Trusted hosts are useful to restrict admin access to FortiGate. When only an IPv4 trusted host is configured, then access to FortiGate using IPv6 is not possible. With the trust host config below, access to FortiGate from any of the IPv6 addresses assigned is not possible:

config system admin
      edit "admin"
            set trusthost1 172.26.226.0 255.255.255.0
            set accprofile "super_admin"
            set vdom "root"
            set password ENC xxxxxxx
     next

end

With the configuration above, only hosts from IPv4 172.26.226.0/24 can access the FortiGate. Access from IPv6 will be restricted.

If access from an IPv6 host and network is needed, an IPv6 trust host can be added to the configuration above.

For example, if the IPv6 trusted host has the IPv6 address 2a00:9480:10:1::1:2, then follow the below config for the IPv6 trusted host:

config system admin
        edit "admin"
               set trusthost1 172.26.226.0 255.255.255.0
               set ip6-trusthost1 2a00:9480:10:1::1:2/64
               set accprofile "super_admin"
               set vdom "root"
               set password ENC xxxxxx
        next
end

FortiOS supports up to 10 IPv6 and IPv4 trusted hosts for every configured admin user. Output from diagnose sniffer, when the 2a00:9480:10:1::1:2 is not added to trusted hosts, FortiOS ignores the SSH packets:

diagnose sniffer packet any "host 2a00:9480:10:1::1:2" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 2a00:9480:10:1::1:2]
1.697720 port2 in 2a00:9480:10:1::1:2.42190 -> 2a00:9480:10:1::1:1.22: syn 1982322077 [class 0x10] [flowlabel 0xdb9d8]
2.713922 port2 in 2a00:9480:10:1::1:2.42190 -> 2a00:9480:10:1::1:1.22: syn 1982322077 [class 0x10] [flowlabel 0x59150]
3.737980 port2 in 2a00:9480:10:1::1:2.42190 -> 2a00:9480:10:1::1:1.22: syn 1982322077 [class