|
FortiAuthenticator local administrators are located under Authentication -> Local Users and have the 'Administrator' User Role.
To configure a trusted host for a Local Administrator:
- Edit the Local user.
- Under 'User Role', enable 'Restrict admin login from trusted management subnets only'.
- Set the IP address/Mask.
- Make sure to enable 'Restrict GUI'. This restriction also applies to SSH access.
FortiAuthenticator requires entering the current administrator's password to apply the changes:
Once configured, any IP address that is not configured as a trusted host will not be able to authenticate for that local admin user for admin access under Logging -> Log Access -> Logs.
It is possible to remove the trusted subnet configuration of the built-in administrator using the following CLI command from the serial console:
execute restore-admin <new password>
In order to proceed, please enter *your* password:
Trusted management subnets of administrator "admin" have been cleared.
No need to restore administrator access to Port 1.
Default administrator account "admin" has been restored:
Password is set to supplied password, admin has a full permission, and any trusted management subnet restriction is removed.
Note:
It is not possible to apply trusted subnets from the CLI. The 'allowed-hosts' setting does not refer to trusted subnets; see Technical Tip: FortiAuthenticator untrusted host/domain name error when accessing GUI.
Related documents:
User management
Technical Tip: How to Reset the Admin Password for FortiAuthenticator
Technical Tip: How to fix untrusted host name
|
