FortiGate
Article Id 190592

You can define Trusted Hosts by going to System > Admin > Administrators.

A user “admin” is included by default with a Trusted Host of 0.0.0.0/0.0.0.0. When selecting Edit, the Trusted Host #1, Trusted Host #2 and Trusted Host #3 entries are blank. This allows all IP addresses to connect with the “admin” account.

As of FortiOS 2.8 MR9, a blank Trusted Host entry (#1 and #2) is set to 0.0.0.0/0.0.0.0 and Trusted Host #3 is set to 127.0.0.1/255.255.255.255.

The 127.0.0.1/255.255.255.255 entry is required to keep access to the web-based console working should restrictive entries be added in positions #1 and #2.

The first configured Trusted Host entry must be entered in position #1.

Examples

1. No Trusted Hosts configured (default)

Trusted Host #1: 0.0.0.0/0.0.0.0
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 127.0.0.1/255.255.255.255

Any host can connect. Trusted Host #1 contains 0.0.0.0/0.0.0.0, so all hosts (web-based console included) will be able to connect to the FortiGate unit.

2. One Trusted Host entry configured in position #2

Trusted Host #1: 0.0.0.0/0.0.0.0
Trusted Host #2: 10.100.0.0/255.255.255.0
Trusted Host #3: 127.0.0.1/255.255.255.255

Here Trusted Host #1 contains 0.0.0.0/0.0.0.0 and Trusted Host #2 a subnet value. The first entry overrides the second, so all hosts (web-based console included) will be able to connect to the FortiGate unit. This example is essentially the same as example 1. This is a configuration mistake.

3. Only one host allowed to connect

Trusted Host #1: 10.100.0.3/255.255.255.255
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 255.255.255.255/255.255.255.255

Here Trusted Host #1 contains a host value and Trusted Host #2 contains 0.0.0.0/0.0.0.0. The first entry overrides the second, so only the host 10.100.0.3/32 will be able to connect to the FortiGate unit. The web-based console will not be able to connect to the FortiGate, since Trusted Host #3 (255.255.255.255/255.255.255.255 in place of 127.0.0.1/255.255.255.255) explicitly denies it. This example also shows that a 0.0.0.0/0.0.0.0 entry in Trusted Host #2 is not relevant and does not open access to all hosts.

4. One subnet and the web-based console allowed to connect

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 127.0.0.1/255.255.255.255

This scenario is nearly the same as case 3. The only difference is that the web-based console will be able to connect to the FortiGate unit.

5. Two subnets and the web-based console allowed to connect

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 172.31.224.0/255.255.255.0
Trusted Host #3: 127.0.0.1/255.255.255.255

6. Two entire subnets and one specific host allowed to connect

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 172.31.224.0/255.255.255.0
Trusted Host #3: 192.168.182.34/255.255.255.255

Here, web-based console access is denied, as 127.0.0.1 is not included in the list.
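As an added example that is not part of this article or of FortiOS itself, the Python script below models the Trusted Host check the six cases describe and runs each case through it, together with a small audit that flags the two misconfigurations the article warns about (an open position #1 overriding later entries, and a table that locks out the local web-based console). The precedence rules it encodes are an assumption inferred from the cases above, not FortiOS's own implementation; the case tables are the article's, with the five-octet mask typo corrected and the missing slash in case 3 added.

```python
import ipaddress

# Constructed from the six cases in the article (four-octet masks throughout).
ANY = "0.0.0.0/0.0.0.0"
LOOPBACK = "127.0.0.1/255.255.255.255"
CASES = {
    1: [ANY, ANY, LOOPBACK],
    2: [ANY, "10.100.0.0/255.255.255.0", LOOPBACK],
    3: ["10.100.0.3/255.255.255.255", ANY, "255.255.255.255/255.255.255.255"],
    4: ["10.100.0.0/255.255.255.0", ANY, LOOPBACK],
    5: ["10.100.0.0/255.255.255.0", "172.31.224.0/255.255.255.0", LOOPBACK],
    6: ["10.100.0.0/255.255.255.0", "172.31.224.0/255.255.255.0",
        "192.168.182.34/255.255.255.255"],
}


def parse_entry(entry):
    """Turn 'address/mask' (or 'address mask') into an ip_network.

    A blank entry returns None. The mask may be dotted-decimal, as the GUI
    shows it, or a prefix length; a bare address is treated as a single host.
    """
    if entry is None:
        return None
    parts = entry.replace("/", " ").split()
    if not parts:
        return None
    if len(parts) == 1:
        parts.append("255.255.255.255")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def is_unrestricted(net):
    """True for a blank entry or 0.0.0.0/0.0.0.0 (what a blank field becomes)."""
    return net is None or net.prefixlen == 0


def is_allowed(trusted_hosts, source_ip):
    """Decide whether a login from source_ip passes the Trusted Host check.

    Precedence rules (an assumption drawn from the article's cases, not
    FortiOS code):
      * blank or 0.0.0.0/0.0.0.0 in position #1 admits every source, whatever
        #2 and #3 contain (cases 1 and 2);
      * once #1 holds a real prefix, 0.0.0.0/0.0.0.0 in a later position is
        ignored rather than read as "any host" (case 3);
      * otherwise the source must fall inside one of the configured prefixes.
    """
    nets = [parse_entry(e) for e in trusted_hosts]
    if not nets or is_unrestricted(nets[0]):
        return True
    src = ipaddress.ip_address(source_ip)
    return any(not is_unrestricted(n) and src in n for n in nets)


def audit(trusted_hosts):
    """Findings a reviewer would raise about a Trusted Host table."""
    findings = []
    nets = [parse_entry(e) for e in trusted_hosts]
    if not nets or is_unrestricted(nets[0]):
        # A loopback entry in #3 is the default, so only a real subnet in a
        # later position counts as "overridden" (case 2 versus case 1).
        if any(not is_unrestricted(n) and not n.is_loopback for n in nets[1:]):
            findings.append("position #1 is open; the subnet in #2/#3 is overridden (case 2)")
        else:
            findings.append("account reachable from any address (case 1)")
    if not is_allowed(trusted_hosts, "127.0.0.1"):
        findings.append("127.0.0.1 not trusted; local web-based console access is blocked")
    return findings


if __name__ == "__main__":
    # Constructed probe addresses: one inside each subnet, one outside all.
    probes = ["10.100.0.3", "10.100.0.7", "172.31.224.9", "192.168.182.34",
              "127.0.0.1", "203.0.113.5"]
    for number, table in CASES.items():
        allowed = [ip for ip in probes if is_allowed(table, ip)]
        print(f"case {number}: allowed {allowed}; findings {audit(table)}")
```

Running the script prints, per case, which probe addresses would be admitted and what the audit flags; cases 2 and 6 are the ones that produce findings, matching the article's remarks on the configuration mistake in case 2 and the blocked console in case 6.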


Related Articles

Troubleshooting Tip: Cannot access the FortiGate web admin interface (GUI)