Troubleshooting Tip: Resolving FortiManager/FortiAnalyzer logout issue while maintaining compliance
| Description | This article describes how to properly configure the admin-host to resolve the logout issue on FortiManager and FortiAnalyzer while maintaining vulnerability mitigation compliance. |
| Scope | FortiManager, FortiManager-VM, FortiAnalyzer, FortiAnalyzer-VM. |
| Solution | In some environments, selecting Logout in the FortiManager/FortiAnalyzer GUI does not log out the user and instead reloads the same dashboard page.
The setting responsible is admin-host, under config system global.
By default, admin-host is unset and shows as [null]. When it is set, the device uses this value in place of the client's Host header when it builds the redirect that follows logout. If the value does not match the host in the URL used to reach the GUI, the logout redirection fails and the dashboard page reloads.
A temporary workaround is to unset admin-host.
However, leaving admin-host unset does not meet the security requirement introduced with the PSIRT advisory for `Host` header injection (FG-IR-23-494), which requires admin-host to be explicitly configured so that redirects from the administrative interface no longer depend on the client-supplied Host header. The correct fix is to set admin-host to exactly the host that administrators use in the browser.
Solution:
Example 1: Access via IP.
The GUI access URL is https://1.1.1.1. The admin-host should be 1.1.1.1.
config system global
    set admin-host 1.1.1.1
end
Example 2: Access via FQDN.
The GUI access URL is https://abcd.xyz.com. The admin-host should be abcd.xyz.com.
config system global
    set admin-host abcd.xyz.com
end
Example 3: Access via hostname.
The GUI access URL is https://abcd. The admin-host should be abcd.
config system global
    set admin-host abcd
end
Note: A hostname or FQDN used as admin-host (for example abcd or abcd.xyz.com) must resolve successfully via DNS, because the browser is redirected to that name after logout.
This configuration ensures that logout redirection works as expected and that admin-host remains explicitly set, as required by FG-IR-23-494.
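As an added example (not code from the Fortinet article), the following Python helper derives the required admin-host from the GUI URL for all three cases above, prints the matching CLI block, and classifies a running configuration as unset, mismatched or correct; it also evaluates a captured Location header from a logout attempt against the configured admin-host. The function names, the mismatch value fmg-old and the sample Location headers are constructed for illustration, and the code notes its assumption that an explicit port in the URL is not part of admin-host (the article's examples all use the default port).

```python
"""
Added example, not code from the Fortinet article: derive the admin-host
value from the URL administrators use for the GUI, emit the CLI block shown
in the article, and evaluate a captured Location header from a logout attempt.
Function names and the sample inputs below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit


def derive_admin_host(gui_url: str) -> str:
    """Return the host part of the GUI URL, which is what admin-host must equal.

    Assumption: the article's examples all use the default HTTPS port, so an
    explicit port in the URL is not carried into admin-host here.
    """
    parts = urlsplit(gui_url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"expected an http(s) URL, got {gui_url!r}")
    host = parts.hostname  # lower-cased, port and userinfo stripped
    if not host:
        raise ValueError(f"no host in {gui_url!r}")
    return host


def render_admin_host_cli(admin_host: str) -> str:
    """The CLI block from the article, filled in for this host."""
    return "\n".join([
        "config system global",
        f"    set admin-host {admin_host}",
        "end",
    ])


def logout_redirect_matches(location: str, admin_host: str) -> bool:
    """True if a logout redirect would land on the configured admin-host.

    The article explains that admin-host replaces the client Host header in
    the redirect; when the Location host differs from the host the browser
    used, the logout fails and the dashboard reloads. A relative Location
    keeps the current origin and is therefore treated as matching.
    """
    parts = urlsplit(location.strip())
    if not parts.netloc:
        return True
    return (parts.hostname or "").lower() == admin_host.lower()


def plan(gui_url: str, current_admin_host: Optional[str]) -> dict:
    """Compare the running admin-host with the one the GUI URL requires.

    current_admin_host=None models the default '[null]' (unset) state, which
    makes logout work but leaves the FG-IR-23-494 requirement unmet.
    """
    required = derive_admin_host(gui_url)
    if current_admin_host is None:
        status = "unset: logout works but admin-host must be set (FG-IR-23-494)"
    elif current_admin_host.lower() == required:
        status = "ok"
    else:
        status = "mismatch: logout will reload the dashboard"
    return {"required": required, "status": status,
            "cli": render_admin_host_cli(required)}


if __name__ == "__main__":
    # Constructed inputs: the three article examples plus one mismatch case.
    for url, current in [("https://1.1.1.1", None),
                         ("https://abcd.xyz.com", "abcd.xyz.com"),
                         ("https://abcd", "fmg-old")]:
        result = plan(url, current)
        print(f"{url}: {result['status']}\n{result['cli']}\n")
```

Run it with the URL administrators actually type (not the IP the device reports for itself) and paste the printed CLI block; if the Location header captured from a logout attempt still points at a different host, the admin-host value and the browser URL still disagree.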
The commands below can be used for further investigation and troubleshooting; disable debugging again once the logout attempt has been captured:
diagnose debug application gui 255
diagnose debug gui {enable | disable}
diagnose debug {enable | disable} |
