FortiGate
Article Id 190592

Description

 

This article describes how to configure Administrator access to a FortiGate unit using Trusted Hosts.

 

Scope

 

FortiGate.

 

Solution

 

It is possible to define Trusted Hosts by going to System -> Administrators.

The 'admin' user is included by default with a Trusted Host of 0.0.0.0/0.0.0.0. When selecting Edit, the Trusted Host #1, Trusted Host #2, and Trusted Host #3 entries are blank. This allows all IP addresses to connect with the 'admin' account.

As of FortiOS v2.8 MR9, a blank Trusted Host (#1 and #2) entry is set to 0.0.0.0/0.0.0.0, and Trusted Host #3 is set to 127.0.0.1/255.255.255.255.

 

The 127.0.0.1/255.255.255.255 entry is required to allow access to the Web GUI console, should any restrictive entries be added to position #1 and #2.

 

The first configured Trusted Host entry must be entered in position #1.

 

Examples.

1. No Trusted Hosts configured (default).

Trusted Host #1: 0.0.0.0/0.0.0.0
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 127.0.0.1/255.255.255.255

Any host can connect. Trusted Host #1 contains 0.0.0.0/0.0.0.0, so all hosts (web-based manager console included) will be able to connect to the FortiGate unit.

 

2. One Trusted Host entry is configured in position #2.

Trusted Host #1: 0.0.0.0/0.0.0.0
Trusted Host #2: 10.100.0.0/255.255.255.0
Trusted Host #3: 127.0.0.1/255.255.255.255

Here Trusted Host #1 contains 0.0.0.0/0.0.0.0 and Trusted Host #2 contains a subnet value. The first entry overrides the second, and all hosts (web-based console included) will be able to connect to the FortiGate unit. This example is essentially the same as example 1 and is a configuration mistake.

 

3. Only one host is allowed to connect.

Trusted Host #1: 10.100.0.3/255.255.255.255
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 255.255.255.255/255.255.255.255

Here Trusted Host #1 contains a host value, and Trusted Host #2 contains 0.0.0.0/0.0.0.0. The first entry overrides the second, and only the 10.100.0.3/32 host will be able to connect to the FortiGate unit. The web-based console will not be able to connect to the FortiGate, since Trusted Host #3 is explicitly denied. This example also shows that a 0.0.0.0/0.0.0.0 entry for Trusted Host #2 is not relevant and does not open access to all hosts.

 

4. One subnet and the web-based console are allowed to connect.

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 0.0.0.0/0.0.0.0
Trusted Host #3: 127.0.0.1/255.255.255.255

 

This scenario is nearly the same as case 3. The only difference is that the web-based console will be able to connect to the FortiGate unit.

 

5. Two subnets and the web-based console are allowed to connect.

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 172.31.224.0/255.255.255.0
Trusted Host #3: 127.0.0.1/255.255.255.255

 

6. Two entire subnets and one specific host are allowed to connect.

Trusted Host #1: 10.100.0.0/255.255.255.0
Trusted Host #2: 172.31.224.0/255.255.255.0
Trusted Host #3: 192.168.182.34/255.255.255.255

Here, the web-based console access is denied, as it is not included in the list.
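The matching rules illustrated by the examples above, as an added Python model that is not part of this Fortinet article: it evaluates whether a source address is admitted by a three-entry Trusted Host list and flags the configuration mistake of example 2 and the denied-console case of examples 3 and 6 before the entries are saved. The function names and the 203.0.113.9 test address are this example's own constructs.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

# A Trusted Host entry as written in the article: (address, dotted netmask).
Entry = Tuple[str, str]
ANY: Entry = ("0.0.0.0", "0.0.0.0")                # the "blank" slot value
LOOPBACK: Entry = ("127.0.0.1", "255.255.255.255")  # the web-based console


def is_admin_allowed(src_ip: str, trusted_hosts: List[Entry]) -> bool:
    """Model of the rules described in the examples (hypothetical helper).

    - 0.0.0.0/0.0.0.0 in position #1 admits every host;
    - 0.0.0.0/0.0.0.0 in any later position is ignored (not relevant);
    - any other entry admits exactly the addresses inside its network.
    """
    src = IPv4Address(src_ip)
    for position, (addr, mask) in enumerate(trusted_hosts, start=1):
        if (addr, mask) == ANY and position > 1:
            continue  # only meaningful in position #1
        if src in IPv4Network(f"{addr}/{mask}", strict=False):
            return True
    return False


def audit_trusted_hosts(trusted_hosts: List[Entry]) -> List[str]:
    """Findings to raise before saving the entries (hypothetical helper)."""
    findings = []
    if trusted_hosts[0] == ANY:
        findings.append("#1 is 0.0.0.0/0.0.0.0: every source address may reach the admin login")
        if any(e not in (ANY, LOOPBACK) for e in trusted_hosts[1:]):
            findings.append("restrictive entries after an open #1 have no effect (configuration mistake)")
    if not is_admin_allowed("127.0.0.1", trusted_hosts):
        findings.append("127.0.0.1/255.255.255.255 absent: web-based console access is denied")
    return findings


# Example 2 (open #1 followed by a subnet) and example 3 (single host) from the article.
EXAMPLE_2 = [ANY, ("10.100.0.0", "255.255.255.0"), LOOPBACK]
EXAMPLE_3 = [("10.100.0.3", "255.255.255.255"), ANY, ("255.255.255.255", "255.255.255.255")]

if __name__ == "__main__":
    for name, cfg in (("example 2", EXAMPLE_2), ("example 3", EXAMPLE_3)):
        print(name, "10.100.0.3 ->", is_admin_allowed("10.100.0.3", cfg),
              "| 203.0.113.9 ->", is_admin_allowed("203.0.113.9", cfg),
              "| findings:", audit_trusted_hosts(cfg))
```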

 

Related article:

Troubleshooting Tip: Cannot access the FortiGate web admin interface (GUI)