To configure the trusted host for Local Administrators, Configured local administrators are located under Authentication -> Local Users.

• Edit the Admin Local user.
• Under 'User Role', Enable 'Restrict admin login from trusted management subnets only'.
• Set the IP address/Mask.
• Make sure to enable 'Restrict GUI'. This restriction also applies to SSH access.

FortiAuthenticator resquires entering the password to apply the changes:

Once configured, any IP address that is not configured as a trusted host will not be able to authenticate for that local admin user for admin access under Logging -> Log Access -> Logs.

If the IP address is forgotten in the future and this is the only Admin account, it is possible to restore the admin access by using the following CLI command:

exec  restore-admin <password>

In order to proceed, please enter *your* password:
Trusted management subnets of administrator "admin" have been cleared.
No need to restore administrator access to Port 1.
Default administrator account "admin" has been restored:
Password is set to supplied password, admin has a full permission, and any trusted management subnet restriction is removed.

Note:

If allowed, hosts need to be Set or Unset via the CLI (via SSH), the syntax should be as follows:

Note:

If there is a list of IPs in the allowed hosts, it should be Unset one by one as displayed in the screenshot above.

Related documents:

User management

Technical Tip: How to Reset the Admin Password for FortiAuthenticator