Hi there,
We are using a Fortinet 60F and it was working fine and I could log in via HTTPS, but suddenly it stopped working and I cannot access it. I have tried rebooting but no luck. The only way I can access it is Telnet, and I am not good with the CLI. I have checked some basic commands: I have already tried killing the HTTPS daemon and checked the ports (HTTP, HTTPS) for connectivity, but I am still not getting any luck. I have also checked the storage, which is all good. I am not sure what the issue is. Could this be a trusted IP issue? I don't know, as I was using the same IP address to access the console before. Any help will be much appreciated :) Thanks in advance.
Today I got my firewall support renewed, and the issue was the "trusted host": only one public IP was allowed to access it, and the last support company did this intentionally. See the results below. I have public their public address as well.
Thanks everyone for your help @saneeshpv_FTNT @AnthonyH @smaruvala @Rajan_kohli
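The trusted-host condition described in this solution can be checked offline against a saved `show system admin` dump. This is an added example, not part of the original thread or Fortinet's code: the function names are hypothetical, the sample configuration and its address are constructed, and it assumes an admin with no `trusthostN` entries is unrestricted.

```python
import ipaddress
import re

# Constructed sample in the shape of "show system admin" output; the address is
# a documentation placeholder, not the value from the thread.
SAMPLE_CONFIG = '''
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set accprofile "super_admin"
    next
end
'''

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_trusted_hosts(config_text):
    """Return {admin_name: [IPv4Network, ...]} from a 'config system admin' block."""
    admins, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = re.match(r"set trusthost\d+ (\S+) (\S+)$", line)
        if m and current is not None:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            admins[current].append(net)
    # Assumption: no trusthost entries means the admin is reachable from anywhere.
    return {name: nets or [ANY] for name, nets in admins.items()}


def admins_reachable_from(config_text, src_ip):
    """Admin accounts whose trusted hosts include src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return [name for name, nets in parse_trusted_hosts(config_text).items()
            if any(ip in net for net in nets)]


def management_locked_out(config_text, src_ip):
    """True when no admin account accepts logins from src_ip."""
    return not admins_reachable_from(config_text, src_ip)
```

With the sample above, a LAN client such as 192.168.101.254 matches no admin account, which is the lockout reported in this thread.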
As a first step, you can verify from the CLI, by running the commands below, whether traffic is reaching your FortiGate appliance when you access the GUI.
# diagnose sniffer packet any 'host <PCIP>" 4
Also please check if the HTTPS service is enabled on the respective interface under
"config system interface" -> "edit <interface>" -> "show"
Best Regards,
Hi there, I have tried the first command you sent me, and once I enter it there is only > that I can see on the screen. I have tried logging in again with HTTPS but there is no update; the screen is still the same.
Sorry, I have no experience working in the CLI, so I may be doing something wrong.
Hi @AdilHamid,
You need to replace <PCIP> with your computer IP address. For example: "diagnose sniffer packet any 'host 192.168.1.100' 4".
Regards,
More information is on the screen below. The firewall is working but only the web interface stops working.
Hi @AdilHamid
Run this command on your Windows machine: ipconfig
Copy your computer IP address and then use it in the sniffer: diagnose sniffer packet any 'host x.x.x.x' 4 0 l
Replace x.x.x.x with your computer IP address.
Regards
Rajan
There is a typo in the command.
Please find the right command below.
# diagnose sniffer packet any "host <PCIP>" 4
Note: Replace <PCIP> with your client machine IP from where you access FGT GUI.
I would request you to also check the Admin Access port for the GUI access; maybe it's not the default 443.
Please also upgrade the firmware version to 7.2 or above, as your current version is end of Eng Support. You can open a support case for upgrade recommendations.
Please also review some of the articles describing initial troubleshooting for GUI access issues.
Best Regards,
Hi there ,
Sorry for the late reply. Yes, I have tested all the commands; please see below the results I tried ...
HGB-60F # diagnose sniffer packet any "port 10443"
interfaces=[any]
filters=[port 10443]
7.213406 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
10.220148 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
16.220719 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
70.429139 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
70.430836 192.168.111.6.56992 -> 192.168.111.1.10443: syn 3826224584
70.679872 192.168.111.6.56993 -> 192.168.111.1.10443: syn 802313451
73.429239 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
73.431129 192.168.111.6.56992 -> 192.168.111.1.10443: syn 3826224584
But still unable to connect
the Port and Sport info below
HGB-60F # show full-configuration | grep admin-port
set admin-port 8089
HGB-60F # show full-configuration | grep admin-sport
set admin-sport 10443
HGB-60F # show system interface Matza\ LAN
config system interface
edit "Matza LAN"
set vdom "root"
set ip 192.168.101.1 255.255.255.0
set allowaccess ping https ssh
set type hard-switch
set stp enable
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 11
As you can see, the allow access is there for SSH as well, and it is not just the web portal I am not getting; I cannot connect to SSH either. Not sure what's happening here.
@saneeshpv_FTNT, I am not sure how I will update the firmware through the CLI? Any help please.
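The capture in this post shows the same SYN repeated with no packet coming back, meaning the traffic arrives but the FortiGate itself does not answer. As an added example (not part of the original thread), the sketch below flags such flows in sniffer output; the function name is hypothetical, and the 10.0.0.x lines are constructed to show an answered flow for contrast.

```python
import re
from collections import defaultdict

# First five lines are copied from the sniffer output in this thread; the two
# 10.0.0.x lines are constructed to show a flow that does get a SYN/ACK.
SAMPLE = """\
interfaces=[any]
filters=[port 10443]
7.213406 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
10.220148 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
16.220719 192.168.101.254.51494 -> 192.168.101.1.10443: syn 900425116
70.429139 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
73.429239 192.168.111.6.56991 -> 192.168.111.1.10443: syn 1460492924
80.000100 10.0.0.5.40000 -> 10.0.0.1.10443: syn 111
80.000300 10.0.0.1.10443 -> 10.0.0.5.40000: syn 222 ack 112
"""

LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$")


def unanswered_syns(text):
    """Return {(src, sport, dst, dport): syn_count} for flows that got no reply."""
    syns, seen = defaultdict(int), set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines such as interfaces=[any]
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        seen.add(flow)
        flags = m["flags"].split()
        if "syn" in flags and "ack" not in flags:
            syns[flow] += 1
    # A flow is unanswered when nothing was captured in the reverse direction.
    return {f: n for f, n in syns.items()
            if (f[2], f[3], f[0], f[1]) not in seen}


if __name__ == "__main__":
    for flow, count in unanswered_syns(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} SYN x{count}, no reply")
```

Repeated SYNs with no reply on a port the unit is configured to listen on point at the FortiGate's own management access controls (trusted hosts, local-in policy) rather than at the network path.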
Your firewall is listening on port 10443 and your interface configuration looks fine. Could you please also check whether a Local-In policy is there in the firewall for port 10443 and whether the Fortinet certificate is selected under config system global?
To check whether a Local-In policy for port 10443 is available:
show firewall local-in-policy | grep 10443
Also make sure the Fortinet-Factory certificate is selected under "config system global".
config system global
show | grep "admin"
Once these things are verified, you can run debug using the commands below and share the output here.
diag debug reset
diag debug flow filter saddr 192.168.101.254
diag debug flow filter daddr 192.168.101.1
diag debug flow filter dport 10443
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable
Now try to connect to the GUI from the PC 192.168.101.254, and after that you can disable debug using the commands below.
diag debug disable
diag debug reset
You just mentioned you cannot connect via SSH here, so how do you collect the logs? Via console?
If any of the above doesn't work, you can upgrade the firmware from the CLI using the TFTP method. The links below will help you with the steps.
Technical Tip: FortiGate TFTP Upgrade - Fortinet Community
Technical Tip: How to upgrade the FortiGate firmwa... - Fortinet Community
If things don't go well even after the upgrade, I would recommend you open a ticket with our Support team for assistance.
Best Regards
Hi there ,
Please check below. I am not seeing any certificate information below; let me know if there is any command to add this. See below.
HGB-60F # show firewall local-in-policy | grep 10443
HGB-60F # show system global
config system global
set admin-https-redirect disable
set admin-port 8089
set admin-sport 10443
set alias "FortiGate-60F"
set gui-certificates enable
set gui-fortisandbox-cloud enable
set gui-ipv6 enable
set gui-theme neutrino
set gui-wireless-opensecurity enable
set hostname "HGB-60F"
set switch-controller enable
set timezone 25
end
HGB-60F # show | grep "admin"
#config-version=FGT60F-6.4.6-FW-build1879-210520:opmode=1:vdom=0:user=admin
set admin-https-redirect disable
set admin-port 8089
set admin-sport 10443
edit "prof_admin"
config system admin
edit "admin"
set accprofile "super_admin"
config system sso-admin
config system replacemsg admin "pre_admin-disclaimer-text"
config system replacemsg admin "post_admin-disclaimer-text"
config system replacemsg nac-quar "nac-quar-admin"
<p>Your network access has been restricted due to the detection of potentially malicious traffic. Please contact your network administrator for further information.</p>
set admin enable
set admin enable
set admin-login-logs enable