Description
In FortiOS v5.2 and higher the internal SSH client can be used from the command line.
This allows testing the functionality of FortiGate SSH access to itself.
Solution
To use this feature, type the following command from the serial console or from Telnet:
execute ssh <admin_username@FGT_IPaddress> <port>
In the above command, the SSH port number can be specified if it differs from the default value (22).
The listening/opened TCP port can be checked with the following command (assuming 22 is the listening port):
diagnose sys tcpsock | grep -n 22
Output:
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
Global settings verification for admin port
FGT # get system global
admin-concurrent : enable
admin-console-timeout: 0
admin-port : 80
admin-sport : 443
admin-ssh-grace-time: 120
admin-ssh-port : 22
admin-telnet-port : 23
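The two checks above (the configured admin ports from 'get system global' and the listening sockets from 'diagnose sys tcpsock') can be cross-checked automatically when the output is collected from many units. The following Python script is an added example, not Fortinet code; the sample outputs are constructed in the shape shown in this article, and the 'established' socket line (7.7.7.7:1379 connecting to port 22, matching the self-SSH session shown later) is an assumption added for illustration. It parses both outputs, reports for each admin service whether its configured port actually has a listener, and lists established sessions to the SSH port.

```python
import re

# Constructed sample of "get system global" output (format as in the article).
GLOBAL_OUTPUT = """\
admin-concurrent : enable
admin-console-timeout: 0
admin-port : 80
admin-sport : 443
admin-ssh-grace-time: 120
admin-ssh-port : 22
admin-telnet-port : 23
"""

# Constructed sample of "diagnose sys tcpsock" output (without grep), in the
# format shown in the article. The last line is an assumed self-SSH session.
TCPSOCK_OUTPUT = """\
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
7.7.7.7:22->7.7.7.7:1379->state=established err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
"""

# Admin services and the "get system global" key holding their port.
ADMIN_PORT_KEYS = (
    ("ssh", "admin-ssh-port"),
    ("https", "admin-sport"),
    ("http", "admin-port"),
    ("telnet", "admin-telnet-port"),
)

# local_addr:local_port->remote_addr:remote_port->state=<state> ...
SOCK_RE = re.compile(
    r"^(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"->state=(?P<state>\w+)"
)


def parse_global(text):
    """Parse 'key : value' lines of 'get system global' into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def parse_tcpsock(text):
    """Parse 'diagnose sys tcpsock' lines into dicts; unknown lines are skipped."""
    sockets = []
    for line in text.splitlines():
        match = SOCK_RE.match(line)
        if match:
            sock = match.groupdict()
            sock["lport"] = int(sock["lport"])
            sock["rport"] = int(sock["rport"])
            sockets.append(sock)
    return sockets


def check_admin_ports(global_text, tcpsock_text):
    """Return {service: (configured_port, is_listening)} for each admin service."""
    settings = parse_global(global_text)
    listening = {s["lport"] for s in parse_tcpsock(tcpsock_text) if s["state"] == "listen"}
    result = {}
    for service, key in ADMIN_PORT_KEYS:
        port = int(settings[key])
        result[service] = (port, port in listening)
    return result


def ssh_sessions(tcpsock_text, ssh_port):
    """Return (remote_addr, remote_port) of established sessions to the SSH port."""
    return [
        (s["raddr"], s["rport"])
        for s in parse_tcpsock(tcpsock_text)
        if s["lport"] == ssh_port and s["state"] == "established"
    ]


if __name__ == "__main__":
    for service, (port, up) in check_admin_ports(GLOBAL_OUTPUT, TCPSOCK_OUTPUT).items():
        print(f"{service:6} port {port:<5} listening={up}")
    print("SSH sessions:", ssh_sessions(TCPSOCK_OUTPUT, 22))
```

A service whose configured port has no listener (telnet and HTTP in the constructed sample) is either disabled on every interface or blocked, which is exactly the state a "connection refused" during the self-SSH test would point to for port 22.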
Example of a ‘self’ SSH access
Using remote Telnet or the ‘serial console’ (as below) to the FortiGate:
FGT # get system admin status
username: admin
login local: console <----- indicates from where the user is logged in
login device: N/A
login remote: :0
login vdom: root
login access profile: super_admin
login started: 2017-01-18 13:27:07
current time: 2017-01-18 13:27:19
Then perform an SSH access and log in with another admin username (one with a prof_admin profile, if any):
FGT # execute ssh test@7.7.7.7
test@7.7.7.7's password:
Note that the ‘$’ prompt replaces the ‘#’ because the ‘test’ user belongs to the ‘prof_admin’ profile.
FGT $ get system admin status
username: test
login local: ssh
login device: internal:7.7.7.7:22
login remote: 7.7.7.7:1379
login vdom: root
login access profile: prof_admin
login started: 2017-01-18 13:21:48
current time: 2017-01-18 13:21:57