todo
New Contributor

HTTPS access via GUI broken after changing FAC400E IP address

Hello all. Any and all help is greatly appreciated. We have two FAC400Es, both running 6.6.2. We recently changed the IP address of one of them and lost HTTPS access. The FAC is reachable from anywhere on the network, and it does not appear to be a routing issue. About 10 mins or so after the new IP was configured I cleared the cache on my browser and actually had HTTPS access. I tried to access the FAC roughly 24 hours later and it hasn't worked since.

 

Other T-Shooting Steps/Points

 

-tried multiple browsers including Chrome, Firefox and Edge

-we do not have any security devices between the two points, HTTPS access worked prior to the IP address change on the FAC

-power cycled the FAC multiple times

-confirmed we do not have access to the FAC from multiple source IP spaces

 

===========================================================================

Config is below:

 

> show config
config router static
  edit 3
    set device port1
    set dst 0.0.0.0/0
    set gateway 10.46.200.1
  next
end
config system interface
  edit port1
    set ip 10.46.200.12/255.255.255.0
    set mtu 1500
    set allowaccess snmp ssh https-fabric https-gui
  next
end
config system dns
  set primary 10.46.0.187
  set secondary 10.46.0.188
end
config system ha
  set mode enable
  set role loadbalancer
end
config system global
  set admin-maintainer enabled
  set timezone 4
end

AEK
SuperUser

Hi Todo

  • Are you still able to access via SSH?
  • Is it accessible via HTTPS from the same subnet?
  • What kind of message do you get on the browser when FAC is not accessible?
  • What do you get when you try to access it from your CLI? E.g.: wget https://x.x.x.x --no-check-certificate

If you still have SSH access, try enabling HTTP, then try to access it on port 80.

config system interface 
  edit port1
    set allowaccess ssh http-gui https-gui
  next
end
AEK
todo
New Contributor

AEK,

 

Hello and thank you for your assistance on this matter.  

 

-SSH - Yes, we've always had SSH access via the CLI

-accessible via HTTPS from same subnet - We have not tested this yet because we do not have a computer on the new subnet we just spun up, which the FAC in question is a part of (I will test this next week)

-the message we get in Firefox is below:

=============================

The connection has timed out

An error occurred during a connection to 10.46.200.12.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

=============================

-I'm not aware of a way to access/test HTTPS access via the CLI?  The "wget" command is not available, only "get" with the below options:

 

>
config Configure settings.
diagnose Diagnose facility.
execute Execute command.
exit Exit from the CLI.
get GET command.
show Show bootstrap configuration.
> get
system Display system information.
hardware Display hardware information.
disk Display disk info.
raid Display RAID information.
psu-monitor Monitor power supplies.
> get

todo
New Contributor

Oh, and I did add the "http-gui" for port 80 and got the same result. It gives me the same error of simply not responding. A Test-NetConnection from PowerShell indicates both ports 80 and 443 are open.

AEK
SuperUser

Hi Todo

I mean "wget" from your laptop's CLI, not from FAC's CLI. The result will be an HTML file; once done, try opening it and see what it contains.

AEK
todo
New Contributor

AEK,

 

Here are the results of a wget: (it just said "connected" and that was it)

 

C:\>wget https://10.46.200.12
--2025-03-12 09:52:25-- https://10.46.200.12/
Connecting to 10.46.200.12:443... connected.
^C
C:\>
C:\>
C:\>
C:\>wget https://10.46.200.12 --no-check-certificate
--2025-03-12 09:53:04-- https://10.46.200.12/
Connecting to 10.46.200.12:443... connected.

AEK

I see from the output there is a connection but no downloaded file. My guess is an issue with the web server.

I can't find such a bug in the known issues list. If I had the same issue I'd do the following:

  1. Rollback the network config to the old IP (I assume this will fix the issue)
  2. Configure a second interface (port2) with the new IP if required
  3. Once the second interface works you can disable the first port if required
AEK
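
The symptom reported in this thread (ports 80 and 443 test as open, wget prints "connected." and then hangs) can be narrowed down by timing each stage of the connection separately from the client side. The script below is an added example, not part of any post above and not Fortinet code; the function name probe_https, the stage labels and the 5-second timeout are assumptions.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0, use_tls=True):
    """Return (stage, detail) for the first stage that fails, or ("ok", status line)."""
    # Stage 1: TCP handshake. This is all that Test-NetConnection and
    # wget's "connected." line confirm.
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_connect", repr(exc))
    try:
        if use_tls:
            # Stage 2: TLS handshake. Certificate checks are disabled, like
            # wget --no-check-certificate, because the appliance may present a
            # self-signed certificate; use this for diagnosis only.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                conn = ctx.wrap_socket(conn)
            except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
                return ("tls_handshake", repr(exc))
        # Stage 3: send a minimal request and wait for the first response bytes.
        request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            conn.sendall(request.encode("ascii"))
            data = conn.recv(4096)
        except OSError as exc:
            return ("http_response", repr(exc))
        if not data:
            return ("http_response", "peer closed the connection without sending data")
        return ("ok", data.split(b"\r\n", 1)[0].decode("latin-1"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Address taken from the thread; 443 is https-gui, 80 is http-gui.
    print(probe_https("10.46.200.12", 443))
    print(probe_https("10.46.200.12", 80, use_tls=False))
```

A result of tls_handshake or http_response with a timeout means something accepted the TCP connection but never answered at the next layer, which is the behaviour the wget output in the thread shows.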
firacode
New Contributor II

The loss of HTTPS access after changing the FAC400E IP address may be due to cached sessions, certificate mismatches, or incorrect access settings. Ensure https-gui is enabled using show full-configuration | grep allowaccess, flush DNS and ARP cache, and restart the web service with diagnose system httpd restart. If the issue persists, check logs (diagnose debug application httpsd -1) for errors, try accessing via an incognito window, or reset HTTPS settings with execute reset factory-https. Also, check out FiraCode for better code formatting!
