Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AdilHamid
New Contributor II

Fortigate60F , Unable to login Via Web Portal anymore. only CLI working

Hi there , 

We are using a Fortinet 60F. It was working fine and I could log in via HTTPS, but suddenly it stopped working and I cannot access it. I have tried rebooting, but no luck. The only way I can access it is TELNET, and I am not good with the CLI. I have checked some basic commands, I have already tried killing the HTTPS daemon, and I have checked the ports (http, https) for connectivity, but I am still not getting anywhere. I have also checked the storage, which is all good. I am not sure what the issue is. Could this be a trusted IP issue? I don't know, as I was using the same IP address to access the console before. Any help will be much appreciated :) Thanks in advance.

1 Solution
AdilHamid
New Contributor II

Today I got my firewall support renewed, and the issue was the "trusted host": only one public IP was allowed to access it, and the last support company did this intentionally. See the results below. I have published their public address as well.

Thanks everyone for your help @saneeshpv_FTNT @AnthonyH @smaruvala @Rajan_kohli 

 

(attachment: firewall2.jpg)

 

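The accepted answer says a trusted-host restriction on the admin account was the cause, but the thread never shows how to inspect or correct it from the CLI. The FortiOS CLI session below is an added example, not part of the original posts; it assumes the admin account is named "admin" and that the management LAN is 192.168.101.0/24 (the subnet of the "Matza LAN" interface shown later in the thread), with 192.168.101.254 as the admin PC. It uses only the standard "config system admin" trusthost settings.

```text
# Inspect the admin account. Once any trusthostN is set, that account can
# only log in (GUI and SSH alike) from those networks; connections from
# anywhere else are dropped before a login page is ever served, which is
# consistent with SYNs to the admin port getting no reply in the sniffer.
config system admin
    edit "admin"
        show
    next
end

# List the trusted hosts of every admin account in one go.
show system admin | grep trusthost

# Restore access from the management LAN while keeping a restriction in
# place. trusthost1 covers the LAN, trusthost2 pins the admin PC
# (192.168.101.254, assumed). An all-zero entry means "no entry"; only when
# every trusthostN is 0.0.0.0 0.0.0.0 is the account reachable from anywhere.
config system admin
    edit "admin"
        set trusthost1 192.168.101.0 255.255.255.0
        set trusthost2 192.168.101.254 255.255.255.255
        unset trusthost3
    next
end

# Confirm the change took effect.
show system admin admin
```

Resist the temptation to clear all trusthost entries to get back in: if the admin port (10443 in this thread) is also enabled on a WAN-facing interface, that opens the login page to the internet. Prefer replacing the stale public IP with the current management subnet, and keep "set admin-login-logs enable" so later lockouts can be traced in the event log.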

12 REPLIES
saneeshpv_FTNT

@AdilHamid 

 

As a first step you can verify from the CLI, by running the command below, whether the traffic is reaching your FortiGate appliance when you access the GUI.

 

# diagnose sniffer packet any 'host <PCIP>" 4

 

Also, please check whether the HTTPS service is enabled on the respective interface under

"config system interface" -> "edit <interface>" -> "show"

 

Best Regards,

 

 

AdilHamid
New Contributor II

Hi there, I have tried the first command you sent me, and once I enter it the only thing I see on the screen is a ">". I have tried logging in again with HTTPS, but no update; the screen is still the same.

Sorry, I have no experience working in the CLI, so I may be doing something wrong.

(attachment: Screenshot 2024-02-23 143430.jpg)

hbac

Hi @AdilHamid,

 

You need to replace <PCIP> with your computer's IP address. For example: diagnose sniffer packet any 'host 192.168.1.100' 4

 

Regards, 

AdilHamid
New Contributor II

More information is in the screenshot below. The firewall is working, but only the web interface has stopped working.

 

 

(attachment: Screenshot 2024-02-23 145123.png)

Rajan_kohli
Staff

Hi @AdilHamid 

 

Run this command on your Windows machine: ipconfig

Copy your computer's IP address and then use it in the sniffer: diagnose sniffer packet any 'host x.x.x.x' 4 0 l

Replace x.x.x.x with your computer's IP address.

 

Regards

Rajan

Rajan Kohli
saneeshpv_FTNT

@AdilHamid 

 

There is a typo in the command.

 

Please find the correct command below:

# diagnose sniffer packet any "host <PCIP>" 4

 

Note: Replace <PCIP> with the IP of the client machine from which you access the FGT GUI.

 

I would also ask you to check the admin access port used for the GUI; maybe it is not the default 443.

 

show full | grep admin-port          
set admin-port 80 
show full | grep admin-sport
set admin-sport 443


Please also upgrade the firmware version to 7.2 or above, as your current version is past end of engineering support. You can open a support case for upgrade recommendations.

 

Please also review these articles describing initial troubleshooting for GUI access issues.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Cannot-access-the-FortiGate-web-admi...

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Cannot-access-the-FortiGate-web-admi... 

 

Best Regards,

 

 

AdilHamid

Hi there ,

Sorry for the late reply. Yes, I have tested all the commands; please see the results below.

 

HGB-60F # diagnose sniffer packet any "port 10443"
interfaces=[any]
filters=[port 10443]
7.213406 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
10.220148 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
16.220719 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
70.429139 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
70.430836 192.168.111.6.56992 -> 192.168.111.1.10443: syn 3826224584
70.679872 192.168.111.6.56993 -> 192.168.111.1.10443: syn 802313451
73.429239 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
73.431129 192.168.111.6.56992 -> 192.168.111.1.10443: syn 3826224584

 

But I am still unable to connect.

 

The port and sport info is below:

HGB-60F # show full-configuration | grep admin-port
set admin-port 8089

HGB-60F # show full-configuration | grep admin-sport
set admin-sport 10443

 

HGB-60F # show system interface Matza\ LAN
config system interface
edit "Matza LAN"
set vdom "root"
set ip 192.168.101.1 255.255.255.0
set allowaccess ping https ssh
set type hard-switch
set stp enable
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 11

 

 

As you can see, allowaccess includes SSH as well, and it is not just the web portal I cannot reach: I cannot connect over SSH either. Not sure what is happening here.

 

@saneeshpv_FTNT, I am not sure how I would update the firmware through the CLI. Any help, please?

saneeshpv_FTNT

@AdilHamid 

 

Your firewall is listening on port 10443 and your interface configuration looks fine. Could you please also check that a local-in policy exists in the firewall for port 10443, and that the Fortinet certificate is selected under config system global?

 

To check whether a local-in policy for port 10443 exists:

show firewall local-in-policy | grep 10443

 

Also make sure the Fortinet-Factory certificate is selected under "config system global":

 

config system global
show | grep "admin"

 

 

Once these things are verified, you can run a debug using the commands below and share the output here.

diag debug reset
diag debug flow filter saddr 192.168.101.254
diag debug flow filter daddr 192.168.101.1
diag debug flow filter dport 10443
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable

 

Now try to connect to the GUI from the PC 192.168.101.254; after that, you can disable debugging using the commands below.

 

diag debug disable
diag debug reset

 

 

You just mentioned you cannot connect over SSH. So how do you collect the logs? Via console?

 

If none of the above works, you can upgrade the firmware from the CLI using the TFTP method. The links below will help you with the steps.

Technical Tip: FortiGate TFTP Upgrade - Fortinet Community 

Technical Tip: How to upgrade the FortiGate firmwa... - Fortinet Community

 

If things still do not go well even after the upgrade, I would recommend you open a ticket with our Support team for assistance.

 

Best Regards

AdilHamid
New Contributor II

Hi there , 

Please check below. I am not seeing any certificate information; let me know if there is a command to add this. See below.

HGB-60F # show firewall local-in-policy | grep 10443

HGB-60F # show system global
config system global
set admin-https-redirect disable
set admin-port 8089
set admin-sport 10443
set alias "FortiGate-60F"
set gui-certificates enable
set gui-fortisandbox-cloud enable
set gui-ipv6 enable
set gui-theme neutrino
set gui-wireless-opensecurity enable
set hostname "HGB-60F"
set switch-controller enable
set timezone 25
end

HGB-60F # show | grep "admin"
#config-version=FGT60F-6.4.6-FW-build1879-210520:opmode=1:vdom=0:user=admin
set admin-https-redirect disable
set admin-port 8089
set admin-sport 10443
edit "prof_admin"
config system admin
edit "admin"
set accprofile "super_admin"
config system sso-admin
config system replacemsg admin "pre_admin-disclaimer-text"
config system replacemsg admin "post_admin-disclaimer-text"
config system replacemsg nac-quar "nac-quar-admin"
<p>Your network access has been restricted due to the detection of potentially malicious traffic. Please contact your network administrator for further information.</p>
set admin enable
set admin enable
set admin-login-logs enable

 

(attachment: firewall1.jpg)

 

 
