user is prompted for credentials, but it will generate the standard wrong-credentials error if opened from another subnet that is not added as trusted.

What firmware version are you using in FAC?

Can you share a snapshot of the logs (Logging > Log Access > Logs) when you try to log in with this admin user?

- Emirjon
ArifS
Contributor

It prevented access from the internet with the following error message (it does prevent access from the internet):

"Local administrator authentication with no token failed: Login attempt from untrusted subnet"

However, it does allow access from our VPN sites with the following message. I was hoping it would only allow access from the same subnet. Anyway, my purpose was to prevent login from the internet, which is working.

"Web access granted to 'admin'"
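The two log messages quoted in the thread are enough to audit whether the per-admin trusted-subnet setting is actually doing what you expect. The script below is an added example, not code from the original thread or from Fortinet: it reads login log lines in a constructed layout, reports every "untrusted subnet" refusal, and flags any "Web access granted" that came from an address outside that admin's configured trusted subnets (the situation described above, where VPN sites were still allowed). The log-line layout, subnets and usernames are assumptions; the real FortiAuthenticator log export looks different, so adapt `parse_line()` to it.

```python
"""Audit FortiAuthenticator admin logins against per-admin trusted subnets.

Added example; not code from the original thread or from Fortinet.
The log-line layout below is constructed for this example (a real FAC log
export is formatted differently), so adjust parse_line() to match yours.
Subnets and usernames are assumptions.
"""
import ipaddress
import re

# Per-admin trusted subnets: the equivalent of the "allow access from
# specific subnets" setting on each admin account (assumed values).
TRUSTED_SUBNETS = {
    "admin": ["10.10.10.0/24"],                     # management LAN only
    "helpdesk": ["10.10.10.0/24", "10.20.0.0/16"],  # LAN plus one VPN site
}

# Constructed sample log lines: "<timestamp> <source-ip> <user> <message>".
# The message texts are the two messages quoted in the thread.
SAMPLE_LOGS = """\
2024-01-10T09:00:01 203.0.113.5 admin Local administrator authentication with no token failed: Login attempt from untrusted subnet
2024-01-10T09:01:12 10.10.10.25 admin Web access granted to 'admin'
2024-01-10T09:02:40 10.50.1.7 admin Web access granted to 'admin'
2024-01-10T09:03:05 10.20.3.9 helpdesk Web access granted to 'helpdesk'
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse_line(line):
    """Split one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, user, msg = m.groups()
    try:
        src = ipaddress.ip_address(ip)
    except ValueError:  # second field is not an address, e.g. free text
        return None
    return {"ts": ts, "ip": src, "user": user, "msg": msg}


def is_trusted(ip, user):
    """True if ip is inside one of the trusted subnets configured for user."""
    return any(ip in ipaddress.ip_network(n) for n in TRUSTED_SUBNETS.get(user, []))


def audit(log_text):
    """Return (kind, timestamp, source-ip, user) tuples worth a second look.

    kind is "blocked" for the untrusted-subnet refusal FAC logs itself, or
    "granted_outside_trusted" when FAC granted web access from an address
    that is not in that admin's trusted subnets as we have them recorded.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "untrusted subnet" in rec["msg"]:
            findings.append(("blocked", rec["ts"], str(rec["ip"]), rec["user"]))
        elif rec["msg"].startswith("Web access granted") and not is_trusted(rec["ip"], rec["user"]):
            findings.append(("granted_outside_trusted", rec["ts"], str(rec["ip"]), rec["user"]))
    return findings


if __name__ == "__main__":
    for kind, ts, ip, user in audit(SAMPLE_LOGS):
        print(f"{ts} {kind:<24} user={user} src={ip}")
```

A "granted_outside_trusted" hit for an account means either that account's trusted-subnet list on the FAC is wider than the one you think you configured (every admin account has its own list, so check each one), or that the address FAC sees is not the client's own, for example after address translation on a VPN hub. The check is only as strong as the source address, which is the IP-spoofing caveat raised earlier in the thread.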
