
How to restrict HTTPS Admin access to a FortiGate VM deployed on Azure

This article explains the options for restricting administrative access to a FortiGate-VM deployed on Azure. The options are the same as for an on-premises FortiGate.
A FortiGate-VM on Azure is more likely than an on-premises unit to be administered over its external (public-facing) interface, so some deployments require that the FortiGate admin login page not be reachable from the public Internet at all.

Scope

FortiGate-VM on Azure.

Solution

To restrict HTTPS/GUI admin access, the possible options are:

  1. Configuring trusted hosts on the administrator accounts. The source address is checked at login, so for HTTPS/GUI access the FortiGate admin login page may still be shown to non-trusted sources; only authentication is refused.
  2. Configuring a local-in policy. Traffic still reaches the FortiGate-VM's NIC, but the policy drops connections from the configured sources before the management service answers, so the FortiGate HTTPS admin login page is not shown.
  3. For a FortiGate-VM on Azure only, configuring a Network Security Group (NSG) rule on the NIC of the VM. The Azure fabric filters the traffic before it reaches the FortiGate-VM's interface, so the admin login page is not shown and the FortiGate never sees the connection attempt.

Option 1: Configuring a trusted host
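The trusted-host option in FortiOS CLI, as an added example that is not part of the original article. The account name admin, the jump-host address 203.0.113.10 and the office range 198.51.100.0/24 are placeholder assumptions:

```fortios
# Added example, not from the original article. Sources are placeholders:
# a single jump host (203.0.113.10) and an office range (198.51.100.0/24).
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.0
    next
end
```

Apply trusted hosts to every administrator account, including REST API users (config system api-user has its own trusthost table): an account with no trusted host still accepts logins from anywhere, and that is the account an attacker will go after. Verify with show system admin that no account is missing the setting, and make the change from a session that originates inside one of the trusted ranges so you do not lock yourself out. Because the check happens at login, a non-trusted source still receives the HTTPS login page; only the authentication attempt fails.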

Option 2: Configuring a local-in policy
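The local-in policy option in FortiOS CLI, as an added example that is not part of the original article. It assumes port1 is the FortiGate-VM's external interface and 203.0.113.10 is the management jump host; both are placeholders:

```fortios
# Added example, not from the original article. "port1" is assumed to be the
# FortiGate-VM's external interface and 203.0.113.10 the management jump host.
config firewall address
    edit "mgmt-jumphost"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "mgmt-jumphost"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are matched top down in the order listed, so the accept for the jump host must come before the catch-all deny. If the deny was created first, reorder it with the move command inside config firewall local-in-policy (move 1 before 2), as for firewall policies, and confirm with show firewall local-in-policy. The HTTPS service object matches TCP 443; if admin-sport was changed from the default, create a custom service for that port instead. A connection from a source not in the policy is dropped at the FortiGate, so no login page is served, and the attempt is visible in the FortiGate's local traffic logs, which is not the case with the NSG option.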

Option 3: Configuring a Network Security Group rule on the VM's NIC (Azure only)

Azure evaluates NSG rules in ascending priority order (lowest number first) and applies the first rule that matches, so arrange the rules just as you would firewall policies on the FortiGate: specific rules above general ones.

For this example, the first rule denies inbound TCP 443 (HTTPS) from the Internet service tag to the FortiGate. Any source on the public Internet is dropped before the VM and never sees the FortiGate admin login page. The second rule still allows other admin access such as SSH (and Telnet, if it is enabled, although Telnet is cleartext and should not be exposed on a public interface).

The rules can also be made more specific according to requirements, for example an allow rule for HTTPS from a known management address placed at a lower priority number than the deny. Two checks are worth doing: the port in the NSG rule must match the FortiGate's HTTPS admin port (admin-sport under config system global) if it was changed from 443, and if an NSG is also attached to the subnet, both NSGs are evaluated and a deny in either one drops the traffic.
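The NSG rule set described above written as a Bicep template, as an added example that is not part of the original article. It goes one step beyond the article's two rules by adding the specific HTTPS allow for a management host above the deny. The resource names, the management address 203.0.113.10/32 and the assumption that the HTTPS admin port is still 443 are placeholders:

```bicep
// Added example, not from the original article. Names, the management address
// 203.0.113.10/32 and the assumption that the FortiGate's HTTPS admin port is
// still 443 are placeholders; adjust them for your deployment.
param location string = resourceGroup().location
param nsgName string = 'fgt-external-nsg'
param mgmtSource string = '203.0.113.10/32'
param adminHttpsPort string = '443'

resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: nsgName
  location: location
  properties: {
    // Azure evaluates inbound rules by ascending priority and stops at the
    // first match, like FortiGate firewall policies: the specific allow goes
    // first, then the broad deny, then whatever else the VM needs.
    securityRules: [
      {
        name: 'AllowHTTPSAdminFromMgmt'
        properties: {
          description: 'HTTPS admin access only from the management host'
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: mgmtSource
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: adminHttpsPort
        }
      }
      {
        name: 'DenyHTTPSAdminFromInternet'
        properties: {
          description: 'Public Internet never reaches the admin login page'
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: adminHttpsPort
        }
      }
      {
        name: 'AllowSSHAdminFromMgmt'
        properties: {
          description: 'Other admin access (SSH) still permitted from management'
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: mgmtSource
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '22'
        }
      }
    ]
  }
}

output nsgId string = nsg.id
```

The Internet service tag also covers the management host's own public address, which is why the specific allow has to sit above the deny. Deploy with az deployment group create -g <rg> -f nsg.bicep, attach the NSG to the FortiGate-VM's external NIC with az network nic update -g <rg> -n <nic> --network-security-group <nsgName>, and review the outcome with az network nic list-effective-nsg, which merges the NIC and subnet NSGs. If the deployment relies on a broad inbound allow rule on this NIC for the FortiGate's data-plane traffic (VPN, published services), keep that rule at a higher priority number than the deny so the admin port stays excluded, and remember that the default DenyAllInBound rule at priority 65500 drops anything no rule permits.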