zmag
New Contributor

External access

FG620B 4.0 MR2 Patch 1 build 0279

I have a complete config built and ready to be tested in production. I also have a 4 hour tech call that came with the purchase and I would like to use it. In order for this to happen support needs remote access. This device is sitting in a different network so I need to edit a new port for a DSL line and create policies just for access in and browsing. I am using a spare port for a WAN link but I must be missing something.

port14, public IP static, admin access = HTTP, HTTPS, SSH, ping

It seems to me that just having this interface config with admin access I should be able to ping it, but I cannot. I can ping out to any public IP from the CLI. If I use that static IP in a browser from the dev (local) network it launches the GUI admin page, but it is not reachable from the outside. I created a VIP and forwarded that to the local interface of the firewall to see if that worked but it didn't. Still can't ping the firewall.

I have a log in the Analyzer:
- status = deny
- source - my production IP
- destination - my VIP
- Policy ID - 0 <<<<----- ??
- Protocol - 1
- Subtype - Violation

Thanks in advance.
rwpatterson
Valued Contributor III

This all depends on your goal. To get Internet access out you need a policy from port x -> port 14, NAT enabled. For them to get into your unit, enable HTTPS and/or SSH on port 14. No VIP required for they only need to get to the management side, not the network. Access inward is on the 'Network > Interface' page. I'm using an older version. It may have moved on your version. I'm not sure.
I haven't configured administrative hosts, actually haven't seen that option. I assume that's a filter for administrative access per interface?
In the 'Network -> Administrator' area, this gives the administrator rights when inside the unit. It also tells the FGT what IP subnets each admin is allowed in from. 0.0.0.0/0 is from anywhere.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
zmag
New Contributor

Exactly. My first step was to allow HTTP, HTTPS, SSH and ping on port14 for administrative access. I expected that to work. When it did not (unreachable from an external address) I thought I would create a VIP to see if that would work. It did not, that is where I got hung up. Seems to me that both of the methods should allow access into the FG unit. I'm not sure what to try next as a troubleshooting step.
ede_pfau
SuperUser

Scrap that policy from port14 to port14, it's unnecessary. Same for the VIP, please delete the definition, it does things while it exists, ARP and such. Disabling the policy won't do. (For higher security you would deny access to the external port, allow access to the internal port and set up a dialup VPN. But that's not our case here.) Let's focus on the DSL WAN transfer net. You must have a DSL modem in bridge mode there, or a full-fledged router. With a bridging modem there is nothing to configure other than the credentials in "Network" > "Interfaces". With a router it's different. How do you route across it? Routes on the FG and the router for incoming traffic? How do you forward traffic to the FG? Did you open ports? And still, please check the permitted subnets for admin access in "Network" > "Administrator". There are 3 entries all of which should be showing "0.0.0.0/0". I suspect the FG doesn't know about the router's IP/subnet and discards the packets for security reasons.
Ede Kernel panic: Aiee, killing interrupt handler!
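As an added example (not posted by anyone in this thread), the FortiOS CLI side of the two checks Ede describes: the management protocols enabled on the WAN interface, and the three trusted-host entries shown as "permitted subnets" under Network > Administrator, here narrowed from 0.0.0.0/0 to the ranges that actually need to reach the unit. The interface name port14 comes from the thread; the 203.0.113.0/24 and 192.168.1.0/24 ranges are constructed, the "address netmask" trusthost syntax is the 4.x form and may differ on other releases, and the `#` lines are annotations rather than CLI input.

```fortios
# Added example, not from the thread. Assumes the WAN port is port14 and that
# the support engineer connects from 203.0.113.0/24 (constructed value).

# 1. Management protocols the WAN interface answers on. HTTP is left out:
#    use HTTPS and SSH only on an Internet-facing port.
config system interface
    edit "port14"
        set allowaccess ping https ssh
    next
end

# 2. Trusted hosts on the admin account (the three "permitted subnets").
#    Set all three explicitly; any entry left at 0.0.0.0 0.0.0.0 means
#    "from anywhere", which is the default the thread is checking for.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0    # support vendor range (constructed)
        set trusthost2 192.168.1.0 255.255.255.0    # internal LAN (constructed)
        set trusthost3 192.168.1.10 255.255.255.255 # single management host (constructed)
    next
end

# 3. When a log shows "deny" with Policy ID 0 (no policy matched), trace
#    how the unit handles a packet from the remote admin address instead
#    of guessing. 198.51.100.20 stands for the remote admin's source IP.
diagnose debug enable
diagnose debug flow filter addr 198.51.100.20
diagnose debug flow show console enable
diagnose debug flow trace start 20
```

A packet to the interface IP that is dropped in the trace because the source is outside every trusthost entry confirms the Administrator page is the cause, rather than routing or the modem.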
zmag
New Contributor

I do have the DSL modem in bridge and this DSL line has worked with the prior FG config. I also am able to ping out from the firewall to any public host, so that part works. I will delete the VIP in the morning since it was really just a test and it will not be part of my final build. There is no router in this config, I have the FG as a gateway for my LAN and I have a static route in the FG that sends to my external gateway. I will check the permitted subnets for admin access tomorrow. I'm having a hard time getting past these basic facts:
1> My inbound traffic is blocked at FG with rule 0.
2> I have a rule that states all hosts on WAN port14 can get to vip_(whatever_the_name_is) with any service, any time.
3> Using my VIP address from the LAN does launch the admin GUI.
I appreciate your help and ideas, who knows, maybe the answer will come to me in a dream.
zmag
New Contributor

I am able to get in. I did delete the VIP and I checked the permitted subnets, which were at default, allow all. I changed the interface IP address to one higher in the subnet and that got me in. My guess is that I have a config issue in my DSL router. Thanks to all for your help.
rwpatterson
Valued Contributor III

Glad to hear you figured it out. Can you help me with my Alcatels? LOL!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
zmag
New Contributor

I wish I could, maybe too late, maybe someone else's area, but you mentioned thins losing connection on your 10 second drops. You may want to consider ICA session reliability, if it's not already in place. Good luck.