We've been managing our FGTs with FMG for a while, and we've been trying to figure out how to restrict access to the FMG. We are using SAML SSO, so the trusted hosts option isn't available - at least, it doesn't appear that logins for SSO can be restricted to trusted hosts. I also don't see an option for implementing a local-in policy. Even though all our FGTs are controlled by these controls, our FMG isn't - anyone in our organization can attempt to log in, though we do have logins restricted to a particular group. Especially in light of the critical FMG vulnerability last year, this seems like a serious oversight if it can't be done - hence, I believe it can, but we just can't find the right area to configure.
How are you folks approaching limiting access to which hosts can log into the FMG?
I usually control who can access what, on FMG and FAZ with firewall rules on the FGT in front of them.
For FAC I use 2 nics, one for WAN where I enable FortiToken and one for LAN for management.
I was hoping this wasn't the best option, but I guess that isn't the case. We just replaced our Cisco firewalls with FGTs, and a guy on the team jokingly suggested this morning putting one of the Firepowers in front of the FMG. I am surprised that access to the FMG isn't more robust.
Well, it's best practice to have one or more firewalls in front of any public-facing applications/servers and not expose them directly... you can put any kind/vendor of firewall in front of it.
Local-in policies exist on FMG (7.2.0 & later) as well.
For an example, see: PSIRT | FortiGuard Labs
If you are looking to restrict access specifically for the FGFM protocol, consider enabling "fgfm-deny-unknown" to restrict registration/connection attempts only to known FortiGates.
This is only part of the problem, so this is great to know. We're wanting to also restrict administrator access to only a handful of subnets.
Separating admin access and using another interface/port dedicated to it is recommended.
Toshi
We don't allow any management interface directly from the Internet, and we generally don't even allow management access from our entire internal network. Our machines are assigned to subnets when we log into VDI, so we're trying to restrict access to only those subnets. Admin and data access are separated.
Upgrade the FMG to 7.2 when all managed FGTs are upgraded to at least 7.0, then use a local-in policy.
Toshi
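To make the advice in the last two replies concrete, here is an added example (not configuration from any poster in this thread, nor Fortinet's own documentation) of what a FortiManager 7.2 local-in policy that limits admin access to a couple of management subnets could look like. The CLI keywords (`config system local-in-policy`, `set src`, `set dport`, `set intf`, `set action`, and `fgfm-deny-unknown` under `config system global`) are written from memory of the FortiManager 7.2 CLI reference and the subnet addresses and interface name are constructed placeholders, so verify the exact syntax and values against your own version before applying anything.

```text
# Added example, not from the original thread. Assumes FortiManager 7.2.x,
# a dedicated admin interface named port2, and two constructed VDI subnets
# (10.10.20.0/24 and 10.10.21.0/24). Verify keywords against your CLI reference.

config system global
    # Refuse FGFM registration from FortiGates that are not already known
    set fgfm-deny-unknown enable
end

config system local-in-policy
    # Policies are matched top-down. Traffic that matches no policy is
    # accepted by default, so the explicit drop rules at the end are what
    # actually close the admin ports to everyone else.

    # HTTPS GUI (where SAML SSO logins also land) from VDI subnet A
    edit 1
        set action accept
        set intf port2
        set protocol tcp
        set dport 443
        set src 10.10.20.0/24
    next
    # HTTPS GUI from VDI subnet B
    edit 2
        set action accept
        set intf port2
        set protocol tcp
        set dport 443
        set src 10.10.21.0/24
    next
    # SSH from VDI subnet A
    edit 3
        set action accept
        set intf port2
        set protocol tcp
        set dport 22
        set src 10.10.20.0/24
    next
    # Drop HTTPS and SSH from any other source on the admin interface.
    # TCP 541 (FGFM) is deliberately left alone so managed FortiGates
    # keep connecting; fgfm-deny-unknown above handles unknown devices.
    edit 10
        set action drop
        set intf port2
        set protocol tcp
        set dport 443
        set src 0.0.0.0/0
    next
    edit 11
        set action drop
        set intf port2
        set protocol tcp
        set dport 22
        set src 0.0.0.0/0
    next
end
```

The ordering matters: add the accept entries first and the catch-all drops last, and test from a host outside the allowed subnets before relying on it. Because SAML logins still terminate on the FMG's HTTPS listener, this closes the gap the original question raises (SSO users bypassing trusted hosts) at the network layer, while the IdP-side restriction mentioned below covers it at the identity layer.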
As for admin users of type SSO, the trusted host configuration should be configured on the IdP server.
Copyright 2025 Fortinet, Inc. All Rights Reserved.