Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aneagoe
New Contributor

Cannot use WebUI on loopback interface (ssh works fine)

Hello,

 

I've setup a fortigate with a loopback interface that will be used to refer to this fortigate for everything (eg BGP router-id, DNS entry etc.). I'm stuck now at a point where I can't use the WebUI against the loopback interface. This seems to be dropped by iprope_in_check(), however I can't find a single policy that would block that. I don't use trusthost since I have set local-in-policy to restrict inbound WAN traffic for MGMT. The intention is to allow all internal networks to reach and manage the fortigate (I know it's a bit permissive, but for starters it's ok). SSH traffic is passing happily through to the loopback interface, also HTTP. But not HTTPS (ie port 8443, the default HTTPS admin port). Doing a packet trace shows the following (obfuscated some names with XXXX):

2019-02-27 08:29:13 id=20085 trace_id=348 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 192.168.10.210:41694->10.40.255.253:8443) from XXXX. flag , seq 4023434865, ack 0, win 29200"
2019-02-27 08:29:13 id=20085 trace_id=348 func=init_ip_session_common line=5470 msg="allocate a new session-00013f44"
2019-02-27 08:29:13 id=20085 trace_id=348 func=vf_ip_route_input_common line=2576 msg="find a route: flag=80000000 gw-10.40.255.253 via root"
2019-02-27 08:29:13 id=20085 trace_id=348 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2019-02-27 08:29:14 id=20085 trace_id=349 func=print_pkt_detail line=5311 msg="vd-root received a packet(proto=6, 192.168.10.210:41694->10.40.255.253:8443) from XXXX. flag , seq 4023434865, ack 0, win 29200"
2019-02-27 08:29:14 id=20085 trace_id=349 func=init_ip_session_common line=5470 msg="allocate a new session-00013f45"
2019-02-27 08:29:14 id=20085 trace_id=349 func=vf_ip_route_input_common line=2576 msg="find a route: flag=80000000 gw-10.40.255.253 via root"
2019-02-27 08:29:14 id=20085 trace_id=349 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"

 

I pasted below the relevant config bits (that I could think of):

# show sys interface loopback config system interface     edit "loopback"         set vdom "root"         set ip 10.40.255.253 255.255.255.255         set allowaccess ping https ssh http fgfm         set type loopback         set snmp-index 19     next end # show firewall addrgrp allow_wan_localpolicy config firewall addrgrp     edit "allow_wan_localpolicy"         set member "fg2_wan" "fg3_wan"     next end # show firewall address fg2_wan config firewall address     edit "fg2_wan"         set subnet x.x.x.x 255.255.255.255     next end # show firewall address fg3_wan config firewall address     edit "fg3_wan"         set subnet y.y.y.y 255.255.255.255     next end # show firewall address wan_interface config firewall address     edit "wan_interface"         set associated-interface "wan1"     next end # show firewall addrgrp private_ipv4 config firewall addrgrp     edit "private_ipv4"         set member "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"     next end # show firewall address 10.0.0.0/8 config firewall address     edit "10.0.0.0/8"         set subnet 10.0.0.0 255.0.0.0     next end # show firewall address 172.16.0.0/12 config firewall address     edit "172.16.0.0/12"         set subnet 172.16.0.0 255.240.0.0     next end # show firewall address 192.168.0.0/16 config firewall address     edit "192.168.0.0/16"         set subnet 192.168.0.0 255.255.0.0     next end # show firewall policy config firewall policy     edit 1         set srcintf "any"         set dstintf "wan1"         set srcaddr "all"         set dstaddr "all"         set action accept         set schedule "always"         set service "ALL"         set nat enable     next     edit 2         set srcintf "any"         set dstintf "any"         set srcaddr "private_ipv4"         set dstaddr "private_ipv4"         set action accept         set schedule "always"         set service "ALL"     next end # show firewall local-in-policy config firewall local-in-policy     edit 1         set intf "wan1"         set srcaddr "allow_wan_localpolicy"         set dstaddr "wan_interface"         set action accept         set service "SSH" "HTTPS"         set schedule "always"     next     edit 2         set intf "wan1"         set srcaddr "all"         set dstaddr "wan_interface"         set service "SSH" "HTTPS" "SIP" "BGP" "SCCP"         set schedule "always"     next end

 

Any thoughts on what I could try next?

 

Thanks,

Andrei

2 REPLIES 2
aneagoe
New Contributor

Ok, it's my own fault for jumping to conclusions. I've made the assumption that the default HTTPS port is for a new fortigate 8443, which does not seem to be the case. I found it to be either 443 or even 4443. After updating the HTTPS port accordingly, it all went well. Sorry for the useless post, couldn't really find a delete button :(

ede_pfau
Esteemed Contributor III

The default HTTPS port is 443.

 

And your post is not even near to useless. Each vendor has it's own conventions, in this case for the default ports. Someone new to Fortigates might read this in the future, and you've already solved it.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors