Created on 12-20-2013 04:05 AM
Edited on 02-19-2025 11:19 AM
By Stephen_G
Description
This article describes some possible causes for non-working GUI access. In some cases, it is possible to reach the FortiGate unit through a Ping, Telnet, or SSH, yet not through the web admin GUI.
Scope
FortiGate.
Solution
Short list:
Details:
To initiate access, start by pinging the management IP address to verify that the FortiGate is actively listening on the specified management IP. This step helps isolate whether the FortiGate is operational and responsive, assuming that ping is enabled on the management port.
When the endpoint is unable to ping the FortiGate interface IP address, the next step is to determine if the endpoint is in the same broadcast domain using ipconfig /all. In some cases, the IP address must be assigned statically on the endpoint device if DHCP is not enabled on the FortiGate interface or when the endpoint is unable to connect to the internal DHCP server.
Connect to FortiGate via SSH through PuTTY as demonstrated below, ensuring that SSH is enabled on the management port:
If SSH access is unsuccessful, then use the following article to access the FortiGate via console cable and move on to next steps:
How to connect to the FortiGate and FortiAP console port
CLI commands:
config system interface
edit <interface name>
set allowaccess ping http https
end
diagnose sniffer packet any "host 10.1.1.10 and port 443" 4 0
port3 in 10.1.1.1.55826 -> 10.1.1.10.443: syn 3127611448
port3 in 10.1.1.1.55825 -> 10.1.1.10.443: syn 2440393440
Debug Flow: msg="iprope_in_check() check failed on policy 0, drop"
Check if trusted hosts are configured in all admin users, which is the case:
show sys admin
config system admin
edit "admin"
set trusthost1 10.1.7.0 255.255.255.0
set accprofile "super_admin"
...omit
next
end
Add the source IP as a trusted host:
config system admin
(admin) # edit admin
(admin) # set trusthost2 10.1.1.0/24
(admin) # show
config system admin
edit "admin"
set trusthost1 10.1.7.0 255.255.255.0
set trusthost2 10.1.1.0 255.255.255.0
next
For example: when a FortiGate network interface is connected to a network segment that supports such extended-size packets.
For Telnet or SSH, packets typically remain small.
To be able to use the web admin GUI, fragmentation must then be allowed at the points in the network infrastructure where a jumbo frame reaches a network segment that does not support it, or jumbo frames must be allowed along the whole communication path.
Note about jumbo frames: jumbo frames are packets larger than the standard 1500-byte maximum transmission unit (MTU). Jumbo frames increase data transfer speeds by carrying more data per frame, reducing the overhead from headers.
Every network that carries jumbo frames must consist of devices that all support jumbo frames. Otherwise, jumbo frames are dropped when they reach a network device that does not support them.
show full | grep admin-port
set admin-port 8080 <- The ports were changed from the default.
show full | grep admin-sport
set admin-sport 8443 <- The ports were changed from the default.
CLI Reference:
config system dns-server
edit "fortilink" <- It can be any FortiGate Interface where the user is trying to log in.
set doh disable
next
end
If the default ports have been changed, consider directly accessing the GUI using the specific port that is currently defined: http(s)://<address_of_appliance>:<custom port>.
For example: http://192.168.0.101:222 where 222 is the non-default port used to access GUI via HTTP.
If the ports need to be changed to a new value or the default value, use the following syntax for HTTP access:
config system global
set admin-port <integer>
end
5. The existing virtual IP is overriding admin HTTP or HTTPS ports.
When a Virtual IP (VIP) has the same IP address as the FortiGate interface and forwards the same ports used for HTTP/HTTPS access (for example, 80 or 443), the VIP will override the administrative access.
The VIP should either be removed or changed so that it does not overlap with the FortiGate HTTP/HTTPS ports.
This can be verified by checking the VIP list on FortiGate (Policy & Objects -> Virtual IPs) or running the debug flow.
Troubleshooting: the sniffer will show that the INBOUND request has been forwarded to another IP:
HUB01 # dia sniffer packet any "host 192.168.247.1 and port 443" 4 0 a
port2 in 192.168.247.1.57530 -> 192.168.247.20.443: syn 174545504
port4 out 192.168.247.1.57530 -> 10.255.255.11.443: syn 174545504 <- Same Source IP and Same Source Port.
A debug flow will show that the traffic is matching a VIP:
diag debug reset
diag debug flow filter clear
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug flow filter saddr 192.168.247.1 <- Adjust to the source IP of the testing PC.
diagnose debug flow filter daddr 192.168.247.20 <- Adjust to the GUI FortiGate IP.
diagnose debug flow filter dport 443 <- Adjust the port if it is not the default port.
diag debug console timestamp enable
diag debug flow trace start 1
diag debug enable
Among all the lines that the debug prints, the following will appear in the first lines:
msg="find DNAT: IP-10.255.255.11, port-0(fixed port)"
This indicates there is a VIP matching the request. Check the VIPs on the GUI under Policy & Objects -> Virtual IPs.
config firewall local-in-policy
show full
edit 1
set intf "wan1"
set srcaddr "all"
set srcaddr-negate disable
set dstaddr-negate disable
set action deny
set service "HTTPS"
set service-negate disable
set schedule ''
set status enable
set comments ''
next
end
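As an added example (not Fortinet's code and not part of this article), the following Python script checks the two settings shown above offline: it parses `show system admin` output for trusted hosts and a `show full` dump of `config firewall local-in-policy`, then reports why a given source IP arriving on a given interface cannot reach the GUI. The two configurations embedded in it are constructed samples, and the script assumes that only the built-in "all" address object needs resolving; any named address object in srcaddr is treated as not matching.

```python
"""Offline check of two FortiGate settings that block GUI logins: admin
trusted hosts and a local-in policy that denies HTTPS.

Added example, not part of the Fortinet article. parse_table() reads the
`edit <id> ... set <key> <values> ... next` layout that `show system admin`
and `show full` under `config firewall local-in-policy` print; the two sample
configs below are constructed. Only the built-in "all" address object is
resolved in srcaddr (an assumption made here); a named address object would
need its own lookup.
"""
import ipaddress
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: one admin account restricted to 10.1.7.0/24.
ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.1.7.0 255.255.255.0
        set accprofile "super_admin"
    next
end
"""

# Constructed sample in the shape of the article's local-in policy.
LOCAL_IN_CONFIG = """\
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set action deny
        set service "HTTPS"
        set status enable
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+(.+?)\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s*(.*)$')
_NEXT = re.compile(r'^\s*next\s*$')


def parse_table(text: str) -> Dict[str, Entry]:
    """Parse one CLI table into {entry id: {setting: [values]}}; quotes are stripped."""
    entries: Dict[str, Entry] = {}
    current = None
    for line in text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1).strip('"')
            entries[current] = {}
        elif _NEXT.match(line):
            current = None
        elif current is not None:
            m = _SET.match(line)
            if m:
                key, raw = m.groups()
                entries[current][key] = [v.strip('"\'') for v in raw.split()]
    return entries


def _first(settings: Entry, key: str) -> str:
    """First value of a setting, or '' when it is absent or has no value."""
    return (settings.get(key) or [''])[0]


def admins_trusting(admins: Dict[str, Entry], client_ip: str) -> List[str]:
    """Admin names whose trusted hosts cover client_ip.

    `show` prints only non-default values, so an account with no trusthost
    lines keeps the default 0.0.0.0 0.0.0.0 and accepts any source.
    """
    ip = ipaddress.IPv4Address(client_ip)
    names = []
    for name, settings in admins.items():
        nets = [ipaddress.IPv4Network((v[0], v[1]), strict=False)
                for k, v in settings.items()
                if re.fullmatch(r'trusthost\d+', k) and len(v) == 2]
        if not nets or any(ip in n for n in nets):
            names.append(name)
    return names


def local_in_denies(policies: Dict[str, Entry], intf: str, service: str = 'HTTPS') -> List[str]:
    """IDs of enabled local-in policies that deny `service` on `intf` from any source."""
    hits = []
    for pid, s in policies.items():
        if _first(s, 'status') != 'enable' or _first(s, 'action') != 'deny':
            continue
        if intf not in s.get('intf', []) and 'any' not in s.get('intf', []):
            continue
        if service not in s.get('service', []) and 'ALL' not in s.get('service', []):
            continue
        if 'all' not in s.get('srcaddr', []):   # assumption: only "all" is resolved
            continue
        hits.append(pid)
    return hits


def gui_access_findings(admin_text: str, policy_text: str, client_ip: str, ingress_intf: str) -> List[str]:
    """Reasons, if any, why client_ip cannot log in to the GUI via ingress_intf."""
    findings = []
    if not admins_trusting(parse_table(admin_text), client_ip):
        findings.append('no admin account trusts %s (trusthost)' % client_ip)
    for pid in local_in_denies(parse_table(policy_text), ingress_intf):
        findings.append('local-in policy %s denies HTTPS on %s' % (pid, ingress_intf))
    return findings


if __name__ == '__main__':
    for ip, intf in (('10.1.1.1', 'port3'), ('10.1.7.5', 'wan1'), ('10.1.7.5', 'port3')):
        print(ip, intf, gui_access_findings(ADMIN_CONFIG, LOCAL_IN_CONFIG, ip, intf) or ['ok'])
```

Paste the real `show system admin` and local-in `show full` output into the two strings to evaluate a live unit; the parser ignores the `config`, `end` and `...omit` lines that appear in the article's output.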
By default, TLS 1.1 and TLS 1.2 are enabled when accessing the FortiGate GUI via a web browser.
To verify what version is enabled, run the following commands:
config system global
get | grep 'min-proto'
config global
config system global
get | grep 'min-proto'
To change this setting from the CLI:
config system global
set admin-https-ssl-versions (shift + ?) <- To list the available TLS version.
tlsv1-0 TLS 1.0.
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
set admin-https-ssl-versions tlsv1-2 <- With this setting, only TLS 1.2 is allowed.
end
From v6.4, tlsv1-0 is no longer supported, and tlsv1-3 was introduced instead:
config system global
set admin-https-ssl-versions
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
tlsv1-3 TLS 1.3.
end
The command is:
diag sniffer packet any 'port 8443' 4 0 a (replace the port if the web interface is reachable via a different port).
If the connecting IP is known, a host filter can be added:
diag sniffer packet any 'host 192.168.48.2 and port 8443' 4 0 a
Example output:
FGT# diag sniffer packet any 'port 8443' 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8443]
2024-08-28 16:36:30.527027 port1 in 192.168.48.2.56662 -> 10.191.19.172.8443: syn 1919112407
2024-08-28 16:36:30.527238 port1 out 10.191.19.172.8443 -> 192.168.48.2.56662: syn 3263049518 ack 1919112408
2024-08-28 16:36:30.527648 port1 in 192.168.48.2.56662 -> 10.191.19.172.8443: ack 3263049519
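As an added example (not from this article or from Fortinet), the following Python script parses sniffer lines in the format shown above and in the VIP section, and tells apart the three outcomes this article describes: SYNs that are never answered (trusted hosts, local-in policy or allowaccess), SYNs that leave again on another interface with the same source IP and source port (a VIP overriding the admin port), and a completed handshake (the FortiGate answered, so the problem is higher up, for example TLS versions or httpsd). It also maps the two debug-flow messages quoted earlier in this article to their cause. The captures embedded in it are constructed to mirror the article's output.

```python
"""Classify FortiGate sniffer and debug-flow output for a failing GUI connection.

Added example, not from the Fortinet article. parse_packet() reads the line
format printed by `diagnose sniffer packet <intf> '<filter>' 4 0 a` (the
timestamp is optional, so verbosity-4 output without 'a' also parses), and
classify_flow_message() recognises the two debug-flow messages quoted in the
article. The sample captures below are constructed to mirror the article's output.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]

_PKT = re.compile(
    r'^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+)?'  # optional timestamp
    r'(\S+)\s+(in|out)\s+'                                # interface and direction
    r'(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+->\s+'                # source ip.port
    r'(\d+\.\d+\.\d+\.\d+)\.(\d+):\s*(.*)$'               # destination ip.port: flags
)

# Constructed: SYNs arrive but nothing is answered (the trusthost/local-in case).
SNIFFER_DROPPED = [
    'port3 in 10.1.1.1.55826 -> 10.1.1.10.443: syn 3127611448',
    'port3 in 10.1.1.1.55825 -> 10.1.1.10.443: syn 2440393440',
]
# Constructed: the SYN leaves again on another interface with the same source
# ip/port but a new destination, the signature of a VIP taking the address.
SNIFFER_VIP = [
    'HUB01 # dia sniffer packet any "host 192.168.247.1 and port 443" 4 0 a',
    'port2 in 192.168.247.1.57530 -> 192.168.247.20.443: syn 174545504',
    'port4 out 192.168.247.1.57530 -> 10.255.255.11.443: syn 174545504 <- Same Source IP and Same Source Port.',
]
# Constructed: a completed three-way handshake on a non-default port.
SNIFFER_OK = [
    'Using Original Sniffing Mode',
    'interfaces=[any]',
    'filters=[port 8443]',
    '2024-08-28 16:36:30.527027 port1 in 192.168.48.2.56662 -> 10.191.19.172.8443: syn 1919112407',
    '2024-08-28 16:36:30.527238 port1 out 10.191.19.172.8443 -> 192.168.48.2.56662: syn 3263049518 ack 1919112408',
    '2024-08-28 16:36:30.527648 port1 in 192.168.48.2.56662 -> 10.191.19.172.8443: ack 3263049519',
]


def parse_packet(line: str) -> Optional[Dict[str, object]]:
    """Return iface/dir/src/dst/flags for one sniffer line, or None for other text."""
    m = _PKT.match(line.strip())
    if not m:
        return None
    iface, direction, sip, sport, dip, dport, rest = m.groups()
    rest = rest.split('<-')[0]                               # drop any trailing annotation
    flags = {tok for tok in rest.split() if tok.isalpha()}   # syn, ack, fin, psh, ...
    return {'iface': iface, 'dir': direction, 'src': (sip, int(sport)),
            'dst': (dip, int(dport)), 'flags': flags}


def analyze_gui_connection(lines: Iterable[str], gui_ip: str, gui_port: int) -> Dict[str, object]:
    """Summarise what happened to TCP connection attempts towards the GUI socket."""
    gui: Endpoint = (gui_ip, gui_port)
    syns: Set[Endpoint] = set()      # clients that sent a SYN to the GUI socket
    answered: Set[Endpoint] = set()  # clients that got a SYN/ACK back
    forwarded: List[str] = []        # destinations a client SYN was re-sent to
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        flags = pkt['flags']
        if pkt['dir'] == 'in' and pkt['dst'] == gui and 'syn' in flags and 'ack' not in flags:
            syns.add(pkt['src'])
        elif pkt['dir'] == 'out' and pkt['src'] == gui and {'syn', 'ack'} <= flags and pkt['dst'] in syns:
            answered.add(pkt['dst'])
        elif pkt['dir'] == 'out' and pkt['src'] in syns and pkt['dst'] != gui:
            forwarded.append('%s:%d' % pkt['dst'])
    if forwarded:
        verdict = 'vip-override'   # the article's "find DNAT" case
    elif answered:
        verdict = 'handshake-ok'   # FortiGate answered; look at TLS versions or httpsd next
    elif syns:
        verdict = 'no-response'    # SYN seen, nothing back: trusthost, local-in policy or allowaccess
    else:
        verdict = 'no-syn-seen'    # packets never reached this interface
    return {'verdict': verdict, 'clients': sorted(syns), 'forwarded_to': forwarded}


def classify_flow_message(line: str) -> str:
    """Map the two debug-flow messages quoted in the article to a cause."""
    if 'find DNAT' in line:
        return 'vip-matched'
    if 'iprope_in_check() check failed' in line:
        return 'local-in-denied'
    return 'other'


if __name__ == '__main__':
    print(analyze_gui_connection(SNIFFER_DROPPED, '10.1.1.10', 443))
    print(analyze_gui_connection(SNIFFER_VIP, '192.168.247.20', 443))
    print(analyze_gui_connection(SNIFFER_OK, '10.191.19.172', 8443))
```

Feed it the lines of a live sniffer session with the GUI address and port the browser is using; non-packet lines such as the command echo and the `filters=[...]` header are ignored.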
Legacy (for versions 5.6 and above only).
admin-server-cert (for versions 5.6 and above only).
Enable the following debug and try to access the GUI again:
diagnose debug application httpsd -1
diagnose debug enable
Related documents: