FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
jlim11
Staff
Article Id 323068


Description: This article describes how to configure trusted hosts to restrict GUI and SSH access to FortiAuthenticator.
Scope: FortiAuthenticator.
Solution

To configure trusted hosts for local administrators, go to Authentication -> Local Users, where the configured local administrators are listed.

  • Edit the local admin user.
  • Under 'User Role', enable 'Restrict admin login from trusted management subnets only'.
  • Set the IP address/Mask of the trusted management subnet.
  • Make sure to enable 'Restrict GUI'. This restriction also applies to SSH access.

FortiAuthenticator requires entering the password to apply the changes:

Once configured, login attempts for that local admin user from any IP address that is not a configured trusted host are refused. The rejected attempts can be reviewed under Logging -> Log Access -> Logs.

If the trusted IP address is forgotten in the future and this is the only admin account, admin access can be restored with the following CLI command:


exec restore-admin <password>

In order to proceed, please enter *your* password:
Trusted management subnets of administrator "admin" have been cleared.
No need to restore administrator access to Port 1.
Default administrator account "admin" has been restored:
Password is set to supplied password, admin has a full permission, and any trusted management subnet restriction is removed.
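The lockout described above happens when the trusted management subnet list does not contain the address the administrator is actually connecting from. The following pre-flight check is an added example, not Fortinet code or part of the article: it models the restriction as the article describes it (a login source is accepted only if it falls inside a configured address/mask) and flags a proposed subnet list that would lock out the administrator's own address before 'Restrict GUI' is enabled. The subnet and IP values in it are constructed.

```python
# Added example (not from the Fortinet article): pre-flight check for the
# 'Restrict admin login from trusted management subnets only' setting.
# Sample subnets and addresses below are constructed for illustration.
import ipaddress
from typing import Iterable, List


def parse_trusted_subnets(entries: Iterable[str]) -> List:
    """Parse 'address/mask' strings as entered in the GUI.

    Both prefix length (10.10.1.0/24) and dotted mask
    (10.10.1.0/255.255.255.0) are accepted. strict=False normalises a host
    address given with a mask to its containing network.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(source_ip: str, subnets) -> bool:
    """True if the login source IP lies inside any trusted subnet.

    With the restriction enabled and an empty list, nothing matches, so
    every login for that admin is refused.
    """
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in subnets)


def preflight(my_admin_ip: str, entries: Iterable[str]) -> dict:
    """Check a proposed trusted-subnet list before 'Restrict GUI' is enabled.

    Returns the parsed subnets, any entries that are not valid address/mask
    values, and whether the address you are administering from right now
    would be refused once the restriction takes effect.
    """
    good, bad = [], []
    for entry in entries:
        try:
            good.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            bad.append(entry)
    return {
        "subnets": [str(net) for net in good],
        "invalid": bad,
        "self_locked_out": not is_allowed(my_admin_ip, good),
    }


if __name__ == "__main__":
    # Constructed scenario: admin works from 10.10.1.25, proposes one subnet.
    print(preflight("10.10.1.25", ["10.10.1.0/255.255.255.0"]))
```

If `self_locked_out` is True, correct the list before applying the setting rather than relying on `exec restore-admin` afterwards.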

Note: If allowed hosts need to be set or unset via the CLI (over SSH), the syntax is as follows:

[Screenshot: CLI syntax for setting and unsetting allowed hosts]

Note: if the allowed hosts contain a list of IPs, they must be unset one by one, as displayed in the screenshot above.


Related documents: