Handbook

Configuring administrative access to interfaces

6.0.0

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces, especially public-facing ports, that you don’t want them to access.

As a best practice, you should configure administrative access when you're setting the IP address for a port.

To configure protocols for administrative access to interfaces - GUI
  1. Go to Network > Interfaces.
  2. Select the interface that you want to configure administrative access for and select Edit.
  3. In the Administrative Access section, select the protocols that you want to allow an administrator to use to access the FortiGate.
  4. Select OK.
To configure protocols for administrative access to interfaces - CLI

    config system interface
        edit <interface_name>
            set allowaccess {ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm}
        next
    end

where you can set the following protocols:

| CLI option | Description |
|---|---|
| ping | PING access |
| https | HTTPS access |
| ssh | SSH access |
| snmp | SNMP access |
| http | HTTP access |
| telnet | TELNET access |
| fgfm | FortiManager access |
| radius-acct | RADIUS accounting access |
| probe-response | Probe access. For more information, see Using server probes on interfaces. |
| capwap | CAPWAP access |
| ftm | FortiToken Mobile Push access |

When you add or remove a protocol, you must type the entire list of protocols again. For example, if the administrative access list is set to HTTPS and SSH and you want to add PING, you must type set allowaccess https ssh ping. If you type set allowaccess ping, only ping is added and HTTPS and SSH are removed.
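
Because set allowaccess replaces the whole list, a change is safest when it is built from the list the interface currently has. The following Python helper is an added example, not Fortinet code: it reads the current list from a configuration section and emits the full command for an add or remove. The sample configuration, interface names and function names are constructed for illustration.

```python
import re

# Protocol keywords accepted by "set allowaccess", as listed in the table above.
VALID = ["ping", "https", "ssh", "snmp", "http", "telnet", "fgfm",
         "radius-acct", "probe-response", "capwap", "ftm"]

# Constructed sample of a "config system interface" section (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "internal"
        set allowaccess https ssh
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
    next
end
"""

def parse_allowaccess(config_text):
    """Return {interface_name: [protocols]}; interfaces without the setting get []."""
    result, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.startswith("set allowaccess"):
            result[current] = line.split()[2:]
        elif line == "next":
            current = None
    return result

def build_commands(interface, current, add=(), remove=()):
    """Build CLI lines that apply a change while keeping the other protocols."""
    unknown = [p for p in list(add) + list(remove) if p not in VALID]
    if unknown:
        raise ValueError(f"unknown protocol(s): {unknown}")
    wanted = [p for p in current if p not in remove]
    wanted += [p for p in add if p not in wanted]
    if not wanted:
        raise ValueError("resulting list is empty; handle that case by hand")
    return ["config system interface", f'edit "{interface}"',
            "set allowaccess " + " ".join(wanted), "next", "end"]
```

Review the generated lines before pasting them into the CLI; the helper only rewrites the list and does not decide which protocols an interface should expose.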
