Technical Tip: Restrict Local Admin Accounts to console only
| Description | This article describes how to configure a local administrator account that can only be accessed through the console port. |
| Scope | FortiGate. |

Solution:

Create a local administrator account whose trusted host cannot match any network client:

```
config system admin
    edit "Console_admin"
        set trusthost1 0.0.0.0 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"
        set password <set_password>
    next
end
```

Setting the trusted host to 0.0.0.0/32 (address 0.0.0.0 with netmask 255.255.255.255) permits exactly one source address, 0.0.0.0, which no host can have. Any login attempt for this account over the network is therefore rejected by the trusted-host check, while the console port is not subject to trusted hosts, so the account remains usable there.

Accessing the FortiGate using a console connection succeeds.

Accessing the FortiGate without a console connection will be blocked, and the attempt is recorded in the event log with reason="ip_blocked":

```
date=2025-02-20 time=11:50:10 eventtime=1740070210821887210 tz="-0500" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="Console_admin" ui="https(10.10.10.2)" method="https" srcip=10.10.10.2 dstip=10.10.10.1 action="login" status="failed" reason="ip_blocked" msg="Administrator Console_admin login failed from https(10.10.10.2) because of blocked IP"
```

Related articles: Technical Tip: Restrict local admin authentication when remote authentication server is running.
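Because every network login with this account is rejected, any such event means someone is trying the console-only credentials remotely and is worth alerting on. The following Python is an added example, not part of the original article or Fortinet's tooling: it parses FortiGate event-log lines such as the one above and flags blocked logins for the console-only account. The CONSOLE_ONLY set and the two benign sample lines are assumptions constructed for the example.

```python
"""Flag network login attempts against a console-only FortiGate admin.
Added example, not from the original article or from Fortinet."""
import re
from typing import Dict, List

# Admins configured with trusthost1 0.0.0.0 255.255.255.255 (assumption:
# kept in sync with the FortiGate config by the defender).
CONSOLE_ONLY = {"Console_admin"}

# FortiGate logs are key=value pairs; quoted values may contain spaces.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return one log line's fields as a dict, with quotes stripped."""
    fields: Dict[str, str] = {}
    for key, raw in _PAIR.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def console_only_violations(lines: List[str]) -> List[Dict[str, str]]:
    """One record per login attempt that the trusted-host check blocked."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if (f.get("logdesc") == "Admin login failed"
                and f.get("reason") == "ip_blocked"
                and f.get("user") in CONSOLE_ONLY):
            hits.append({"time": f"{f.get('date')} {f.get('time')}",
                         "user": f["user"], "method": f.get("method", ""),
                         "srcip": f.get("srcip", "")})
    return hits

# Constructed sample input: the article's blocked-login event, then a console
# login and an unrelated password failure that must not be flagged.
SAMPLE_LOGS = [
    'date=2025-02-20 time=11:50:10 eventtime=1740070210821887210 tz="-0500" '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Admin login failed" sn="0" user="Console_admin" '
    'ui="https(10.10.10.2)" method="https" srcip=10.10.10.2 dstip=10.10.10.1 '
    'action="login" status="failed" reason="ip_blocked" '
    'msg="Administrator Console_admin login failed from https(10.10.10.2) because of blocked IP"',
    'date=2025-02-20 time=11:52:30 type="event" subtype="system" vd="root" '
    'logdesc="Admin login successful" user="Console_admin" ui="console" '
    'method="console" action="login" status="success"',
    'date=2025-02-20 time=11:55:01 type="event" subtype="system" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="ssh(10.10.10.5)" '
    'method="ssh" srcip=10.10.10.5 action="login" status="failed" reason="passwd_invalid"',
]
```

Feeding the function a live export of the event log (or wiring the same condition into the SIEM rule engine) turns the trusted-host block into a detection rather than just a denial.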

