Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pbangari
Staff
Staff

Created on ‎07-17-2023 10:57 PM Edited on ‎01-11-2026 10:34 PM By Community Manager

Article Id 264598

Technical Tip: Initial troubleshooting for GUI or CLI access issue

Description This article describes the initial troubleshooting steps for a GUI or CLI access issue.
Scope FortiGate.
Solution

To check the GUI or CLI access issues:

  1. Gain console access to the FortiGate and check the management IP address (that is trying to be accessed) and make sure the correct IP address is used.

 

show system interface

 

  1. Run the below command to check the port numbers configured for HTTP, HTTPS, SSH, and Telnet access, respectively, and make sure the correct one is used:

     

config system global

show full-configuration | grep 'set admin-\(port\|sport\|ssh-port\|telnet-port\)'
    set admin-port 80
    set admin-sport 443
    set admin-ssh-port 22
    set admin-telnet-port 23

 

Recording-2024-09-25-122144.gif

 

Check if the above administrative accesses are enabled at the interface level:

 

show system interface
    config system interface
        edit "mgmt1"
            set allowaccess ping https ssh http <----- Telnet does not need to be enabled unless necessary for testing purposes.

 

  1. Run the below command to check if the source IP address is part of the trusted host configuration, if any is configured:

 

show system admin

 

Note:

Check if the user IP address is getting S-NAT before reaching FortiGate. If yes, make sure that the IP address is part of the trusted host list.

 

  1. Run the commands below to check if the source IP address is allowed in the local-in policy if configured:

 

show firewall local-in-policy

 

  1. Take the debug flow and packet sniffer if the issue still exists, to check for errors:

Debug:

 

execute console timestamp enable
diagnose debug reset
diagnose debug app httpsd -1 <-- For GUI access
diagnose debug app sshd -1 <-- For CLI access (SSH)
diagnose debug flow filter addr <Client_Source_IP>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

 

Attempt to connect from the client.

 

diagnose debug disable
diagnose debug reset

 

Sniffer:

 

diagnose sniffer packet any "host <Client_Source_IP>" 6 0 a

 

Attempt to connect from the client. Press Ctrl+C to stop the capture.

 

  1. Collect the Chrome debugger as mentioned in Technical Tip: Fortinet Support Tool - Google Chrome Extension for troubleshooting GUI issues.

     

     

  2. Restart the httpsd daemon using fnsysctl killall -11 httpsd.

     

     

  3. Try changing the Admin access port to a custom port to avoid any port conflict with the default port 443.

     

 

config system global

    set admin-sport <port>

end

 

  1. If the firmware is 7.6.1 or above versions, check the IPSec tunnel IKE TCP port. 

     

 

show system settings | grep ike-tcp

 

Starting from v7.6.1, GUI access may conflict with the IPSec tunnel IKE TCP port for interfaces bound to an IPsec tunnel where the GUI admin port is also using port 443. See the document GUI access conflict with IPSec TCP tunnel on the same interface.
7778
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.