2.4.2 Ensure all the login accounts having specific trusted hosts enabled


Configure each administrative account so that it can log in only from a trusted host. A trusted host entry is either a single IP address or a subnet, and each account has several numbered entries (trusthost1, trusthost2, ...) so that more than one address or range can be allowed.


Administrative access to a firewall should come only from network segments reserved for administrators. Restricting each account to those segments adds a layer beyond the password: a login from anywhere else on the network is refused even when the credentials are correct.


Logins from outside the allowed segments are refused regardless of who attempts them, so administrators working remotely need a jump host that sits inside an allowed segment. Add those jump hosts (or their subnet) to the list before enabling the restriction, otherwise the remaining sessions are the only way back in.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To remove a trusted host entry in the CLI (slot trusthost1 of account test_admin in this example; unsetting a slot returns it to its default, unrestricted value)

FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # unset trusthost1
FG1 (test_admin) # end
FG1 #

To add a trusted host entry in the CLI. An IPv4 entry takes an address followed by a netmask; a single host is given with netmask 255.255.255.255, a subnet with its network mask. IPv6 entries use the corresponding ip6-trusthost slots with a prefix.

FG1 # config system admin
FG1 (admin) # edit 'test_admin'
FG1 (test_admin) # set trusthost6 <ip-address> <netmask>
FG1 (test_admin) # end
FG1 #

Before adding an entry, check which slots the account already uses. Setting a slot that is already in use, for example trusthost3, silently overwrites the host or network stored there, so pick an unused slot unless replacement is intended.
In the web GUI, go to System -> Administrators, select the account and click Edit. On the account settings page, make sure that 'Restrict login to trusted hosts' is enabled and that every allowed host or subnet appears in the Trusted Hosts list. Note that some FortiOS versions show only the first three trusted hosts. To see the rest, click the '+' sign as if adding a new entry and keep clicking until an empty Trusted Host field appears; that empty field marks the bottom of the list. To add a trusted host, fill in that empty field. To remove a trusted host, clear the field of the corresponding entry.
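The check the benchmark asks for can be scripted against the text of `show system admin`. The following is an added example, not code from the benchmark or from Tenable's audit plugin: it parses the admin entries, flags accounts with no trusted hosts, with the default 0.0.0.0/0 or ::/0 entries, or with entries that fall outside the segments reserved for administrators, and prints the CLI that would leave an offending account with exactly those segments. The sample configuration, the account names and the ADMIN_SEGMENTS values are constructed for the example, not captured from a device.

```python
"""Added example: audit FortiGate `show system admin` output for accounts that are not
restricted to trusted hosts, and emit the CLI that fixes each offending account.
Illustrative code, not part of the CIS benchmark or of Tenable's audit plugin."""
import ipaddress
import re

# Constructed sample of `show system admin` output (not captured from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost2 192.0.2.50 255.255.255.255
    next
    edit "test_admin"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "noc_ro"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
    next
    edit "backup_admin"
        set accprofile "super_admin"
        set trusthost1 10.10.10.0 255.255.255.0
        set trusthost3 203.0.113.0 255.255.255.0
    next
end
"""

# Network segments reserved for administrators (assumed values for this example).
ADMIN_SEGMENTS = [
    ipaddress.ip_network("10.10.10.0/24"),
    ipaddress.ip_network("2001:db8:10::/64"),
]

_EDIT = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_NEXT = re.compile(r'^\s*next\s*$')
# `set trusthostN <ip> <netmask>` for IPv4, `set ip6-trusthostN <prefix>` for IPv6.
_TRUST = re.compile(r'^\s*set\s+(ip6-trusthost|trusthost)(\d+)\s+(\S+)(?:\s+(\S+))?\s*$')


def parse_admins(text):
    """Return {account: [(param, slot, ip_network), ...]} from `show system admin` output."""
    admins = {}
    current = None
    for line in text.splitlines():
        if (m := _EDIT.match(line)):
            current = m.group(1)
            admins[current] = []
        elif _NEXT.match(line):
            current = None
        elif current and (m := _TRUST.match(line)):
            param, slot, addr, mask = m.groups()
            spec = f"{addr}/{mask}" if mask else addr  # "ip mask" pair or CIDR prefix
            admins[current].append((param, int(slot), ipaddress.ip_network(spec, strict=False)))
    return admins


def evaluate(admins, segments=ADMIN_SEGMENTS):
    """Return {account: [finding, ...]}; an empty list means the account is compliant."""
    findings = {}
    for name, entries in admins.items():
        problems = []
        # 0.0.0.0/0 and ::/0 are the FortiOS defaults, i.e. "not restricted".
        if not any(net.prefixlen > 0 for _, _, net in entries):
            problems.append("no trusted hosts configured: login allowed from any address")
        for param, slot, net in entries:
            if net.prefixlen == 0:
                problems.append(f"{param}{slot} {net} is the default 'any' entry; remove it")
            elif not any(net.version == seg.version and net.subnet_of(seg) for seg in segments):
                problems.append(f"{param}{slot} {net} is outside the admin segments")
        findings[name] = problems
    return findings


def remediation(name, entries, segments=ADMIN_SEGMENTS):
    """Emit CLI that leaves `name` with exactly the admin segments as trusted hosts.

    Slots 1..k are overwritten with the segments; any higher slot the account currently
    uses is unset, because re-using a slot replaces its value but untouched slots keep
    whatever was there before.
    """
    v4 = [s for s in segments if s.version == 4]
    v6 = [s for s in segments if s.version == 6]
    lines = ["config system admin", f'    edit "{name}"']
    for i, seg in enumerate(v4, 1):
        lines.append(f"        set trusthost{i} {seg.network_address} {seg.netmask}")
    for i, seg in enumerate(v6, 1):
        lines.append(f"        set ip6-trusthost{i} {seg.with_prefixlen}")
    for param, slot, _ in entries:
        if slot > (len(v4) if param == "trusthost" else len(v6)):
            lines.append(f"        unset {param}{slot}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    admins = parse_admins(SAMPLE_CONFIG)
    for name, problems in evaluate(admins).items():
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print(f"  - {p}")
        if problems:
            print(remediation(name, admins[name]))
```

Run it against a saved copy of `show system admin` (or `show full-configuration system admin`, where the default 0.0.0.0 0.0.0.0 entries are printed explicitly) and review the generated CLI before pasting it: the script replaces the account's trusted hosts wholesale, so the jump hosts you rely on must be inside ADMIN_SEGMENTS.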

Default Value:

By default, each account is accessible from everywhere. The host value is

Item Details


References: 800-53|AC-6(2), 800-53|AC-6(5), 800-53|AC-17(3), 800-53|SI-7, CSCv7|4.6, CSCv7|11.6, CSCv7|11.7

Plugin: FortiGate

Control ID: 8d6ae77539e2917f94a1a74db07f65132b8b47d453a692b8772d987408348cc4