tonylin1
Staff

 

Description

This article describes the local traffic used by the Web CLI.

The FortiGate uses an internal socket on port 8023 for the Web CLI.

Scope  
Solution

CLI command output:

 

diagnose sys tcpsock <----- Shows that the FortiGate opens port 8023, listening on 127.0.0.1, for the process httpclid.

 

127.0.0.1:8023->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=41446 process=280/httpclid

 

- When the packet sniffer is running on the FortiGate and the Web CLI is used, it shows 127.0.0.2 trying to connect to 127.0.0.1:8023:

 

2022-08-04 17:19:05.862687 root out 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336133
2022-08-04 17:19:05.862685 root in 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336133
2022-08-04 17:19:05.891723 root out 127.0.0.2.5922 -> 127.0.0.1.8023: psh 1170130219 ack 157336133
2022-08-04 17:19:05.891715 root in 127.0.0.2.5922 -> 127.0.0.1.8023: psh 1170130219 ack 157336133
2022-08-04 17:19:05.891785 root out 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220
2022-08-04 17:19:05.891779 root in 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220
2022-08-04 17:19:05.930007 root out 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336134
2022-08-04 17:19:05.930003 root in 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336134

 

- Therefore, the traffic 127.0.0.2:X -> 127.0.0.1:8023 on the FortiGate is used by the Web CLI.
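When reviewing saved output offline, the two checks above can be scripted. The following is an added example, not part of the original article or of any Fortinet tooling: it parses the tcpsock and sniffer line formats shown above, reports whether the port 8023 listener is bound to loopback only, and labels sniffer lines on that port. The function names, the second tcpsock line and the port1 sniffer lines are constructed for illustration.

```python
import ipaddress
import re

# First line is the one from the article; the second is constructed to show a
# listener that is NOT bound to loopback (process name "example" is made up).
TCPSOCK = """\
127.0.0.1:8023->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=41446 process=280/httpclid
0.0.0.0:8023->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=50001 process=999/example
"""
# First two lines are from the article; the last two are constructed.
SNIFFER = """\
2022-08-04 17:19:05.891715 root in 127.0.0.2.5922 -> 127.0.0.1.8023: psh 1170130219 ack 157336133
2022-08-04 17:19:05.891779 root in 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220
2022-08-04 17:19:06.000001 port1 in 192.0.2.10.40000 -> 192.0.2.1.8023: syn 1
2022-08-04 17:19:06.000002 port1 in 192.0.2.10.40001 -> 192.0.2.1.443: syn 2
"""

SOCK_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)->\S+->state=(?P<state>\w+)"
                     r".*\bprocess=\d+/(?P<name>\S+)")
SNIFF_RE = re.compile(r"^\S+ \S+ \S+ (?:in|out) (?P<src>[\d.]+)\.(?P<sport>\d+)"
                      r" -> (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def listeners(text, port=8023):
    """Return (bind_ip, process, loopback_only) for sockets listening on port."""
    found = []
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m and m["state"] == "listen" and int(m["port"]) == port:
            ip = ipaddress.ip_address(m["ip"])
            found.append((str(ip), m["name"], ip.is_loopback))
    return found

def classify(line, port=8023):
    """'webcli-local' if both ends are loopback, 'non-loopback' otherwise;
    None for lines that do not involve the port or do not parse."""
    m = SNIFF_RE.match(line.strip())
    if not m or port not in (int(m["sport"]), int(m["dport"])):
        return None
    ends = (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))
    return "webcli-local" if all(e.is_loopback for e in ends) else "non-loopback"

if __name__ == "__main__":
    for ip, proc, local in listeners(TCPSOCK):
        print(f"{ip}:8023 {proc} loopback_only={local}")
    for line in SNIFFER.splitlines():
        print(classify(line), "|", line)
```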

 
