Hi,
In my testing lab, we have a Fortinet FW 60F. Only SFP1 and SFP2 are used. SFP1, which is our downlink, is connected to a ring of switches (RSTP enabled) on the 192.168.15.X/24 network. I assigned the IP of SFP1 as 192.168.15.44, and the uplink SFP2 is not configured.
I want to achieve the following tasks:
1. We have a server (SRV) on the 192.168.15.X/24 network, and I want to send a ping from it to my firewall.
2. I want to access the web interface of the firewall from the SRV at 192.168.15.44.
Please guide me on how to accomplish these tasks.
Greetings,
You can enable HTTPS, ping and SSH under the interface settings in order to get GUI access, SSH access and to ping the FortiGate interface from your server. You can also refer to the following document to check best practices for admin access.
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administra...
Hi @Bapoo55,
You can enable ping, HTTP and HTTPS through the CLI as shown below:
config system interface
    edit <interface-name>    <--- SFP1 interface name
        set allowaccess https http ping
    next
end
Regards
Rajan Kohli
I believe it's the same if you enable it through the GUI for Wan1. I checked that when I connect my PC to Wan1, I am able to ping and access the web (through the .15 network). However, I am still unable to ping and access the web through the SFP1 interface.
Do I need to separately enable HTTP and HTTPS for SFP1 through the CLI? If this is the case, please specify what the interface name will be. I am encountering errors in the CLI.
Thank you.
You need to do 2 things:
Dear @Yurisk, I already did the first point on WAN1 for the SFP1 interface, and when I set the trusted host (192.168.15.0/24) for the admin with the super admin profile, I lost my web access on the default IP 192.168.1.99 and was also not able to ping and access on the 192.168.15.0/24 network.
Below are my additional queries:
Is WAN1 the same as SFP1?
Do we need any policy to allow?
Hi @Bapoo55
First, it is not recommended to enable management access on a WAN interface. Try disabling it and enabling it on a local LAN interface.
Usually you enable it on the management interface (usually mgmt, mgmt1 or mgmt2), or on internal LAN interface.
I understand from your post that SFP1 is an internal interface and has the IP 192.168.15.44; then you just need to edit this interface from the GUI, enable PING, HTTP and HTTPS, and click OK.
It means you were connected to the LAN interface of the FGT. To be able to access from the LAN as well as the WAN, add your LAN range to the trusthost as well: 192.168.1.0/24.
WAN1 is SFP1 indeed. No, you do not need additional policies except the trusthost.
Make sure you know for sure the source IP you are coming from to the WAN1/LAN interfaces of the FGT. Unless you have a Local-in policy as well (on new devices it is off by default), there is no other reason not to be able to access management of the FGT.
Not seeing the whole picture of your topology, it is hard to take into account any additional details that can cause this, but the basics are like that: enable the management protocol and set the trusthost accordingly, nothing more.
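The lock-out described above (trusthost limited to 192.168.15.0/24, so the 192.168.1.99 session is cut off) and its fix, written out as a FortiOS CLI example. This is an added example, not from any post in the thread; the interface name and the admin account name are placeholders to be replaced with the real ones on the device.

```fortios
# Step 1: management protocols on the internal interface only (the SFP1 port).
# Replace <sfp1-interface-name> with the name shown under "config system interface".
config system interface
    edit "<sfp1-interface-name>"
        set allowaccess ping https ssh
    next
end

# Weak: a single trusthost covering only the server subnet. Any admin session
# coming from 192.168.1.0/24 (the default 192.168.1.99 LAN side) is refused,
# which is exactly the lock-out reported in the thread.
config system admin
    edit "<admin-name>"
        set trusthost1 192.168.15.0 255.255.255.0
    next
end

# Corrected: list every source range an admin legitimately connects from.
# trusthost2 restores access from the default LAN range; additional
# trusthostN entries can be added for other management subnets.
config system admin
    edit "<admin-name>"
        set trusthost1 192.168.15.0 255.255.255.0
        set trusthost2 192.168.1.0 255.255.255.0
    next
end
```

Apply the trusthost change from a session that is itself inside one of the listed ranges, otherwise the commit ends the session you are working from.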
Hello @AEK ,
If you still face the issue, can you please collect the debugs to see why it is getting dropped/denied?
di de reset
diagnose debug flow filter addr xx.xx.xx.xx yy.yy.yy.yy and    <--- xx = SourceIP, yy = DestinationIP
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20