Local-in-Policy: Deny Admin Access

Fortigate allows you to setup trusted hosts. Trusted hosts means you allow the admin to access the firewall from that IP. However, the Fortigate landing page is still available to a non-trusted host. So how do we avoid a “Brute force Attack” or attempts. Using a Local-in-Policy to deny access to the landing page altogether.

  1. Log onto the firewall.
  2. Go to system > feature visibility
  3. Enable “Local-in-policy”.

NOTE: You will need to configure this via CLI.

Run the following commands:

FORTIGATE #conf fire local (shortened version) <— Entering into the configuration mode

FORTIGATE # (local-in-policy) # edit 1 <—– Adding the rule

new entry ‘1’ added <—- confirms that the rule was added

FORTIGATE # set intf wan1 <— setting the source interface. You will have to create a rule for all the different WAN interfaces.

FORTIGATE # set srcaddr DeniedByLocation <—– I am using a Geo Group to deny. You can use IP, groups, ranges etc.

FORTIGATE # set schedule always <— this means the rule will always be on.

FORTIGATE # set dstaddr all <—– any destination

FORTIGATE # set comments “deny by location” <— noting what the rule is meant for.

FORTIGATE # set action deny <— action for the rule.

FORTIGATE # end <– complete adding the rule

Then run the following to show the policy added:

show firewall local-in-policy

This should deny any unwanted users or intruders from accessing the landing page of the firewall.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.