2.4.2 Ensure all the login accounts having specific trusted hosts enabled

Information

Configure an administrative account to be accessible only to someone who is using a trusted host. You can set a specific IP address for the trusted host or use a subnet.

Rationale:

Access to a firewall to perform administrative tasks should only come from specific network segments reserved for administrators. This additional layer of security ensures that no one from anywhere else on the network is able to log in, even with correct credentials.

Impact:

All access, from legitimate or illegitimate users, outside of the allowed segment will be stopped. Thus, administrators working remotely will have to make sure that they have access to jump hosts that sit in the allowed segment.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remove a trusted host item from the list in CLI

FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # unset trusthost1
FG1 (test_admin) # end
FG1 #

To add a trusted host into the list in CLI

FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # set trusthost6 1.1.1.1 255.255.255.255
FG1 (test_admin) # end
FG1 #

Before adding an item, please make sure that the trusthost index you pick is not already in use. For example, if trusthost3 is already in the list, setting it again will overwrite the existing host/network rather than add a new one.

In the web GUI, go to System -> Administrators, select the account and click on Edit. In the account settings page, make sure that 'Restrict login to trusted hosts' is enabled and that all the allowed hosts / subnets are in the list of trusted hosts. Please take note that certain versions of FortiOS will only show the first 3 trusted hosts in the list. If you want to see more, you have to click on the '+' sign as if you were adding a new item to the list. Keep clicking until you see an empty trusted host field; that is how you know you have reached the bottom of the list. To add another trusted host, fill in the empty 'Trusted Host' field. To remove a trusted host, simply erase everything in the field of that corresponding host.

Default Value:

By default, each account is accessible from everywhere; the trusted host value is 0.0.0.0/0.
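As an added example (not part of the benchmark or of FortiOS itself), the following Python audits `show system admin` style output for the condition this recommendation describes: an account is flagged when it has no trusthost entry at all (so the 0.0.0.0/0 default applies, since `show`, unlike `show full-configuration`, omits default values) or when an entry explicitly allows 0.0.0.0 0.0.0.0. The sample configuration and account names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show system admin" output; not captured from a real device.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 10.20.5.7 255.255.255.255
    next
    edit "test_admin"
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

ANY_HOST = ("0.0.0.0", "0.0.0.0")   # the default value, i.e. 0.0.0.0/0

def parse_admin_trusthosts(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each admin account to its (address, netmask) trusthostN entries."""
    admins: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = []
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"set trusthost\d+ (\S+) (\S+)$", line)
            if m:
                admins[current].append((m.group(1), m.group(2)))
    return admins

def find_unrestricted_admins(config: str) -> List[str]:
    """Accounts reachable from anywhere: no trusthost set (default 0.0.0.0/0
    applies, as 'show' omits defaults) or an explicit 0.0.0.0 0.0.0.0 entry."""
    findings = []
    for name, hosts in parse_admin_trusthosts(config).items():
        if not hosts or any(h == ANY_HOST for h in hosts):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in find_unrestricted_admins(SAMPLE_CONFIG):
        print(f"FAIL: admin '{name}' is not restricted to trusted hosts")
```

Accounts with only IPv6 trusted hosts (ip6-trusthostN) are outside what this check inspects; extend the second regex if those are in use.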

See Also

https://workbench.cisecurity.org/files/4077