riteshpv
Staff
Description
This article describes how to reach the HTTPS GUI of a FortiSwitch that is managed by a FortiGate, by going through the FortiGate.

Scope
For FortiSwitch managed by FortiGate.

Solution
Topology.

Consider the setup above. The client reaches the FortiGate on its WAN port IP 10.33.154.22; the FortiSwitch is managed by the FortiGate and has the IP 40.40.40.1.

1) Verify the IP of the FortiSwitch:




2) Connect to the FortiSwitch from the FortiGate and verify that HTTPS is enabled on the FortiSwitch internal interface:
FGT # execute ssh admin@40.40.40.1

FSW # show system interface internal


# config system interface
    edit "internal"
        set mode dhcp
        set allowaccess ping https ssh      <----- HTTPS enabled.
        set type physical
        set snmp-index 26
        set defaultgw enable
    next
end
3) Create the following Virtual IP (VIP) for the FortiSwitch:





Important note.
Port 4443 should not be the port used for HTTPS administrative access to the FortiGate itself, since it is the external port of this VIP.

4) Verify the FortiLink interface name:




5) Create firewall policy on FortiGate:
# config firewall policy
    edit 7
        set name "switchpolicy"
        set srcintf "wan"             <----- FortiGate port with IP 10.33.154.22.
        set dstintf "fortilink"       <----- FortiLink interface name.
        set srcaddr "all"
        set dstaddr "switchaccesss"   <----- Virtual IP policy name.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set nat enable
    next
end
Important note.
This firewall policy cannot be configured from the FortiGate GUI, because the FortiLink interface is not listed there; the only option is to create it from the command line.
Once the above is configured, the policy is created and is visible in the GUI.



6) Now access the FortiSwitch using the FortiGate WAN IP (10.33.154.22) and the custom port set in the VIP.




Notes.
- If multiple FortiSwitches are installed, each FortiSwitch needs its own Virtual IP with a different custom port. Add each new Virtual IP to the firewall policy as a destination.
- To access the FortiSwitch via SSH, change the mapped port to 22 (SSH) in a new Virtual IP and add that Virtual IP to the firewall policy as a destination, as shown below:

Virtual IP Policy.





Firewall policy.




Now it is possible to access the FortiSwitch via SSH using the FortiGate IP, but with the custom port (2223).
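Added example, not taken from the original article: the CLI form of the two Virtual IPs described in step 3 and in the notes above (whose screenshots are not reproduced here), plus a firewall policy that carries both VIPs as destinations. The IPs, interface names and external ports 4443 and 2223 come from the article; the second VIP name, the mapped ports 443 and 22, and the tcp protocol setting are assumptions.

```text
# config firewall vip
    edit "switchaccesss"
        set extip 10.33.154.22        <----- FortiGate WAN IP (from the article).
        set extintf "wan"
        set portforward enable
        set mappedip "40.40.40.1"     <----- FortiSwitch IP (from the article).
        set protocol tcp
        set extport 4443              <----- Custom port; must not be the FortiGate HTTPS admin port.
        set mappedport 443            <----- Assumed: FortiSwitch HTTPS on its default port.
    next
    edit "switchaccess-ssh"           <----- Assumed name for the SSH VIP.
        set extip 10.33.154.22
        set extintf "wan"
        set portforward enable
        set mappedip "40.40.40.1"
        set protocol tcp
        set extport 2223              <----- Custom SSH port (from the article).
        set mappedport 22             <----- Assumed: FortiSwitch SSH on its default port.
    next
end

# config firewall policy
    edit 7
        set name "switchpolicy"
        set srcintf "wan"
        set dstintf "fortilink"
        set srcaddr "all"
        set dstaddr "switchaccesss" "switchaccess-ssh"   <----- Both VIPs as destination.
        set action accept
        set schedule "always"
        set service "ALL"             <----- As in the article.
        set logtraffic all            <----- Log management access to the switch.
        set nat enable
    next
end
```

This policy exposes switch management on the WAN interface, so restricting srcaddr to known administrator addresses and keeping logtraffic enabled are worthwhile tightenings over the article's srcaddr "all" and logtraffic disable.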

Related Articles

Technical Tip: Change the port for the admin access to the firewall

Technical Tip: Virtual IP (VIP) port forwarding configuration.
