FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article explains the difference between Local-in-policy and Trusted hosts.
Any supported version of FortiGate.
Local-in-policies to restrict administrative access(HTTPS, PING, SSH, and others) in the interface level. It is necessary to define the source IP, destination IP, interface to which it should be applicable, and the service in the policy. Network traffic that satisfies the condition mentioned is either allowed or denied depending on the configuration.
It is possible to define a local-in-policy to restrict access based on geographical location as well.
Note: By default, no local-in-policy is defined.
Configuration in the CLI:
Local-in-policy is not configurable from the GUI. Once configured from CLI, verify it in the GUI by enabling it under System -> Feature Visibility under the Additional Features section.
Unlike a local-in-policy that allows administrative access based on the interface, IP and service configured in the policy; trusted hosts are configured to permit access based on the admin user and the IP allocated to the admin user as a trusted host.
A single IP or subnet is added under the trusted host config of the admin user configuration. If an incoming connection attempt comes from a source-IP that does not match anything in this pool, the connection is dropped. Up to 10 trusted host IP addresses can be added.
When the source-IP of a connection attempt matches the trusted host of any admin, TCP/TLS is allowed and the FortiGate Login screen appears. Once the credentials are entered, the source IP is checked against the trusted hosts configured for that user and access is allowed if applicable. If the user or the trusted host mismatches, access is denied.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.