Is there a way to restrict access for specific administrators by interface or IP address? I really thought I'd seen this somewhere, but now I cannot find it in the GUI or docs. Quick explanation of what we want to do.

We want to have a sort of backdoor, emergency access to the firewalls directly from the Internet. That is, should some catastrophic network event (a big misconfiguration, or a failure of the firewalls themselves, the core network, or the remote access devices) break our usual ability to log in via remote access VPN and reach the firewalls' management interfaces, we want to be able to connect directly to the firewalls from the Internet. These firewalls are in a data center, so it's at least a half-hour car ride even during business hours, plus we want our off-site managed services provider to have this ability as well.

Usually, we use AD-backed authentication for administrators on the internal network. However, in the event of a failure, the AD servers may not be reachable; plus, from a security point of view, simple username/password authentication does not seem secure enough to face the Internet, even with source IP address restrictions. We would want a more secure local authentication method. Luckily, public-key-based authentication methods (SSH keys and HTTPS client certs) are both options for local administrator authentication. So, those local accounts would seem to work out fine, but how do we block regular AD-based authentication from the Internet while allowing it for the special local accounts?
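The access policy the question is asking for can be stated as a small decision table, and it is worth writing down explicitly before looking for the vendor knob that implements it. The following is an added illustration, not the firewall vendor's configuration or any code from the original post: it models the rule that AD-backed password logins are accepted only from the internal management networks, while anything arriving from the Internet must come from a short allowlist of sources (the admins and the managed services provider) and must be a local account using SSH-key or client-certificate authentication. All network ranges and the sample login records are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges: replace with the real management and allowlisted sources.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # internal management (via VPN)
EMERGENCY_SOURCES = [                                            # Internet-side allowlist
    ipaddress.ip_network("203.0.113.0/24"),                      # managed services provider
    ipaddress.ip_network("198.51.100.10/32"),                    # on-call admin egress
]
STRONG_METHODS = {"ssh-key", "client-cert"}                      # public-key based, local only


@dataclass(frozen=True)
class LoginAttempt:
    source_ip: str
    account_type: str   # "ad" (directory-backed) or "local"
    auth_method: str    # "password", "ssh-key" or "client-cert"


def _in_any(ip: ipaddress._BaseAddress, nets) -> bool:
    return any(ip in net for net in nets)


def evaluate(attempt: LoginAttempt) -> tuple[bool, str]:
    """Return (allowed, reason) for one management-plane login attempt."""
    ip = ipaddress.ip_address(attempt.source_ip)

    # Inside the management network the normal AD-backed policy applies.
    if _in_any(ip, MANAGEMENT_NETS):
        return True, "internal management network: normal policy"

    # Everything else is Internet-facing: source allowlist is necessary but not sufficient.
    if not _in_any(ip, EMERGENCY_SOURCES):
        return False, "source not on emergency allowlist"
    if attempt.account_type != "local":
        return False, "directory-backed accounts are never accepted from the Internet"
    if attempt.auth_method not in STRONG_METHODS:
        return False, "password authentication not accepted from the Internet"
    return True, "emergency access: local account with public-key authentication"


def denied(attempts) -> list[tuple[LoginAttempt, str]]:
    """Attempts that the policy rejects, with the reason; useful as an alerting feed."""
    return [(a, why) for a in attempts if not (ok := evaluate(a))[0] for why in [ok[1]]]


# Constructed sample attempts covering each branch of the policy.
SAMPLE_ATTEMPTS = [
    LoginAttempt("10.20.30.40", "ad", "password"),          # normal internal admin login
    LoginAttempt("203.0.113.7", "local", "ssh-key"),        # MSP emergency access, allowed
    LoginAttempt("203.0.113.7", "ad", "password"),          # AD password from allowlisted source
    LoginAttempt("203.0.113.7", "local", "password"),       # local account but weak method
    LoginAttempt("192.0.2.99", "local", "client-cert"),     # strong auth, wrong source
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        allowed, reason = evaluate(attempt)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {attempt.source_ip:15} "
              f"{attempt.account_type:5} {attempt.auth_method:11} {reason}")
```

The ordering matters: the source allowlist is checked before the account and method checks, but passing it alone never grants access, which is exactly the point the question makes about username/password not being good enough to face the Internet even with IP restrictions. Feeding `denied()` into a log pipeline gives a simple way to notice password attempts against the emergency path.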