TCP connection is allowed, and login screen is displayed, to every IP that matches at least a single admin's trusthost configuration (if one admin has no trusthost setting, then ALL source-IPs are permitted)
Once the unknown user attempts to log in, the login request will be permitted or denied based on the username provided and trusthost evaluation for the matching admin account.
In your case: - login screen will be reachable to everyone
- admin1 + admin2 can log in from anywhere
- admin3 will be blocked from logging in unless coming from their trusthost IPs
Lastly, note that you can override trushosts with local-in policy. If a local-in policy says "DENY" for a given source-IP, the traffic will be blocked, regardless of any trusthost configuration.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.