Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VS_engineer
New Contributor

Fortigate 60D inaccessible via MGMT IP

Hello All,

 

I have a Fortigate 60D that is inaccessible via the Management IP although I can access it on the public IP. I can also access it via SSH. When the problem first presented I was on firmware 5.4.9 but I have since upgraded to 6.0.9 build0335.

 

No configuration changes were made and the 60D was rebooted. I checked the Trusted Hosts and the IP is listed. 

 

Any suggestions on possible next steps?  

7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

What interface is the "Management IP" configured on? The original "internal" hardware switch interface? And are you saying you can SSH into the Management IP but can't get into via HTTPS/HTTP GUI? I'm assuming you already checked "Administrative Access" on the interface via GUI, or "allowaccess" in CLI to make sure HTTPS and/or HTTP is allowed. Right?

VS_engineer

Thank you for your response. You are correct, I am unable to access the 60D via the GUI using HTTPS from the management IP. I can access it with no issue using the public IP. I also checked systems admins and the user is added there with the correct IP address in trusted hosts.  HTTPS is allowed as well. I attached a screenshot of my interfaces for reference. I should be able to access the 60D via the 10.35.136.1 address. 

Toshi_Esumi

Did you created a software-sw management-sw including dmz and internal7?

Fortigate's vlan-subinterfaces are not SVI. If the parent interfac is down, all subinterfaces would be down. Do you have internal7 up and that's where you're coming from?

Depending of which interface you're comring from, as orani said, you need to have a proper policy to get to the VLAN.

My guess is you can't even pint 10.35.136.1.

Toshi_Esumi

Correction: you created management-sw softswitch interface including 1) magement-vlan vlan subnterface and 2) internal7 physical interface.

 

Toshi_Esumi

Bottom line is don't configure a management IP that would be possibly down (including vlan subinterface). If you don't want it to be bound to any physical interface, use a loopobackinterface, then set a proper policy as orani warned.

 

orani
Contributor II

Is there any policy accepting traffic from the point you are to the management interface?

Orestis Nikolaidis

Network Engineer/IT Administrator

Orestis Nikolaidis Network Engineer/IT Administrator
Toshi_Esumi
SuperUser
SuperUser

You don't need a policy for admin access. Otherwise, when you default the config you can't access it. Policy is needed only coming in one interface and going out another (or same in some special cases) interface.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors