Description
This article describes the meaning of the untrusted host/domain name error and how to resolve it.
Scope
FortiAuthenticator.
Solution
- By default, FortiAuthenticator only allows web GUI access using the IP address that is assigned to the FortiAuthenticator interfaces.
- If the FortiAuthenticator is accessed via a public IP or via port forwarding through a firewall (e.g. FortiGate), the untrusted host/domain name error is displayed.

- To resolve the issue, it is necessary to configure the following in FortiAuthenticator CLI through SSH/console:
config system global
set allowed-hosts 10.47.1.59
end
- After configuring the above, access to FortiAuthenticator will now be allowed.

- If the FortiAuthenticator is accessed through a domain name that is not configured as an FQDN on FortiAuthenticator, it is also necessary to configure the domain name in the CLI to allow web access via that domain name:
config system global
set allowed-hosts fac.ftnt.local
end

- To allow all hosts/domain names, configure the following in FortiAuthenticator CLI through SSH/console:
config system global
set allowed-hosts *
end
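A simplified model of the check these steps configure, as an added example (not FortiAuthenticator's own code): the host named in the request's Host header is compared with the allowed-hosts list, independently of where the request comes from. The function names, the interface address 192.168.1.99, the client addresses and the trusted network are constructed for illustration.

```python
import ipaddress

def host_from_header(host_header):
    """Return the lower-cased host part of a Host header, without the port."""
    host = host_header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        return host[1:host.find("]")] if "]" in host else ""
    if host.count(":") == 1:                  # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")                   # "fac.ftnt.local." equals "fac.ftnt.local"

def host_allowed(host_header, allowed_hosts):
    """Destination check: is the requested host on the allowed-hosts list?"""
    if "*" in allowed_hosts:                  # wildcard: every Host value passes
        return True
    host = host_from_header(host_header)
    return host != "" and host in {h.lower() for h in allowed_hosts}

def source_trusted(client_ip, trusted_networks):
    """Source check: a separate control keyed on the client's address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in trusted_networks)

# Constructed sample data: interface IP (allowed by default) plus the two
# values configured on this page; the trusted network is hypothetical.
ALLOWED = ["192.168.1.99", "10.47.1.59", "fac.ftnt.local"]
TRUSTED = ["192.168.1.0/24"]

def evaluate(client_ip, host_header, allowed=ALLOWED, trusted=TRUSTED):
    """Report both checks side by side; neither one implies the other."""
    return {"host_allowed": host_allowed(host_header, allowed),
            "source_trusted": source_trusted(client_ip, trusted)}

if __name__ == "__main__":
    samples = [("192.168.1.10", "192.168.1.99"),      # internal client, interface IP
               ("203.0.113.7", "10.47.1.59:443"),     # external client, forwarded IP
               ("203.0.113.7", "FAC.ftnt.local"),     # external client, configured name
               ("192.168.1.10", "fac.example.net")]   # internal client, unlisted name
    for client, host in samples:
        print(client, host, evaluate(client, host))
    print("wildcard:", evaluate("203.0.113.7", "anything.example", allowed=["*"]))
```
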
Note:
Allowed hosts are not the same as trusted hosts. FortiAuthenticator looks at the header of the incoming HTTP/HTTPS request and verifies whether the destination host is allowed GUI access. If the objective is restricting GUI access by source IP.
Related article:
Technical Tip: How to configure trusted host for GUI and SSH access on FortiAuthenticator