Sometimes it's just unavoidable that you need to do in-band management of firewalls. This is particularly the case if the firewall is hosted externally, such as within AWS. Here's a quick recipe for restricting management access to the FortiGate firewall.

## Create Object Group for Management Clients

First, create an IP address object group in the web GUI containing the addresses your management clients connect from. Call it `Firewall_Management`.

## Configure the Inbound Policy

Now, log into the command-line interface (CLI). You can do this via an SSH session or using the CLI window in the web GUI dashboard. The result is two local-in policies on the external interface: policy 1 accepts SSH and HTTPS from `Firewall_Management`, and policy 2 denies SSH and HTTPS from everyone else. Local-in policies are evaluated top-down, so the accept must sit above the catch-all deny. Here's the dialog:

```text
Fortigate # config firewall local-in-policy
Fortigate (local-in-policy) # ?
edit      Add/edit a table value.
delete    Delete a table value.
purge     Clear all table values.
move      Move an ordered table value.
clone     Clone a table entry.
get       Get dynamic and system information.
show      Show configuration.
end       End and save last config.
Fortigate (local-in-policy) # show
Fortigate (local-in-policy) # edit 1
new entry '1' added
Fortigate (1) # set ?
*intf                Source interface name.
*srcaddr             Source address name.
*dstaddr             Destination address name.
action               Local-In policy action.
*service             Service name.
*schedule            Schedule name.
auto-asic-offload    Enable/disable policy traffic ASIC offloading.
status               Enable/disable policy status.
Fortigate (1) # set intf ?
<string>        please input string value
any             match any interface in the virtual domain
Internet        interface
port1(External) interface
port2(Internal) interface
port3(DMZ)      interface
Fortigate (1) # set intf Internet
Fortigate (1) # set srcaddr Firewall_Management
Fortigate (1) # set dstaddr al
*name    Address name.
Fortigate (1) # set dstaddr all
entry not found in datasource
value parse error before 'all'
Command fail. Return code -3
Fortigate (1) # set dstaddr Any
Fortigate (1) # set action accept
Fortigate (1) # set service SSH HTTPS
Fortigate (1) # set schedule always
Fortigate (1) # show
config firewall local-in-policy
    edit 1
        set intf "Internet"
        set srcaddr "Firewall_Management"
        set dstaddr "Any"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end
Fortigate (1) # next
Fortigate (local-in-policy) # edit 2
new entry '2' added
Fortigate (2) # set intf "Internet"
Fortigate (2) # set srcaddr Any
Fortigate (2) # set dstaddr Any
Fortigate (2) # set service SSH HTTPS
Fortigate (2) # set schedule always
Fortigate (2) # set action deny
Fortigate (2) # show
config firewall local-in-policy
    edit 2
        set intf "Internet"
        set srcaddr "Any"
        set dstaddr "Any"
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end
Fortigate (2) # next
Fortigate (local-in-policy) # ?
edit      Add/edit a table value.
delete    Delete a table value.
purge     Clear all table values.
move      Move an ordered table value.
clone     Clone a table entry.
get       Get dynamic and system information.
show      Show configuration.
end       End and save last config.
Fortigate (local-in-policy) # show
config firewall local-in-policy
    edit 1
        set intf "Internet"
        set srcaddr "Firewall_Management"
        set dstaddr "Any"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "Internet"
        set srcaddr "Any"
        set dstaddr "Any"
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end
Fortigate (local-in-policy) # end
Fortigate #
```

Two things in the transcript are worth noting. On this firewall the implicit address object is called `Any`, not `all` (hence the `entry not found in datasource` error). And `show` does not display `set action deny` for policy 2: deny is the default action for a local-in policy, and `show` omits settings left at their default, so the deny is still in effect.

## Verification and testing

Here are the verification and testing steps to confirm everything is working:

- Confirm that clients in the `Firewall_Management` group can connect with SSH and HTTPS.
- Confirm that a few other clients cannot reach the management interface.

## Sources

- [Restricting Management Access to Fortigate Firewalls](https://crypt.gen.nz/2017/08/18/restricting-management-access-to-fortigate-firewalls/) (crypt.gen.nz)
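A third check that can be scripted: parse the `show firewall local-in-policy` output and confirm it still matches the recipe (every SSH/HTTPS accept restricted to a named source object, followed by a catch-all deny on the same interface). This is an added example, not code from the original post; it treats a policy with no `set action` line as the default deny, and accepts both `all` and `Any` as the name of the implicit address object, since the transcript shows this firewall uses `Any`.

```python
# Added example, not from the original post: audit `show firewall local-in-policy` output
# against this recipe. `show` omits defaults, so a policy with no `set action` line is
# treated as deny (the default). SAMPLE_SHOW is the recipe's own final `show` output.
import re, shlex
SAMPLE_SHOW = """config firewall local-in-policy
    edit 1
        set intf "Internet"
        set srcaddr "Firewall_Management"
        set dstaddr "Any"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "Internet"
        set srcaddr "Any"
        set dstaddr "Any"
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end
"""
def parse_local_in(show_text):  # policies in configured order; each setting is a token list
    policies, cur = [], None
    for line in map(str.strip, show_text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            cur = {"id": int(m.group(1)), "action": ["deny"], "intf": ["any"]}
        elif line.startswith("set ") and cur is not None:
            cur[line.split()[1]] = shlex.split(line)[2:]  # shlex drops the quotes
        elif line == "next" and cur is not None:
            policies.append(cur)
    return policies
def is_catch_all(addrs):  # implicit address object: "all", or "Any" on this firewall
    return {a.lower() for a in addrs} <= {"any", "all"}
def audit_management_policies(show_text, services=("SSH", "HTTPS")):
    """Return findings per interface; an empty list means the set matches the recipe."""
    findings = []
    pols = [p for p in parse_local_in(show_text) if set(services) & set(p.get("service", []))]
    for intf in sorted({p["intf"][0] for p in pols}):
        chain = [p for p in pols if p["intf"][0] == intf]  # local-in order is top-down
        denies = [p for p in chain if p["action"] == ["deny"] and is_catch_all(p["srcaddr"])]
        if not denies:
            findings.append(f"{intf}: no catch-all deny for {sorted(services)}")
        cutoff = chain.index(denies[0]) if denies else len(chain)
        for i, p in enumerate(chain):
            if p["action"] == ["accept"] and is_catch_all(p["srcaddr"]):
                findings.append(f"{intf}: policy {p['id']} accepts management from any source")
            if p["action"] == ["accept"] and i > cutoff:
                findings.append(f"{intf}: policy {p['id']} is shadowed by deny policy {chain[cutoff]['id']}")
    return findings
```

Running `audit_management_policies(SAMPLE_SHOW)` on the recipe's configuration returns no findings; reordering the two policies, dropping policy 2, or widening policy 1 to `Any` each produces one.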