Only allow administrative access to the external interface when needed
When possible, don’t allow administration access on the external interface and use internal access methods such as IPsec VPN or SSL VPN.
To disable administrative access on the external interface, go to System > Network > Interfaces, edit the external interface and disable HTTPS, PING, HTTP, SSH, and TELNET under Administrative Access.
This can also be done with CLI using following commands:
config system interface
edit <external_interface_name>
unset allowaccess
end
Please note that this will disable all services on the external interface including CAPWAP,
FMG-Access, SNMP, and FCT-Access.
If you need some of these services enabled on your external interface, for example CAPWAP
and FMG-Access to ensure connectivity between FortiGate unit and respectively FortiAP and
FortiManager, then you need to use following CLI command:
config system interface
edit <external_interface_name>
set allowaccess capwap fgfm
end