Skip to main content
Raj_Pandey
Raj_Pandey
Explorer
October 17, 2025
Solved

admin-restrict-local enable with FMG integration issue

  • October 17, 2025
  • 3 replies
  • 962 views

Please advise — my penetration testing team is recommending that I enable admin-restrict-local on the FortiGate firewall. However, if I do that, local admin logins will be completely blocked whenever remote authentication servers are reachable. My concern is about integrating the FortiGate device with FortiManager (FMG), which sometimes requires local credentials. If FMG tries to connect to the device using local admin credentials over the network (via SSH or HTTPS), those logins could be denied because of this restriction. Since FortiManager (FMG) and other management tools rely on local admin credentials or API access over the network, enabling admin-restrict-local—especially in restrictive modes like non-console-only or all—could disrupt those connections. So, would it be correct to assume that enabling this setting in a production environment is not advisable?

Best answer by rosatechnocrat

Hi Raj,

 

Restricting the access using "admin-restrict-local" does not impact the connection from Fortimanager. Fortimanager will still be able to login and establish the connection. 

 

As a test you can perform the testing on a single Firewall and then can plan for enabling other firewalls across organization. 

3 replies

tbarua
Staff
tbarua
Staff
October 17, 2025

HI @Raj_Pandey,

You would like to know how restricting local admin authentication works when remote authentication server is running on FortiManager.
This can be done on the FortiGate via  CLI command. However, this feature is not supported on FortiManager.

You may restrict access with "Trusted hosts"The trusted hosts you define apply to both the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.
If you set trusted hosts and want to use the Console Access feature of the GUI, you must also set 127.0.0.1/255.255.255.255 as a trusted host.

Refer To:https://docs.fortinet.com/document/fortimanager/7.2.9/administration-guide/186508

 

    Raj_Pandey
    Raj_PandeyAuthor
    Explorer
    October 24, 2025

    HI Mate, i dont want to know  how restricting local admin authentication works when remote authentication server is running on FortiManager.

     

    My query is simple. - my penetration testing team is recommending that I enable admin-restrict-local on the FortiGate firewall. However, if I do that, local admin logins will be completely blocked whenever remote authentication servers are reachable.

    My concern is about integrating the FortiGate device with FortiManager (FMG), which sometimes requires local credentials(old method of inserting IP of FMG, username and password)    .FG into FMG.png

    If FMG tries to connect to the device using local admin credentials over the network (via SSH or HTTPS), those logins could be denied because of this restriction.

    Since FortiManager (FMG) and other management tools rely on local admin credentials or API access over the network, enabling admin-restrict-local—especially in restrictive modes like non-console-only or all—could disrupt those connections.

    So, would it be correct to assume that enabling this setting in a production environment is not advisable?

    rosatechnocrat
    rosatechnocratAnswer
    Explorer III
    October 19, 2025

    Hi Raj,

     

    Restricting the access using "admin-restrict-local" does not impact the connection from Fortimanager. Fortimanager will still be able to login and establish the connection. 

     

    As a test you can perform the testing on a single Firewall and then can plan for enabling other firewalls across organization. 

    Subscribe "ROSA Technocrat" on Youtube for Fortinet Videos and Troubleshooting https://www.youtube.com/@rosatechnocrat
    Raj_Pandey
    Raj_PandeyAuthor
    Explorer
    October 24, 2025

    i dont have any environment to perform this test, it would great if you can check in lab and let me know the output, it would be great, like your videos.

    rosatechnocrat
    rosatechnocrat
    Explorer III
    October 25, 2025

    http://youtube.com/post/UgkxpaTzbLRejrrpotxwBJj72njBw4zOFfV8?si=3HZieCt9JlomotLH

    Based on your query

    Subscribe "ROSA Technocrat" on Youtube for Fortinet Videos and Troubleshooting https://www.youtube.com/@rosatechnocrat
    kulanpu2
    kulanpu2
    New Member
    October 19, 2025

    What policy are you pushing exactly to the local-in interface? Is this the same interface you use for FMG management? You might be inadvertently blocking FMG traffic to the Fortigate, so it stops half-way through. FMG uses port TCP 541.

    Terms & ConditionsAccessibility statement