Although FortiGate can already restrict the source IP per administrator account, restricting which public IPs may reach a FortiGate management IP that is exposed on the Internet requires a different approach. The method below follows this article.
Step 1: Add custom Address objects
Go to Policy & Objects -> Addresses, select Create New -> Address.
First create the custom Address objects, for example your office IP or home IP, and the FortiGate's own public IP.
Step 2: Add a local-in-policy
Add the local-in-policy as shown below. It has two parts: the first entry is the allow rule, the second entry is the deny rule.
FW01 (local-in-policy) # show
config firewall local-in-policy
    edit 1
        set intf "port1" # the port on which FortiGate faces the Internet
        set srcaddr "PenMobile_101.136.30.82"
        set dstaddr "FortiGate_Public_IP"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "FortiGate_Public_IP"
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end
Once this is configured, only the PenMobile IP can reach the FortiGate management IP; every other IP is blocked.
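The two steps above, written out as one complete FortiOS CLI script (an added example, not the configuration from the original post). It assumes port1 is the WAN interface, that 101.136.30.82 is the admin host named PenMobile in the post, and that 203.0.113.10 is a placeholder for the FortiGate's own public IP, which the post does not give; replace it with your real address.

```text
# Added example: full FortiOS CLI configuration for Step 1 and Step 2.
# Assumptions: WAN interface is port1; 101.136.30.82 is the admin host
# (PenMobile); 203.0.113.10 is a placeholder for the FortiGate public IP.

# Step 1: address objects referenced by the local-in policy
config firewall address
    edit "PenMobile_101.136.30.82"
        set type ipmask
        set subnet 101.136.30.82 255.255.255.255
    next
    edit "FortiGate_Public_IP"
        set type ipmask
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 2: local-in policies are evaluated top down, so the accept rule
# must come before the catch-all. The deny action is written explicitly
# here; the post omits it because local-in-policy defaults to deny.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "PenMobile_101.136.30.82"
        set dstaddr "FortiGate_Public_IP"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "FortiGate_Public_IP"
        set action deny
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end

# Verify the resulting policy before closing the session you applied it from
show firewall local-in-policy
```

Two points worth checking when applying this: keep the current admin session open and test a new SSH/HTTPS login from the allowed address before logging out, since a typo in the source address locks you out of the management IP; and note that the policy only governs the services listed (SSH and HTTPS). Any other management protocol still enabled on port1 via `allowaccess` under `config system interface` remains reachable from any source unless you either disable it there or add it to both policy entries.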