Correct way to directly manage a FortiGate via SSL-VPN?

I manage a couple FortiGates at my company. Currently, I just sit down at my company PC, or if I’m remote (we have Citrix cloud), I remote into my company PC, then I’m able to connect to stuff in our environment, including the management interfaces on the FortiGates.

I do have SSL-VPN portal set up (with TOTP MFA) for a handful of users and the SSL-VPN network does not currently have HTTPS management turned on. I was going to add myself as an SSL-VPN user but then I would have to enable HTTPS management, which would probably be fine… but I’m basically enabling management on the VPN zone which I feel isn’t ideal, unless I can lock it down a bit more.

I was just wondering, is there a more ideal way to directly connect to the FortiGates via VPN in order to remotely manage?

I also have hosted FortiClient EMS server.

Configure HTTPS on a loopback interface; the loopback you can combine with a VIP and configure geo restriction, all in one policy.
If you have fixed public IPs, you can use those in the policy where you use the VIP. That, in combination with trusted hosts, avoids you not being able to log in to the FGT due to some kind of SSL-VPN client issue; imagine having SSL-VPN and MFA not working, then you're not going to be able to log in to the FGT. Of course the same applies if you'd enable MFA on the admin login.

You are correct, admin access should not be allowed on the SSL-VPN interface.
Create a loopback interface. Enable HTTPS on it, create a rule from the SSL-VPN interface to the loopback interface. You can control which user group will be able to reach the loopback.
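A worked FortiOS CLI version of the loopback approach described in this reply and the one above it, added here as an example (not the posters' own config). The VDOM name, interface and address names, IP addresses, the `IT-Admins` group, the admin account name and the trusted-host ranges are all assumptions; `ssl.root` and `SSLVPN_TUNNEL_ADDR1` are the FortiOS defaults for the root VDOM.

```fortios
# Added example (assumed names/addresses): management loopback reachable only
# from the SSL-VPN tunnel interface, for one admin group, with trusted hosts.

# 1. Loopback interface; admin access (HTTPS/SSH) is enabled here and nowhere
#    on the SSL-VPN interface itself.
config system interface
    edit "mgmt-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping https ssh
        set description "Admin management loopback"
    next
end

# 2. Address object for the loopback IP, used as the policy destination.
config firewall address
    edit "mgmt-lo-addr"
        set subnet 10.255.255.1 255.255.255.255
    next
end

# 3. Policy: SSL-VPN tunnel interface -> loopback, HTTPS/SSH only, matched to
#    the IT admin group. Other VPN users fall through to the implicit deny.
#    Logged so management sessions show up in the traffic log for auditing.
config firewall policy
    edit 0
        set name "SSLVPN-to-FGT-mgmt"
        set srcintf "ssl.root"
        set dstintf "mgmt-lo"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "mgmt-lo-addr"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set groups "IT-Admins"
        set logtraffic all
    next
end

# 4. Trusted hosts on the admin account: the default SSL-VPN pool subnet plus
#    the internal IT subnet. Logins from any other source are refused even if a
#    policy were ever widened by mistake.
config system admin
    edit "netadmin"
        set trusthost1 10.212.134.0 255.255.255.0
        set trusthost2 192.168.10.0 255.255.255.0
    next
end
```

With this in place, nothing changes on the SSL-VPN interface's `allowaccess`; the only path to the GUI from the VPN is the policy in step 3, and the trusted-host list in step 4 is the independent second check the reply above recommends. If you also want the fallback path described above (a VIP on the WAN side restricted to your fixed public IPs) the same loopback is the VIP's mapped address, so the management listener stays on one interface.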

Not a fan of loopbacks here, and not saying anyone is wrong.

In my opinion, any decent network admin/engineer would have a separate VLAN/subnet for IT on the network and a different one for VPN; it helps with auditing and tracking.

Typically, there should also be a management subnet/VLAN which the management interface of the FW would be on.

Create a separate portal for yourself. Create a separate subnet for IT SSL-VPN. Create firewall rules to serve the following.

For the security issue, I recommend that in the SSL-VPN configuration you enable the host checker, disable web mode, and change to a secure port.
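A FortiOS CLI example of the separate IT portal and pool suggested two replies up, combined with the hardening this reply lists (host check on, web mode off, non-default port). This is an added example, not the posters' configuration; the pool range, portal and group names and the port number are assumptions.

```fortios
# Added example (assumed names/addresses): dedicated SSL-VPN portal and IP
# pool for IT admins so their VPN traffic is its own subnet, tunnel mode only.

# 1. Separate address pool for IT; user VPN clients keep the default pool, so
#    the two are distinguishable in policies and logs.
config firewall address
    edit "IT-SSLVPN-POOL"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.50
    next
end

# 2. Portal: tunnel mode only, web mode disabled, and the endpoint must pass
#    the built-in host check (antivirus and firewall present) before the
#    tunnel comes up.
config vpn ssl web portal
    edit "it-admin-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "IT-SSLVPN-POOL"
        set host-check av-fw
    next
end

# 3. Global SSL-VPN settings: move off the default port and map the IT group
#    to its portal. Users not matched by an authentication rule get the
#    default portal, which is left unchanged here.
config vpn ssl settings
    set port 10443
    config authentication-rule
        edit 1
            set groups "IT-Admins"
            set portal "it-admin-portal"
        next
    end
end
```

The firewall policies are then written with `IT-SSLVPN-POOL` as the source address and `IT-Admins` in the group field, so only sessions that came through this portal can reach the management VLAN or a management loopback; a user-portal session never sources from that range. Changing the port means the FortiClient profile (for example the one pushed from EMS) has to be updated to `host:10443`.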