piaakit
New Member
February 20, 2026
Question

Site A can not GUI web console devices in Site B


Dear All,

I have a site in HK with subnet 192.168.1.0/24; this site is using a FortiGate 60E. In the HK site I have an OpenVPN appliance access server running, and also one OpenVPN access server with IP 192.168.1.72. I also have another site in China with subnet 192.168.12.0/24, also using a FortiGate as an internet firewall. A site-to-site VPN is built between HK and China: on the OpenVPN appliance access server I created a user account, exported the .ovpn and imported it to a Windows server as an OpenVPN client. The Windows server, with IP 192.168.12.90, is also running RRAS with LAN routing enabled. The HK FortiGate has a static route 192.168.12.0/255.255.255.0 with gateway address 192.168.1.72, so whenever traffic goes toward 192.168.12.0/24 it will route via 192.168.1.72 (the OpenVPN appliance access server).

In China, there is an ESXi with IP 192.168.12.103 and a FortiGate at 192.168.12.99. I found that I can ping and telnet 443 to the ESXi and FortiGate in China but cannot access them via web console, but in China I can ping, telnet and access via web console the ESXi and FortiGate firewall in China. Any idea what goes wrong?

By the way, in the China FortiGate there is also a static route 192.168.1.0/24 – gateway 192.168.1.90 (Windows server), and locally in China I can web console these ESXi and FortiGate. Also, the HK FortiGate was recently installed; before, I was using CentOS as a software router, and I could access the web console from HK to China. Since it was replaced with the FortiGate in HK, it no longer works. Do I need the following firewall policy? Any help would be appreciated.

Via GUI:

  1. Go to Policy & Objects > Firewall Policy
  2. Create New Policy
  3. Incoming Interface: Your LAN interface (e.g., "internal" or "lan")
  4. Outgoing Interface: Same LAN interface (since traffic exits via the OpenVPN server on the same subnet)
  5. Source: Your HK subnet (192.168.1.0/24)
  6. Destination: China subnet (192.168.12.0/24)
  7. Schedule: Always
  8. Service: ALL
  9. Action: ACCEPT
  10. NAT: Disabled (uncheck "Enable NAT")

 

Keith 

5 replies

Stephen_G
Moderator
February 23, 2026

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

If anybody else has any info or advice, please feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team
Stephen_G
Moderator
February 26, 2026

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Regards,

Stephen_G - Fortinet Community Team
piaakit
Author
New Member
February 27, 2026

I added the following firewall policy in the HK FortiGate. Do I need to create the same in the China FortiGate?

[Attached image: Fortigate.jpg]

Stephen_G
Moderator
March 2, 2026

Hello again piaakit,

I received the following information - please let me know if it helps any.

Potential Causes

  1. Firewall Policies: Ensure that the firewall policies on both FortiGates (HK and China) are correctly configured to allow traffic between the subnets.

  2. Routing Configuration: Verify that the static routes are correctly set up on both FortiGates to route traffic between the subnets.

  3. NAT Configuration: Ensure that NAT is disabled for the traffic between the HK and China subnets, as NAT can interfere with routing and access.

  4. OpenVPN Configuration: Check the OpenVPN server and client configurations to ensure they are correctly set up to route traffic between the subnets.

  5. Web Console Access: Ensure that the web console service is enabled and accessible on the ESXi and FortiGate devices in China.

Suggested Firewall Policy

Based on your description, the following firewall policy should be configured on the HK FortiGate:

  1. Incoming Interface: Your LAN interface (e.g., "internal" or "lan").
  2. Outgoing Interface: The same LAN interface (since traffic exits via the OpenVPN server on the same subnet).
  3. Source: HK subnet (192.168.1.0/24).
  4. Destination: China subnet (192.168.12.0/24).
  5. Schedule: Always.
  6. Service: All (or specify HTTP/HTTPS if you want to limit to web console access).
  7. Action: Accept.
  8. NAT: Disabled (uncheck "Enable NAT").

Additional Steps

  • Verify Connectivity: Use tools like ping and traceroute to verify connectivity between the HK and China subnets.
  • Check Logs: Review the FortiGate logs for any denied traffic or errors that might indicate the cause of the issue.
  • Test with Different Services: Try accessing other services on the ESXi and FortiGate devices to determine if the issue is specific to the web console.

Follow-ups and Clarification Questions

  1. Have you verified that the web console service is running and accessible locally on the ESXi and FortiGate devices in China?
  2. Are there any specific error messages or logs on the FortiGate or OpenVPN server that might indicate the issue?
  3. Have you tested the connectivity using other protocols or services to narrow down the issue to the web console?

If the problem persists, consider reaching out to Fortinet Technical Assistance for further investigation.

Stephen_G - Fortinet Community Team
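
A staged probe for the symptom in this thread (ping and telnet to 443 succeed, the web console does not load), added here as an example and not posted by any participant. A telnet test only proves the TCP handshake completes; this Python sketch also attempts the TLS handshake and one HTTP request and reports the last stage that passed. The function name `probe_https` and the stage labels are made up for this example.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0):
    """Return (last_stage_passed, detail) for one HTTPS management endpoint.

    Stages in order: "none" -> "tcp_connect" -> "tls_handshake" -> "http_response".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Same result as a failed "telnet host 443": routing or policy drop.
        return ("none", f"TCP connect failed: {exc}")

    # Device GUIs often use self-signed certificates. This context only tests
    # reachability; never reuse an unverified context for real traffic.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        sock.close()
        # telnet succeeds but the browser hangs: the handshake replies are lost.
        return ("tcp_connect", f"TLS handshake failed: {exc}")

    try:
        request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(request.encode("ascii"))
        reply = tls.recv(1024)
    except OSError as exc:
        return ("tls_handshake", f"no HTTP response: {exc}")
    finally:
        tls.close()
    if not reply:
        return ("tls_handshake", "server closed the connection without replying")
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    return ("http_response", status_line)


if __name__ == "__main__":
    # Addresses taken from the thread: ESXi and FortiGate at the China site.
    for target in ("192.168.12.103", "192.168.12.99"):
        print(target, probe_https(target))
```

Running it once from a host in 192.168.1.0/24 and once from a host in 192.168.12.0/24 shows at which stage the two paths diverge, which narrows where to look in the FortiGate logs.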
piaakit1210
New Member
March 29, 2026

Hi,

From the HK FortiGate I can ping and traceroute the devices from China and also telnet 443, but cannot access the GUI from all China devices. Before using the FortiGate in the HK site (before, I was using a software router (CentOS)), it was working probably, but I could access the GUI from China to HK devices. Any idea? Thanks

 

Keith