tonylin1
Staff
Article Id 219844
Description

This article describes the local traffic generated by the Web CLI.

The FortiGate Web CLI uses an internal (loopback) socket on port 8023.

Scope

FortiGate.
Solution

CLI command output:

diagnose sys tcpsock <- Shows that FortiGate opens port 8023, listening on 127.0.0.1, for the httpclid process.

127.0.0.1:8023->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=41446 process=280/httpclid


When the packet sniffer is run on the FortiGate while the Web CLI is being used, the capture shows 127.0.0.2 connecting to 127.0.0.1:8023:


2022-08-04 17:19:05.862687 root out 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336133
2022-08-04 17:19:05.862685 root in 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336133
2022-08-04 17:19:05.891723 root out 127.0.0.2.5922 -> 127.0.0.1.8023: psh 1170130219 ack 157336133
2022-08-04 17:19:05.891715 root in 127.0.0.2.5922 -> 127.0.0.1.8023: psh 1170130219 ack 157336133
2022-08-04 17:19:05.891785 root out 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220
2022-08-04 17:19:05.891779 root in 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220
2022-08-04 17:19:05.930007 root out 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336134
2022-08-04 17:19:05.930003 root in 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336134

Therefore, traffic of the form 127.0.0.2:X -> 127.0.0.1:8023 seen on a FortiGate is the Web CLI's local traffic.
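As an added example (not from the article or Fortinet), the small Python helper below parses the two outputs shown above, confirms that the port 8023 listener is bound to 127.0.0.1 by httpclid rather than to all interfaces, and labels sniffer lines that match the 127.0.0.2:X <-> 127.0.0.1:8023 pattern. The sample strings are constructed from the article's output format; the function names and the "webcli"/"other"/"unparsed" labels are assumptions of this example.

```python
import re

WEBCLI_PORT = 8023  # listener shown by `diagnose sys tcpsock`
WEBCLI_CLIENT_IP, WEBCLI_SERVER_IP = "127.0.0.2", "127.0.0.1"
# Constructed samples in the two output formats the article shows.
SAMPLE_TCPSOCK = ("127.0.0.1:8023->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 "
                  "wma=0 fma=0 tma=0 inode=41446 process=280/httpclid\n")
SAMPLE_SNIFFER = (
    "2022-08-04 17:19:05.862687 root out 127.0.0.2.5922 -> 127.0.0.1.8023: ack 157336133\n"
    "2022-08-04 17:19:05.891785 root out 127.0.0.1.8023 -> 127.0.0.2.5922: psh 157336133 ack 1170130220\n"
)

TCPSOCK_RE = re.compile(
    r"^(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"->state=(?P<state>\w+).*?process=(?P<pid>\d+)/(?P<proc>\S+)"
)
# sniffer text line: "<date> <time> <vdom> <in|out> <src>.<sport> -> <dst>.<dport>: ..."
SNIFFER_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<dir>in|out) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_tcpsock(text):
    """Parse `diagnose sys tcpsock` output into a list of socket dicts."""
    socks = []
    for line in text.splitlines():
        m = TCPSOCK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("lport", "rport", "pid"):
                d[k] = int(d[k])
            socks.append(d)
    return socks

def find_webcli_listener(socks):
    """Return the listening socket on port 8023, or None when it is absent."""
    return next((s for s in socks if s["state"] == "listen" and s["lport"] == WEBCLI_PORT), None)

def listener_is_loopback_only(sock):
    """True when the Web CLI listener is bound to 127.0.0.1 by httpclid, as the article shows."""
    return sock["laddr"] == WEBCLI_SERVER_IP and sock["proc"] == "httpclid"

def classify_sniffer_line(line):
    """'webcli' for 127.0.0.2:X <-> 127.0.0.1:8023 in either direction, else 'other'/'unparsed'."""
    m = SNIFFER_RE.match(line.strip())
    if not m:
        return "unparsed"
    to_srv = m["src"] == WEBCLI_CLIENT_IP and m["dst"] == WEBCLI_SERVER_IP and int(m["dport"]) == WEBCLI_PORT
    from_srv = m["src"] == WEBCLI_SERVER_IP and int(m["sport"]) == WEBCLI_PORT and m["dst"] == WEBCLI_CLIENT_IP
    return "webcli" if to_srv or from_srv else "other"
```

A listener on port 8023 whose local address is 0.0.0.0 instead of 127.0.0.1 would fail listener_is_loopback_only and is worth investigating.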