Hello All,
I have a Fortigate 60D that is inaccessible via the Management IP although I can access it on the public IP. I can also access it via SSH. When the problem first presented I was on firmware 5.4.9 but I have since upgraded to 6.0.9 build0335.
No configuration changes were made and the 60D was rebooted. I checked the Trusted Hosts and the IP is listed.
Any suggestions on possible next steps?
What interface is the "Management IP" configured on? The original "internal" hardware switch interface? And are you saying you can SSH into the Management IP but can't get into via HTTPS/HTTP GUI? I'm assuming you already checked "Administrative Access" on the interface via GUI, or "allowaccess" in CLI to make sure HTTPS and/or HTTP is allowed. Right?
Thank you for your response. You are correct, I am unable to access the 60D via the GUI using HTTPS from the management IP. I can access it with no issue using the public IP. I also checked systems admins and the user is added there with the correct IP address in trusted hosts. HTTPS is allowed as well. I attached a screenshot of my interfaces for reference. I should be able to access the 60D via the 10.35.136.1 address.
Did you create a software switch management-sw including dmz and internal7?
Fortigate's VLAN subinterfaces are not SVIs. If the parent interface is down, all subinterfaces would be down. Do you have internal7 up and is that where you're coming from?
Depending on which interface you're coming from, as orani said, you need to have a proper policy to get to the VLAN.
My guess is you can't even ping 10.35.136.1.
Correction: you created the management-sw softswitch interface including 1) the management-vlan VLAN subinterface and 2) the internal7 physical interface.
Bottom line is don't configure a management IP that could possibly be down (including a VLAN subinterface). If you don't want it to be bound to any physical interface, use a loopback interface, then set a proper policy as orani warned.
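The loopback layout suggested above, written out as an added FortiOS CLI example rather than anything posted in this thread: the interface name mgmt-lo, the address object, the policy name, the "internal" source interface and the trusted-host subnet are assumptions; 10.35.136.1 is the address from the thread.

```fortios
# Loopback management interface: never goes down with a physical port or VLAN.
# Names and the "internal" source interface below are assumed, not from the thread.
config system interface
    edit "mgmt-lo"
        set vdom "root"
        set type loopback
        set ip 10.35.136.1 255.255.255.255
        # Keep admin protocols to the minimum actually needed on this address.
        set allowaccess ping https ssh
    next
end

# Address object so the policy can name the loopback explicitly.
config firewall address
    edit "mgmt-lo-addr"
        set subnet 10.35.136.1 255.255.255.255
    next
end

# Traffic from the LAN to a loopback crosses interfaces, so it needs a policy
# (unlike admin access on the ingress interface itself, which needs none).
config firewall policy
    edit 0
        set name "admin-to-mgmt-lo"
        set srcintf "internal"
        set dstintf "mgmt-lo"
        set srcaddr "all"
        set dstaddr "mgmt-lo-addr"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
end

# Trusted hosts still apply on top of the policy; the subnet is a placeholder.
config system admin
    edit "admin"
        set trusthost1 10.35.136.0 255.255.255.0
    next
end
```

After applying, a ping to 10.35.136.1 from the LAN is the quick check that the loopback is reachable before troubleshooting HTTPS separately.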
Is there any policy accepting traffic from the point you are to the management interface?
Orestis Nikolaidis
Network Engineer/IT Administrator
You don't need a policy for admin access. Otherwise, when you default the config you can't access it. Policy is needed only coming in one interface and going out another (or same in some special cases) interface.