Troubleshooting Tip to allow GUI (HTTPS) management after FortiOS upgrade
Description

This article describes a case where FortiGate GUI management has been configured on the secure port TCP/2443, but after a FortiOS upgrade every connection to the GUI is rejected by the FortiGate with a TCP RST. Note: the problem is not specific to port 2443; it affects whichever secure port GUI (HTTPS) management is configured on (by default TCP/443).

Scope

FortiGate 7.4.x and above.
Solution

Configuration at the time of the problem: the custom certificate Cert_Https_TAC.cer is bound to the GUI admin port, and HTTPS access is allowed on port3:

```
config system global
    set admin-sport 2443
    set admin-server-cert Cert_Https_TAC.cer
end
config system interface
    edit "port3"
        set ip 172.30.252.251 255.255.0.0   <---
        set allowaccess ping https ssh http
    next
end
```

A sniffer trace on the FortiGate shows that each connection attempt to port 2443 is answered with a RST as soon as the SYN arrives on port3:

```
FortiGate # diagnose sniffer packet any ' host 172.30.252.251 and port 2443 ' 6 0 l
interfaces=[any]
filters=[ host 172.30.252.251 and port 2443 ]
2025-07-18 10:30:10.170053 ssl.Teletrabajo in 172.26.129.69.50493 -> 172.30.252.251.2443: syn 499460273
2025-07-18 10:30:10.170193 mgmt2 out 172.26.129.69.50493 -> 172.30.252.251.2443: syn 499460273
2025-07-18 10:30:10.170210 port3 in 172.26.129.69.50493 -> 172.30.252.251.2443: syn 499460273
2025-07-18 10:30:10.170239 port3 out 172.30.252.251.2443 -> 172.26.129.69.50493: rst 0 ack 499460274
```
After switching admin-server-cert back to the default certificate (set admin-server-cert Fortinet_Factory), the connection succeeds.
The same trace after the change: the three-way handshake completes and the client goes on to send TLS data (psh):

```
FortiGate # diagnose sniffer packet any ' host 172.30.252.251 and port 2443 ' 6 0 l
interfaces=[any]
filters=[ host 172.30.252.251 and port 2443 ]
2025-07-18 10:44:53.502189 ssl.Teletrabajo in 172.26.129.187.12896 -> 172.30.252.251.2443: syn 3846037187
2025-07-18 10:44:53.503596 mgmt2 out 172.26.129.187.12896 -> 172.30.252.251.2443: syn 3846037187
2025-07-18 10:44:53.503613 port3 in 172.26.129.187.12896 -> 172.30.252.251.2443: syn 3846037187
2025-07-18 10:44:53.503649 port3 out 172.30.252.251.2443 -> 172.26.129.187.12896: syn 793940012 ack 3846037188
2025-07-18 10:44:53.503684 mgmt2 in 172.30.252.251.2443 -> 172.26.129.187.12896: syn 793940012 ack 3846037188
2025-07-18 10:44:53.503734 ssl.Teletrabajo out 172.30.252.251.2443 -> 172.26.129.187.12896: syn 793940012 ack 3846037188
2025-07-18 10:44:53.511204 ssl.Teletrabajo in 172.26.129.187.12896 -> 172.30.252.251.2443: ack 793940013
2025-07-18 10:44:53.511231 mgmt2 out 172.26.129.187.12896 -> 172.30.252.251.2443: ack 793940013
2025-07-18 10:44:53.511248 port3 in 172.26.129.187.12896 -> 172.30.252.251.2443: ack 793940013
2025-07-18 10:44:53.518305 ssl.Teletrabajo in 172.26.129.187.12896 -> 172.30.252.251.2443: psh 3846037188 ack 793940013
2025-07-18 10:44:53.518496 mgmt2 out 172.26.129.187.12896 -> 172.30.252.251.2443: psh 3846037188 ack 793940013
2025-07-18 10:44:53.518517 port3 in 172.26.129.187.12896 -> 172.30.252.251.2443: psh 3846037188 ack 793940013
```
Note: This behaviour is expected. OpenSSL was upgraded in FortiOS, and OpenSSL 3.2.0 changed its default security level. Modern browsers have deprecated and warned against certificates with 1024-bit RSA keys for a decade, and the OpenSSL project decided it was time to discourage their use as well. Inspecting the custom certificate confirms that its key is only 1024 bits:
```
Downloads$ openssl x509 -in Cert_Https_TAC.cer -text -noout | grep "Public-Key"
                Public-Key: (1024 bit)
```
OpenSSL 3.2.0 changed the default security level to 2, which requires an RSA key of at least 2048 bits; certificates with a shorter RSA key are no longer accepted (see https://github.com/openssl/openssl/blob/master/CHANGES.md). The certificate must be re-created with a 2048-bit key and bound to the admin port again with set admin-server-cert.
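The following shell script is an added example, not part of the Fortinet article: it wraps the same openssl x509 check shown above in a function that reports whether a candidate certificate file meets the 2048-bit minimum of OpenSSL security level 2, so the check can be run on a certificate before it is uploaded and bound with set admin-server-cert. The self-signed test certificates and their subject name are constructed for the demonstration; the only requirement is the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check a candidate admin-server-cert
# file against the OpenSSL security level 2 minimum (RSA key >= 2048 bits) before
# binding it with "set admin-server-cert". Requires the openssl CLI.
set -eu

# rsa_bits CERT -> prints the key size from the same "Public-Key: (N bit)" line of
# "openssl x509 -text" that the article greps; prints nothing if CERT is unreadable.
rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_cert CERT -> status 0 if the key meets the 2048-bit minimum, 1 otherwise
check_cert() {
    bits=$(rsa_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: not a readable X.509 certificate"
        return 1
    fi
    if [ "$bits" -ge 2048 ]; then
        echo "$1: ${bits}-bit key is acceptable at OpenSSL security level 2"
        return 0
    fi
    echo "$1: ${bits}-bit key is below the 2048-bit minimum; re-issue the certificate"
    return 1
}

# make_selfsigned BITS OUT -> constructed self-signed test certificate with a
# hypothetical subject; the private key is written to OUT.key.
make_selfsigned() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$2.key" -out "$2" \
        -subj "/CN=fortigate-admin-test" -days 30 >/dev/null 2>&1
}

# Demonstration: a 1024-bit certificate (the size of Cert_Https_TAC.cer in the
# article) fails the check, a freshly generated 2048-bit one passes.
demo() {
    dir=$(mktemp -d)
    make_selfsigned 1024 "$dir/weak.cer"
    make_selfsigned 2048 "$dir/ok.cer"
    check_cert "$dir/weak.cer" || true
    check_cert "$dir/ok.cer"
    rm -rf "$dir"
}

demo
```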
