Description: This article describes some basic behavior and requirements for accessing the FortiGate's administrative interface from different interfaces and subnets.
Scope: FortiGate.
Solution:
Generally, Fortinet documentation assumes that an administrator is attempting to access the FortiGate using an IP address that belongs to the same subnet that the administrator is located on (for example, connecting a laptop to the FortiGate's internal ports and going to https://192.168.1.99 as part of the first-time setup).
However, it is very common to administratively access the FortiGate using an IP address/interface that is different from the subnet/interface that an administrator is located on. Examples include:
In these cases, a Firewall Policy must be added to allow access from the Source interface/subnet to the Destination interface/address. Even though the traffic does not physically leave the FortiGate, the FortiGate recognizes that traffic is ingressing on one interface and egressing towards the address of a different interface, and so Firewall Policies must be added to allow that logical flow of traffic.
Note also that this is a Firewall Policy and not a Local-In policy. Local-In policies are generally used when governing incoming access to the FortiGate itself (i.e. traffic to the FortiGate, not traffic through the FortiGate), but a Firewall Policy is needed in this case to address the 'through' aspect of this admin access. More information regarding Local-In policies can be found in the FortiGate Administration Guide: Local-in policy.
For example, consider an administrator connected to the FortiGate's port1 interface who wants to connect to the web GUI (HTTPS) via the port2 interface address. Since this administrator must go through port1 to reach port2's address, a Firewall Policy like the following would be required:

    config firewall policy
        edit <id>
            set name 'Allow Admin Access from port1 to port2'
            set srcintf 'port1'
            set dstintf 'port2'
            set action accept
            set srcaddr 'all'
            set dstaddr 'all'
            set schedule 'always'
            set service 'HTTPS'
    end
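As an added check (example code written for this article, not Fortinet's own), the following Python parses a 'config firewall policy' block in the CLI format shown above and reports which accept policies permit HTTPS from a given source interface toward a destination interface, and whether the matching policy's srcaddr is left at 'all' rather than scoped to the admin subnet. The sample configuration is constructed; policy 11 and the address object 'LAN_subnet' are assumptions.

```python
import re
# Constructed sample (not from the article): policy 10 is the article's
# admin-access policy, policy 11 an unrelated LAN-to-WAN rule (assumed).
SAMPLE_CONFIG = """
config firewall policy
    edit 10
        set name 'Allow Admin Access from port1 to port2'
        set srcintf 'port1'
        set dstintf 'port2'
        set action accept
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set service 'HTTPS'
    next
    edit 11
        set srcintf 'port1'
        set dstintf 'port3'
        set action accept
        set srcaddr 'LAN_subnet'
        set service 'ALL'
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {key: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        if (s := line.strip()).startswith("edit "):
            current = s.split(None, 1)[1]
            policies[current] = {}
        elif current is not None and (m := re.match(r"^\s*set\s+(\S+)\s+(.*)$", line)):
            # Values are quoted tokens ('port1' 'port2'); keep them as a list.
            policies[current][m.group(1)] = [
                v.strip("'") for v in re.findall(r"'[^']*'|\S+", m.group(2))]
    return policies

def admin_access_policies(policies, srcintf, dstintf, service="HTTPS"):
    """IDs of accept policies that let `service` flow from srcintf to dstintf."""
    return [pid for pid, p in policies.items()
            if p.get("action") == ["accept"]
            and {srcintf, "any"} & set(p.get("srcintf", []))
            and {dstintf, "any"} & set(p.get("dstintf", []))
            and {service, "ALL"} & set(p.get("service", []))]

def broad_source(policies, pid):
    """True when srcaddr is 'all', i.e. the rule is not limited to an admin subnet."""
    return policies[pid].get("srcaddr") == ["all"]
```

Run it against a 'show firewall policy' export to confirm the admin flow is permitted and to spot policies whose source is wider than the administrator's subnet.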
Additional Reading: The above information is a basic primer for new FortiGate administrators. For further learning, check out the following documentation which discusses the topic in greater depth.
Copyright 2025 Fortinet, Inc. All Rights Reserved.