Hello;
I've done something really stupid because I don't know this system very well!
Basically we've got a remote connection set up using the VPN access (FortiClient), which was all working fine. But I need to stop all traffic on the LAN side from going across the internet. So I've disabled the LAN interface, and now, although my VPN access is allowed, I cannot gain access to the router web page interface to re-enable the LAN interface.
Can anyone help me out? I'm not at the location; everything is remote!
Thanks
I get this message if I'm accessing the router on the public IP or via VPN connection.
I cannot access the internal network IP via VPN.
Looks like your only option is accessing it via console locally. You're using SSL VPN at port 443, which is overriding HTTPS admin access (default port 443) at the outside interface. That's why you're getting that message when you try. Once you get into the FGT, set an IP (/32), which is accessible over VPN, on the ssl.root interface and enable HTTPS and SSH. Then you should be able to access it remotely over the VPN. After that, I recommend disabling HTTPS and SSH on the outside interface, which always becomes a target of hack & attack as well as a cause of security audit failures. I don't think you can get in remotely in the current situation unless you've set up backdoor access somewhere other than the internal and outside interfaces. The CLI for the ssl.root interface modification is below. But use the "show" command to check what's there before the change and after, so that you can "unset" or "abort" when necessary:
config sys int
edit ssl.root
set ip [IPADDRESS] 255.255.255.255
set allowaccess ssh https
next
end
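The check below is an added example, not part of the original reply and not Fortinet code: it parses saved `show system interface` output and reports whether admin access is still exposed on the outside interface and whether ssl.root has the /32 and admin protocols the reply describes, so that outside access is not removed before the VPN path exists. The interface name `wan1` and all addresses are assumptions.

```python
import shlex

MGMT = {"http", "https", "ssh", "telnet"}  # administrative protocols in allowaccess

# Constructed sample in the shape of "show system interface" output.
# "wan1" and every address here are assumptions, not values from the thread.
SAMPLE = '''
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "ssl.root"
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ssh https
    next
end
'''

def parse_interfaces(text):
    """Return {interface: {setting: [values]}}, skipping nested config blocks."""
    interfaces, current, depth = {}, None, 0
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = interfaces.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and current is not None and len(tok) > 1:
            current[tok[1]] = tok[2:]
    return interfaces

def audit(interfaces, external=("wan1",)):
    """List (interface, issue) pairs for exposed or missing admin access."""
    findings = []
    tunnel = interfaces.get("ssl.root", {})
    if not MGMT & set(tunnel.get("allowaccess", [])):
        findings.append(("ssl.root", "no admin access over the VPN; keep another path open"))
    elif tunnel.get("ip", [])[1:] != ["255.255.255.255"]:
        findings.append(("ssl.root", "management address is not a /32"))
    for name in external:
        exposed = sorted(MGMT & set(interfaces.get(name, {}).get("allowaccess", [])))
        if exposed:
            findings.append((name, "admin access on external interface: " + " ".join(exposed)))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_interfaces(SAMPLE)):
        print(f"{name}: {issue}")
```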
Copyright 2025 Fortinet, Inc. All Rights Reserved.