Restricting access to NG Firewall's admin GUI
There are two methods to restrict access to your NG Firewall's admin GUI login page.
Using Access Rules
Access Rules govern access to the NGFW itself. They are found by navigating to Config > Network > Advanced > Access Rules.
The rule "Allow HTTPS on WANs" (usually rule #2) determines whether the NGFW will respond to requests on port 443. This rule is disabled by default, disallowing external users from accessing the admin GUI login page.
You can enable the "Block" check-box if you like, but this is not necessary.
You can allow a specific external IP address(es) to access the GUI by creating a new access rule above the "Allow HTTPS on WANs" rule. Copy all the conditions from that rule, then add the condition
Source Address is to lock down access to only the specified IP address:
Note for bridged interfaces
A bridged interface takes on the characteristics of its parent, which includes the "is WAN" attribute. If your NGFW has its LAN interface(s) bridged to an WAN interface, disabling this rule may also prevent internal hosts from loading the GUI login page. You can circumvent this by creating a new Access Rule, placed above "Allow HTTPS on WANs", which specifies that traffic from a particular IP or subnet is allowed to access the NGFW on port 443:
Using Administration options
There are two options found in Config > Administration > Admin that can also restrict access to the admin GUI logon page.
Allow HTTP Administration determines whether the NGFW will load its admin GUI page on HTTP/port 80 connections. If this is disabled and a user attempts to reach
http://NGFW_IP_address, they will receive a message indicating that HTTP administration is disabled.
Restrict Administration Subnet(s) enables the admin to specify a subnet which is allowed to load the admin GUI. Traffic arriving from the listed subnet will reach the GUI login page; traffic arriving from any other subnet will receive only a message indicating that administration is disabled.
You can specify a single IP address if you like, using the CIDR notator
192.168.22.66/32 in this field will allow only 192.168.22.66 to the GUI login page. Any other IP address would be denied access.
Please sign in to leave a comment.