kvimaladevi
Staff
Article Id 248943

Description

This article explains the difference between a local-in-policy and trusted hosts.

 

Scope

Any supported version of FortiGate.

 

Solution

Local-in-policy:

 

Local-in-policies restrict administrative access (HTTPS, PING, SSH, and others) at the interface level. The policy must define the source IP, the destination IP, the interface it applies to, and the service. Traffic that matches these conditions is either allowed or denied depending on the configured action.

It is possible to define a local-in-policy that restricts access based on geographical location as well.

Note: By default, no local-in-policy is defined.

 

Configuration in the CLI:

[Image: local in policy.PNG]

Local-in-policy is not configurable from the GUI. Once configured from the CLI, it can be viewed in the GUI by enabling it under System -> Feature Visibility, in the Additional Features section.

 

Trusted hosts:

Unlike a local-in-policy, which allows administrative access based on the interface, IP, and service configured in the policy, trusted hosts permit access based on the admin user and the IP addresses assigned to that admin user as trusted hosts.

 

A single IP or subnet is added under the trusted host settings of the admin user configuration. If an incoming connection attempt comes from a source IP that does not match any entry in this list, the connection is dropped. Up to 10 trusted host IP addresses can be added.

 

When the source IP of a connection attempt matches a trusted host of any admin, the TCP/TLS connection is allowed and the FortiGate login screen appears. Once the credentials are entered, the source IP is checked against the trusted hosts configured for that specific user, and access is granted only if it matches. If the user or the trusted host does not match, access is denied.

 

Trusted host GUI configuration:

[Image: Trusted host.PNG]
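The CLI equivalent of the two screenshots above, as an added example and not the article's own configuration: a local-in-policy on one interface that accepts HTTPS, SSH and PING only from a management subnet and explicitly denies those services from any other source, followed by trusted hosts for one admin account. The interface name wan1, the address object MGMT_HOSTS, the admin name and all IP addresses are assumed sample values.

```text
# Address object for the management subnet (constructed sample value)
config firewall address
    edit "MGMT_HOSTS"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Local-in-policy: matched top-down against traffic destined to the
# FortiGate itself on the named interface. Policy 1 accepts management
# services from the subnet; policy 2 denies the same services from
# every other source on wan1 (without it, unmatched traffic is still
# subject only to the interface's allowaccess settings).
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_HOSTS"
        set dstaddr "all"
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
        set action deny
    next
end

# Trusted hosts: per-admin source restriction checked again at login.
# trusthost1 is a subnet, trusthost2 a single host (host mask).
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 192.168.10.5 255.255.255.255
    next
end
```

The local-in-policy filters by interface, source, destination and service before any login prompt is shown, while the trusted host entries bind the allowed source to a specific admin account, so the two controls are complementary rather than interchangeable.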