Created on 03-28-2024 01:33 AM, edited on 12-11-2025 10:31 PM, by Jean-Philippe_P
This article describes an issue reported in FOS versions 7.4.1 to 7.4.3, where the HTTPS GUI access is lost after an upgrade.
FortiOS v7.4.1 to v7.4.3.
The issue can be confirmed by collecting the following logs:
diagnose sniffer packet any " port 443 and host <src_ip>" 4 0 l
A snippet is shown below to explain this behavior:
2024-02-22 16:47:52.268974 wan1 in 40.40.40.40.59275 -> 75.75.75.75.443: syn 4063577803
2024-02-22 16:47:52.269091 wan2 out 75.75.75.75.443 -> 40.40.40.40.59275: syn 3402131812 ack 4063577804
40.40.40.40 is the Source IP and 75.75.75.75 is the WAN1 IP Address.
Traffic is received on WAN1, but the reply is sent out via WAN2 with the IP address of WAN1 as the source.
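The same check can be run over saved sniffer output to flag every flow whose reply leaves on a different interface than the one the request arrived on. This is an added example, not part of the original article or of any Fortinet tooling; the function name and the second (healthy) sample flow are assumptions constructed for illustration.

```python
import re

# Line layout of the sniffer output quoted in the article:
# <date> <time> <iface> <in|out> <src_ip>.<sport> -> <dst_ip>.<dport>: <tcp info>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)

def find_asymmetric_replies(lines, service_port=443):
    """Flag flows whose reply leaves on a different interface than the request arrived on."""
    ingress = {}    # (client_ip, client_port, local_ip) -> ingress interface
    findings = {}   # same key -> finding, so each flow is reported once
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything not in this layout
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["dir"] == "in" and dport == service_port:
            ingress.setdefault((m["src"], sport, m["dst"]), m["iface"])
        elif m["dir"] == "out" and sport == service_port:
            key = (m["dst"], dport, m["src"])
            arrived = ingress.get(key)
            if arrived and arrived != m["iface"]:
                findings.setdefault(key, {
                    "client": f"{key[0]}:{key[1]}",
                    "local_ip": key[2],
                    "in_iface": arrived,
                    "out_iface": m["iface"],
                })
    return list(findings.values())

# The first two lines are the article's snippet; the last two are a constructed
# healthy flow (hypothetical client port 59300) included for contrast.
SAMPLE = """\
2024-02-22 16:47:52.268974 wan1 in 40.40.40.40.59275 -> 75.75.75.75.443: syn 4063577803
2024-02-22 16:47:52.269091 wan2 out 75.75.75.75.443 -> 40.40.40.40.59275: syn 3402131812 ack 4063577804
2024-02-22 16:48:10.100000 wan1 in 40.40.40.40.59300 -> 75.75.75.75.443: syn 1000000001
2024-02-22 16:48:10.100200 wan1 out 75.75.75.75.443 -> 40.40.40.40.59300: syn 2000000001 ack 1000000002
""".splitlines()

if __name__ == "__main__":
    for f in find_asymmetric_replies(SAMPLE):
        print(f"{f['client']} -> {f['local_ip']}: in via {f['in_iface']}, "
              f"reply out via {f['out_iface']}")
```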
get router info routing-table all
...
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 75.75.75.1, wan1, [1/0]
[1/0] via 85.85.85.2, wan2, [1/0]
Or:
get router info routing-table database
...
Routing table for VRF=0
S*> 0.0.0.0/0 [10/0] via 75.75.75.1, wan1, [1/0] --> Active Route
[11/0] via 85.85.85.2, wan2, [1/0]
Workaround:
For a configuration with static routes of the same distance, change the distance priority of one of the WAN interfaces. Then access the GUI through the WAN interface with the lower distance. Access will work on that interface, and the upgrade can then proceed via the GUI.
This issue has been resolved in FortiOS v7.4.4 and has also been added to the known issues section of the v7.4.1 release notes: Known issues.
Logs required by TAC to investigate:
diagnose sniffer packet any " port 443 and host <src_ip>" 4 0 l
get router info routing-table all
get router info routing-table database
execute tac report
config file of the FortiGate