Troubleshooting Tip: FortiGate HTTPS, SSH access if the trusted hosts feature is enabled

Vedaant · ‎01-16-2024

Description

In some cases, it is possible to reach the FortiGate via ping, but it is not possible to take SSH or Web access(GUI) access to the firewall. This article will describe how to troubleshoot this issue.

Scope

FortiGate.

Solution

The user is not able to take web and SSH access of the firewall. The user is unable to load web GUI access of FortiGate:

no web gui access.PNG

Check the public as well as private IP address of the system and run the debug flow on the FortiGate.
In this example, web access will be troubleshooted. The output of the debug flow will be checked.

policy drop new.PNG

The debug output shows when the user client (10.9.16.3) tries to access Web GUI access. msg=”iprope_in_check() check failed on policy 0, drop” is visible and the request for web access is denied.

This is because host 10.9.16.3 is not added as a trusted host on FortiGate.

To fix this issue, 10.9.16.3/32 will be configured as a trusted host

To configure a trusted host for the admin account:

Go to Administrator -> Administrator and select an administrator (Eg. Admin).
Similar to FortiGates, under the trusted hosts field, define the subnet and the subnet mask from which the admin will log in from.
Repeat this process for all the available admin accounts.

added trusted host GUI.PNG

Adding a trusted host using CLI:

added trusted host CLI.PNG

After adding a trusted host, again it is possible to try to take Web GUI access of FortiGate. This time, it is possible to access the web GUI of FortiGate successfully.

able to access web page.PNG