FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
jstan
Staff
Article Id 189674

Description


This article describes the meaning of the untrusted host/domain name error and how to resolve it.

 

Scope

 

FortiAuthenticator.

Solution

 

  1. By default, FortiAuthenticator only allows web GUI access using the IP address that is assigned to the FortiAuthenticator interfaces.
  2. If the FortiAuthenticator is accessed via a public IP or via port forwarding through a firewall (e.g. FortiGate), the untrusted host/domain name error is displayed.


 
 
  3. To resolve the issue, configure the following in the FortiAuthenticator CLI through SSH/console:
 
config system global
    set allowed-hosts 10.47.1.59
end
 
  4. After configuring the above, access to FortiAuthenticator will now be allowed.
 
 
  5. If the FortiAuthenticator is accessed through a domain name that is not configured as an FQDN under FortiAuthenticator, it is also necessary to configure the domain name in the CLI to allow web access via that domain name:

 

config system global
    set allowed-hosts fac.ftnt.local
end


 
  6. To allow all hosts/domain names, configure the following in the FortiAuthenticator CLI through SSH/console:

 

config system global
    set allowed-hosts *
end

 

Note:

Allowed hosts are not the same as trusted hosts. FortiAuthenticator looks at the host header of the incoming HTTP/HTTPS request and verifies whether that host destination delivers GUI access. If the objective is restricting GUI access by source IP.

 

Related article:

Technical Tip: How to configure trusted host for GUI and SSH access on FortiAuthenticator
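
The distinction made in the note above, as an added example that is not FortiAuthenticator's own code: a simplified Python model of two independent checks, the host-header check that allowed-hosts controls and a source-address check of the kind the note contrasts it with. The matching rules (case-insensitive exact match, port ignored), the function names, the subnet 10.47.1.0/24, and the sample requests are assumptions constructed for illustration; `allowed_hosts` stands for every Host value the appliance accepts.

```python
import ipaddress

def host_from_header(host_header):
    """Return the lower-cased host part of a Host header, without the port."""
    value = host_header.strip().lower()
    if value.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:443
        return value[1:value.index("]")] if "]" in value else value
    return value.rsplit(":", 1)[0] if ":" in value else value

def host_allowed(host_header, allowed_hosts):
    """Destination-name check: is the requested Host in allowed-hosts?"""
    if "*" in allowed_hosts:                  # wildcard: Host header is not checked
        return True
    return host_from_header(host_header) in {h.lower() for h in allowed_hosts}

def source_trusted(source_ip, trusted_networks):
    """Source-address check, which allowed-hosts does not perform."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)

def evaluate(requests, allowed_hosts, trusted_networks):
    """Return (source, host, host_ok, source_ok) for each request."""
    return [(src, host, host_allowed(host, allowed_hosts),
             source_trusted(src, trusted_networks)) for src, host in requests]

# Constructed sample requests: (client source IP, Host header sent)
SAMPLE_REQUESTS = [
    ("10.47.1.20", "10.47.1.59"),            # internal client, interface IP
    ("10.47.1.20", "fac.ftnt.local"),        # internal client, domain name
    ("198.51.100.7", "10.47.1.59"),          # outside source, allowed Host value
    ("10.47.1.20", "203.0.113.10:8443"),     # port-forwarded public IP (constructed)
]

if __name__ == "__main__":
    for allowed in (["10.47.1.59"], ["10.47.1.59", "fac.ftnt.local"], ["*"]):
        print("allowed-hosts:", allowed)
        for row in evaluate(SAMPLE_REQUESTS, allowed, ["10.47.1.0/24"]):
            print("   src=%-13s host=%-18s host_ok=%-5s source_ok=%s" % row)
```

In the third sample request the host check passes while the source check fails, and with `*` every row passes the host check, so neither setting limits who can reach the GUI.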