This article describes how to configure trusted hosts to restrict access to the FortiAuthenticator GUI.
Scope
FortiAuthenticator.
Solution
Step 1: To configure the trusted host for local administrators, go to Authentication > Local Users, where the configured local administrators are located.
Step 2: Edit the local admin user.
Step 3: Under ‘User Role’, enable ‘Restrict admin login from trusted management subnets only’.
Step 4: Set the IP address/Mask.
Step 5: Make sure to enable ‘Restrict GUI’.
Step 6: FortiAuthenticator will require the password to be entered to apply the changes.
Step 7: Once configured, any IP address that is not configured as a trusted host will not be able to authenticate as that local admin user for admin access (see Logging > Log Access > Logs).
Step 8: In case the IP address is forgotten in the future and this is the only admin account, it is possible to restore the admin access using the CLI:
exec restore-admin <password>
In order to proceed, please enter *your* password:
Trusted management subnets of administrator "admin" have been cleared.
No need to restore administrator access to Port 1.
Default administrator account "admin" has been restored:
Password is set to supplied password, admin has a full permission, and any trusted management subnet restriction is removed.
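A pre-change check for Steps 4 to 8, added here as an example and not taken from Fortinet: before saving the trusted subnets, confirm that every address the administrators connect from is actually covered, so the CLI recovery in Step 8 is not needed. The function names, the /16 breadth threshold, and the sample addresses are assumptions of this example; entries are assumed to be written as IP/Mask in CIDR or dotted-mask form.

```python
import ipaddress

# Assumption of this example (not a FortiAuthenticator rule): IPv4 prefixes
# shorter than /16 are flagged as too broad for an admin allow-list.
MIN_PREFIX_V4 = 16

def parse_subnet(entry):
    """Parse one 'IP/Mask' entry (CIDR or dotted mask); return (network, warnings)."""
    entry = entry.strip()
    iface = ipaddress.ip_interface(entry)  # raises ValueError on malformed input
    net = iface.network                    # host bits masked off
    warnings = []
    if iface.ip != net.network_address:
        warnings.append(f"{entry}: host bits set, covers {net}")
    if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
        warnings.append(f"{entry}: /{net.prefixlen} is very broad")
    return net, warnings

def review(trusted_entries, admin_sources):
    """Return (sources that would be locked out, warnings about the entries)."""
    networks, warnings = [], []
    for entry in trusted_entries:
        try:
            net, found = parse_subnet(entry)
        except ValueError as exc:
            warnings.append(f"{entry}: invalid ({exc})")
            continue
        networks.append(net)
        warnings.extend(found)
    locked_out = []
    for src in admin_sources:
        addr = ipaddress.ip_address(src)
        if not any(addr.version == n.version and addr in n for n in networks):
            locked_out.append(src)
    return locked_out, warnings

if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges).
    planned = ["10.20.30.0/255.255.255.0", "192.0.2.15/28"]
    sources = ["10.20.30.44", "192.0.2.20", "198.51.100.7"]
    locked, notes = review(planned, sources)
    for note in notes:
        print("WARN", note)
    for src in locked:
        print("LOCKOUT", src, "is not inside any trusted subnet")
```

In the sample, 192.0.2.15/28 only covers 192.0.2.0 through 192.0.2.15, so an administrator at 192.0.2.20 would be rejected even though the entry looks close.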