FortiGate
pjang
Staff
Article Id 369268
Description: This article describes some basic behavior and requirements for accessing the FortiGate's administrative interface from different interfaces and subnets.
Scope: FortiGate.
Solution

Generally, Fortinet documentation assumes that an administrator is attempting to access the FortiGate using an IP address that belongs to the same subnet that the administrator is located on (for example, connecting a laptop to the FortiGate's internal ports and going to https://192.168.1.99 as part of the first-time setup).

However, it is very common to administratively access the FortiGate using an IP address/interface that is different from the subnet/interface that an administrator is located on. Examples include:

  • Accessing the HTTPS Web GUI using FortiGate's LAN interface address while connected to a dial-up VPN tunnel.
  • Connecting to a management VLAN address via SSH while connected to the IT VLAN.
  • Accessing a loopback interface used for administrative management while connected to the corporate LAN.

In these cases, a Firewall Policy must be added to allow access from the Source interface/subnet to the Destination interface/address. Even though the traffic does not physically leave the FortiGate, the FortiGate recognizes that traffic is ingressing on one interface and egressing towards the address of a different interface, and so Firewall Policies must be added to allow that logical flow of traffic.

Note also that this is a Firewall Policy and not a Local-In policy. Local-In policies are generally used when governing incoming access to the FortiGate itself (i.e. traffic to the FortiGate, not traffic through the FortiGate), but a Firewall Policy is needed in this case to address the 'through' aspect of this admin access. More information regarding Local-In policies can be found in the FortiGate Administration Guide: Local-in policy.

For example, consider an administrator connected to FortiGate's port1 interface who wants to reach the Web GUI (HTTPS) via the port2 interface address. Since this administrator's traffic enters on port1 and is destined for port2's address, a Firewall Policy like the following is required:

config firewall policy
    edit <id>
        set name 'Allow Admin Access from port1 to port2'
        set srcintf 'port1'
        set dstintf 'port2'
        set action accept
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set service 'HTTPS'
    next
end
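To make the "logical flow" rule concrete, the following added example (written for this article, not Fortinet's own code or tooling) parses a policy set in the same CLI syntax shown above and evaluates an administrator's cross-interface management flow against it with the FortiGate's first-match, implicit-deny semantics. The sample configuration is constructed: it contains the article's port1-to-port2 policy plus a second policy for the dial-up VPN case, where the tunnel interface name 'ssl.root', the loopback interface 'loopback0' and the address objects 'admin_vpn_pool' and 'loopback0_addr' are assumed names. As a simplification, the flow being evaluated carries the name of the address object the admin host belongs to rather than an IP address.

```python
"""Check whether a FortiGate-style firewall policy set permits an
administrator's management flow between two interfaces.

Hypothetical helper written for this article. It parses the
'config firewall policy' CLI syntax the article shows and applies
first-match semantics with an implicit deny at the end, which is how
the FortiGate walks its policy table.
"""
import shlex

# Constructed sample: the article's policy plus one for an admin arriving
# over a dial-up SSL-VPN tunnel ('ssl.root', 'loopback0', 'admin_vpn_pool'
# and 'loopback0_addr' are assumed names, not from the article).
SAMPLE_CONFIG = """
config firewall policy
    edit 10
        set name 'Allow Admin Access from port1 to port2'
        set srcintf 'port1'
        set dstintf 'port2'
        set action accept
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set service 'HTTPS'
    next
    edit 11
        set name 'Admin SSH from VPN to mgmt loopback'
        set srcintf 'ssl.root'
        set dstintf 'loopback0'
        set action accept
        set srcaddr 'admin_vpn_pool'
        set dstaddr 'loopback0_addr'
        set schedule 'always'
        set service 'SSH'
    next
end
"""

# Services that reach the FortiGate's own management plane.
ADMIN_SERVICES = {"HTTPS", "HTTP", "SSH", "TELNET", "SNMP", "PING"}


def parse_policies(text):
    """Return the policies in CLI order as a list of dicts; every 'set'
    value is kept as a list because interfaces, addresses and services
    may carry several entries."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours the quoted names
        if tokens[0] == "edit":
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def _matches(values, wanted):
    """'all'/'ALL' entries match anything, otherwise exact name match."""
    return "all" in values or "ALL" in values or wanted in values


def evaluate(policies, srcintf, dstintf, service, srcaddr="any-host"):
    """Return (verdict, policy name) for a flow entering on srcintf and
    destined for the address of dstintf. The first policy whose
    interfaces, service and source address all match decides; if none
    does, the implicit deny applies."""
    for p in policies:
        if (srcintf in p.get("srcintf", [])
                and dstintf in p.get("dstintf", [])
                and _matches(p.get("service", []), service)
                and _matches(p.get("srcaddr", []), srcaddr)):
            return p["action"][0], p.get("name", [p["id"]])[0]
    return "deny", "implicit deny"


def overly_broad(policies):
    """IDs of accept policies that open an admin service from any source;
    candidates for tightening srcaddr to the admin hosts or subnet."""
    return [p["id"] for p in policies
            if p.get("action", [""])[0] == "accept"
            and ADMIN_SERVICES & set(p.get("service", []))
            and "all" in p.get("srcaddr", [])]


POLICIES = parse_policies(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(POLICIES, "port1", "port2", "HTTPS"))   # accepted by policy 10
    print(evaluate(POLICIES, "port1", "port2", "SSH"))     # implicit deny: no SSH policy
    print(evaluate(POLICIES, "port2", "port1", "HTTPS"))   # implicit deny: reverse direction
    print("broad admin policies:", overly_broad(POLICIES))
```

Two observations the output makes visible: the article's policy permits HTTPS only, so SSH on the same path still hits the implicit deny, and the policy is directional, so a host behind port2 is not granted access to port1's address by it. The srcaddr 'all' in the article's example is the quickest way to confirm the behaviour, but in production the source should be narrowed to the admin subnet or host objects; the same check also does not replace the interface's own allowaccess setting, which must still list the protocol on the destination interface.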


Additional Reading:

The above information is a basic primer for new FortiGate administrators. For further learning, check out the following documentation which discusses the topic in greater depth.