Technical Tip: How to take the SSH access of the other host from FortiGate device

nithincs · ‎07-18-2023

Description

This article describes how to use FortiGate as an SSH user to log in and access another host device.

Scope

FortiGate.

Solution

Login to the FortiGate CLI console or through Putty using SSH or Telnet.

Use the below command syntax to log in to FortiGate.

execute ssh <user@host> [port]

Example:

execute ssh admin@172.16.0.254

In case, the SSH server is using customer port number (2202), then, it is necessary to execute the command as shown below:

execute ssh admin@172.16.0.254 2202

By default, FortiGate will check the routing table for the SSH server IP and select the egress interfaces IP as a source IP to connect the server.

FGT # execute ssh admin@172.16.0.254
Warning: Permanently added '172.16.0.254' (ED25519) to the list of known hosts.
admin@172.16.0.254's password:

FGT # get router info routing-table details 172.16.0.254

Routing table for VRF=0
Routing entry for 172.16.0.0/24
Known via connected, distance 0, metric 0, best
* is directly connected, port1 <- SSH server subnet is reachable via port1.

FGT # show system interface port1 <-
config system interface
edit port1
set ip 172.16.0.1 255.255.255.0 <- Port1 IP.

next
end

FGT # diagnose sniffer packet any host 172.16.0.254 and port 22 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.0.254 and port 22]
2023-07-17 11:16:01.318695 port1 out 172.16.0.1.16277 -> 172.16.0.254.22: syn 875964100
2023-07-17 11:16:01.319510 port1 in 172.16.0.254.22 -> 172.16.0.1.16277: syn 1141527845 ack 875964101
2023-07-17 11:16:01.319525 port1 out 172.16.0.1.16277 -> 172.16.0.254.22: ack 1141527846

It is possible to set the source interface and source IP to force using a specific set option while initiating the communication.

FGT # execute ssh-options
interface Auto | <outgoing interface>.
reset <- Reset settings.
source Auto | <source interface IP>.
view-settings <-View the current settings for the SSH option.

If the SSH server IP is reachable via a logical interface like a tunnel, FortiGate uses the lowest index interface IP as the source.

This will cause an issue if the same IP is not part of the phase2 selector or is not routable in a remote peer network.

In this case, it is necessary to set the source IP in ssh-options to SSH to a remote server connected via tunnel. The solution is to set the source IP while doing SSH.

FGT # execute ssh-options source 10.0.0.1

FGT # execute ssh admin@10.172.0.254

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 10.172.0.0/24 [10/0] via tunnel1 tunnel 172.16.0.254, [1/0]

ACTIVE # get vpn ipsec tunnel name tunnel1

gateway
name: 'tunnel1'
local-gateway: 172.16.0.1:0 (static)
remote-gateway: 172.16.0.254:0 (static)
.

.

.
selectors
name: 'tunnel1'
auto-negotiate: disable
mode: tunnel
src: 0:10.0.0.0/255.255.255.0:0 <-
dst: 0:10.172.0.0/255.255.255.0:0 <-

FGT # diagnose sniffer packet any "host 10.172.0.1" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.172.0.1]
2023-07-17 11:32:46.119074 tunnel1 out 10.0.0.1.23782 -> 10.172.0.1.22: syn 1941065859

Related article:
Technical Tip: 'Unable to negotiate with x.x.x.x: no matching cipher found'

Technical Tip: How to take the SSH access of the other host from FortiGate device

You are leaving our website