Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

HTTP/HTTPS access through ssh tunnels

Hi, We were used to access the HTTP & HTTPS admin pages through SSH tunnels with MR3 & MR4 on our FortiGate 1000AFA2 and this not working on MR5 b564. The ssh client complains that " channel 1: open failed: administratively prohibited: open failed" This seems to be a ssh server issue. Does someone has noticed the same problem? Regards, Seb
4 REPLIES 4
rwpatterson
Valued Contributor III

If the tunnel is in interface mode, make sure you enable the protocols on the sub-interface.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com

The device is operating in bridge mode. No configuration change has been done between the previous firmware and the update. A roll back makes the tunnel work again perfectly ... Regards, Seb
rwpatterson
Valued Contributor III

Fortinet may have rewritten the tunnel code between versions. I would put in a ticket. It may be a bug.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Richard_Bartlett
New Contributor

I can confirm this occurs with the prohibited message. ssh connects to the firewall and the authentication occurs. Usually this will allow connection to the firewall and through it. With a FG200A that was working on 2.80 bld 489 the upgraded FortiOS3.0 bld 0483 fails with: ssh-client (OpenSSH Cygwin): channel 1: open failed: administratively prohibited: open failed Firewall ' diag debug app sshd' reports: SSH: server_input_channel_open: failure direct-tcpip This is different behaviour to earlier FortiOS. The SSH engine on the firewall also appears to look at the IP address that the connection ssh-client has been bound (that is coming up the tunnel) rather than the originating IP packet that is hitting the firewall. So with my ' 127.0.0.1 23' ssh port forward config I also had to enable 127.0.0.1 in the admin address list on the firewall to get the initial tunnel establishment to work. It is more secure this way but I' d rather not buy a dedicated OpenSSH platform to achieve this task if an older FortiOS from the same major release does in fact work. SSL VPNs could replace this but I don' t want the browser authentication for an enhanced SSL tunnel and certainly can' t use the limited terminal emulation in the Java telnet client supplied in-band by Fortinet.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors