If the trusted host on the admin or other system admin profile is configured, but any unknown internet host tries to access the Public IP configured on the WAN interface, the unknown host is not able to access the firewall, but the login page will still display for that host.

Make sure the configuration already has HTTPS enabled on the external/WAN interface and has been configured with the trusted host for the respective system admin profile as follows:

config system interface

    edit "wan1"

        set vdom "root"
        set ip 10.5.21.122 255.255.240.0
        set allowaccess https ssh

    next

end

config system admin

    edit "admin"

        set trusthost1 172.26.137.25 255.255.255.255
        set accprofile "super_admin"
        set vdom "root"

    next

end

Via GUI:

Log in to the firewall only from a trusted host. However, any unknown host can make an attempt to log in, and the login page of the firewall will still appear for that unknown host.

Create local-in-policy to prevent the firewall login page from appearing for the unknown host. 

There are 2 options to configure the local-in policy:

1. Configure 2 local-in policies: The first local-in policy is to allow trusted IP addresses. The second rule is to deny all other IPs not part of the trusted IPs.

config firewall local-in-policy

    edit 1

        set intf "wan1"
        set srcaddr "Trusted_Host_IP" <----- The same IP as the system admin's trusted host IP or pool.
        set dstaddr "Wan-IP" login <----- WAN or external interface IP.
        set action accept
        set service "HTTPS"
        set schedule "always"

    next

            edit 2

        set intf "wan1"
        set srcaddr "all" 
        set dstaddr "Wan-IP" login <----- WAN or external interface IP.
        set action deny
        set service "HTTPS"
        set schedule "always"

end

A login page will only be for trusted hosts. If other unknown hosts try to attempt to access the firewall, the login page will not upload or display.

2. Configure a single local-in policy using 'srcaddr-negate enable' option. This will only allow IPs on the Trusted_Host_IP and will deny other IPs not part of the trusted IPs.

config firewall local-in-policy

    edit 0

        set intf "wan1"
        set srcaddr "Trusted_Host_IP" <----- The same IP as the system admin's trusted host IP or pool.

   set srcaddr-negate enable <----- This will apply to all source addresses that are NOT in the specified source object or group

        set dstaddr "Wan-IP" login <----- WAN or external interface IP.
        set action deny
        set service "HTTPS"
        set schedule "always"

end

Note:

Starting from v7.6.0, the Local-in-Policy can now also be configured in the GUI. Refer to this article: Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI

Note:

This article's steps are valid when the trusted host is specified for all admin accounts in the FortiGate. For example, if the trusted host is only specified in Admin 1 and not in Admin 2, the login page will be displayed, but only Admin 1 will be able to log in.