pbangari
Staff
Article Id 264598
Description This article describes the initial troubleshooting steps for GUI or CLI access issues.
Scope FortiGate.
Solution

To troubleshoot GUI or CLI access issues:

  1. Gain console access to the FortiGate, check the IP address of the management interface being accessed, and make sure the correct IP address is used:

show system interface

  2. Run the command below to check the port numbers configured for HTTP, HTTPS, SSH, and Telnet access respectively, and make sure the correct one is used:

config system global

show full-configuration | grep 'set admin-\(port\|sport\|ssh-port\|telnet-port\)'
    set admin-port 80
    set admin-sport 443
    set admin-ssh-port 22
    set admin-telnet-port 23


Check if the above administrative accesses are enabled at the interface level:


show system interface
    config system interface
        edit "mgmt1"
            set allowaccess ping https ssh http <-- telnet does not need to be enabled unless needed for testing purposes

  3. Run the command below to check whether the source IP address is included in the trusted host configuration, if any is configured:

show system admin


Note:

Check whether the user's IP address is source-NATed (S-NAT) before it reaches the FortiGate. If so, make sure the translated (post-NAT) IP address is part of the trusted host list.
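As an added example (not from this article or from Fortinet), the following Python script parses a constructed "show full-configuration" excerpt and reports, for a given interface, admin account, protocol, source IP and destination port, which of the admin-port, allowaccess and trusted-host checks above would reject the connection. The key names are the ones shown in the CLI output above; the sample values, the function names and the factory-default ports in DEFAULT_PORTS are assumptions.

```python
import ipaddress
# Constructed "show full-configuration" excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
end
config system interface
    edit "mgmt1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
"""

PORT_KEY = {"http": "admin-port", "https": "admin-sport", "ssh": "admin-ssh-port", "telnet": "admin-telnet-port"}
DEFAULT_PORTS = {"admin-port": 80, "admin-sport": 443, "admin-ssh-port": 22, "admin-telnet-port": 23}

def parse_config(text):
    # Collect admin ports, allowaccess per interface and trusthost networks per admin account.
    cfg = {"ports": dict(DEFAULT_PORTS), "allowaccess": {}, "trusthost": {}}
    name = None  # current "edit" entry (interface or admin name)
    for parts in map(str.split, text.splitlines()):
        if parts and parts[0] == "edit":
            name = parts[1].strip('"')
        elif len(parts) < 3 or parts[0] != "set":
            continue
        elif parts[1] in cfg["ports"]:
            cfg["ports"][parts[1]] = int(parts[2])
        elif parts[1] == "allowaccess":
            cfg["allowaccess"][name] = set(parts[2:])
        elif parts[1].startswith("trusthost"):
            cfg["trusthost"].setdefault(name, []).append(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False))
    return cfg

def access_problems(cfg, iface, admin, service, src_ip, dst_port):
    # Return why the connection would be refused; an empty list means these three checks pass.
    problems = []
    port = cfg["ports"][PORT_KEY[service]]
    if dst_port != port:
        problems.append(f"{service} listens on port {port}, not {dst_port}")
    if service not in cfg["allowaccess"].get(iface, set()):
        problems.append(f"{service} is not in allowaccess on {iface}")
    hosts = cfg["trusthost"].get(admin, [])
    if hosts and not any(ipaddress.ip_address(src_ip) in net for net in hosts):
        problems.append(f"{src_ip} is outside the trusthost list of {admin}")
    return problems
```

Feed it the real output of "show full-configuration" for the three sections and an empty result means the remaining suspects are the local-in policy, NAT in the path, or the daemon itself.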

  4. Run the command below to check whether the source IP address is allowed by the local-in policy, if one is configured:

show firewall local-in-policy

  5. If the issue persists, collect a debug flow and a packet capture to check for errors:

diagnose debug reset

diagnose debug app httpsd -1

diagnose debug flow filter addr <Fortigate's mgmt IP address>

diagnose debug flow show function-name enable

diagnose debug flow trace start 1000

diagnose debug enable

diagnose debug disable <----- To stop the debug flow.

diagnose sniffer packet any "host <Fortigate's mgmt IP address>" 6 0 l <----- Press Ctrl+C to stop the capture.

  6. Collect the Chrome debugger output as described in Technical Tip: Fortinet Support Tool - Google Chrome Extension for troubleshooting GUI issues.
  7. Restart the httpsd daemon using fnsysctl killall -11 httpsd.
  8. Try changing the admin access port to a custom port to avoid any port conflict with the default port 443.