Bapoo55
New Contributor

Want to enable ping and web access on SP1 port of FGR-60F

Hi,

In my testing lab, we have a Fortinet FW 60F. Only SFP1 and SFP2 are used. SFP1, which is our downlink, is connected to a ring of switches (RSTP enabled) on the 192.168.15.X/24 network. I assigned the IP of SFP1 as 192.168.15.44, and the uplink SFP2 is not configured.

I want to achieve the following tasks:

1. We have a server (SRV) on the 192.168.15.X/24 network, and I want to send a ping from it to my firewall.

2. I want to access the web interface of the firewall from the SRV at 192.168.15.44.

Please guide me on how to accomplish these tasks.

 

asoni
Staff

Greetings,

 

You can enable HTTPS, ping and SSH under the interface settings to get GUI access, SSH access and to ping the FortiGate interface from your server. You can also refer to the following document for admin access best practices.

https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administra...

Rajan_kohli
Staff

Hi @Bapoo55,

 

You can enable ping, HTTP and HTTPS through the CLI as shown below:

 

config system interface
    edit <interface-name>        <--- SFP1 interface name
        set allowaccess https http ping
    next
end

 

Regards

Rajan Kohli

Bapoo55

I believe it's the same if you enable it through the GUI for Wan1. I checked that when I connect my PC to Wan1, I am able to ping and access the web (through the .15 network). However, I am still unable to ping and access the web through the SFP1 interface.

Do I need to separately enable HTTP and HTTPS for SFP1 through the CLI? If this is the case, please specify what the interface name will be. I am encountering errors in the CLI.

Thank you.

Yurisk
SuperUser

You need to do 2 things:

  1. Enable management protocols on the interface you are trying to reach - https/ping
  2. Set trusted host(s) for your admin username in Fortigate to be allowed to access the interface. System -> Administrators
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Bapoo55
New Contributor

Dear @Yurisk, the first point I already did on WAN1 for the SFP1 interface, and when I set a trusted host (192.168.15.0/24) for admin with the super admin profile, I lost my web access on the default IP 192.168.1.99 and was also not able to ping and access on the 192.168.15.0/24 network.

Below are my additional queries:

Is WAN1 the same as SFP1?

Do we need any policy to allow?

AEK

Hi @Bapoo55 

First, it is not recommended to enable management access on a WAN interface. Try disabling it and enabling it on a local LAN interface.

Usually you enable it on the management interface (usually mgmt, mgmt1 or mgmt2), or on internal LAN interface.

I understand from your post that SFP1 is an internal interface and has the IP 192.168.15.44, so you just need to edit this interface from the GUI, enable PING, HTTP and HTTPS, then click OK.

AEK
Yurisk
SuperUser

It means you were connected to the LAN interface of the FGT. To be able to access from the LAN as well as WAN - add your LAN range to the trusthost as well - 192.168.1.0/24. 

 

WAN1 is SFP1 indeed. No, you do not need additional policies except Trustedhost.

 

Make sure you know for sure the source IP you are coming from to the WAN1/LAN interfaces of the FGT. Unless you have a Local-in policy as well (on new devices it is off by default), there is no other reason not to be able to access management of the FGT.

 

Not seeing the whole picture of your topology, it is hard to take into account any additional details that can cause this, but the basics are like that: enable the management protocol and set the trusthost accordingly, nothing more.

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
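The two steps Yurisk describes (allowaccess on the interface, then trusted hosts that cover every network you manage from), written out as one FortiOS CLI session. This is an added example, not configuration posted by anyone in the thread: the port name "sfp1", the admin account name "admin" and the use of CLI-script comment lines (`#`) are assumptions, so confirm the real port name with the first command before pasting the rest. HTTP is deliberately left off, in line with the hardening guide linked earlier; use HTTPS and SSH only.

```text
# 1. List physical ports to learn the real name of the SFP cage.
#    "sfp1" below is an assumption; on some units the same cage is
#    reported as wan1, which is why enabling access "on WAN1" worked.
get system interface physical

# 2. Enable management protocols on the downlink interface only.
#    The uplink (sfp2) stays without any allowaccess.
config system interface
    edit "sfp1"
        set ip 192.168.15.44 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 3. Trusted hosts: list EVERY range you administer from.
#    Setting only 192.168.15.0/24 locks out the console PC on
#    192.168.1.x (the lockout reported in the thread); with no
#    trusthost set, logins are accepted from any source address.
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 192.168.15.0 255.255.255.0
    next
end

# 4. Local-in policies can still drop management traffic even when
#    allowaccess and trusthost are correct; empty output means none.
show firewall local-in-policy
```

From the server on 192.168.15.x, `ping 192.168.15.44` should now answer and `https://192.168.15.44/` should present the login page; keep the console session open until both are confirmed so a trusthost mistake cannot lock you out again.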
dbhavsar
Staff

Hello @AEK ,

 

If you still face the issue, can you please collect the debugs to see why it is getting dropped/denied?

diagnose debug reset
diagnose debug flow filter addr xx.xx.xx.xx yy.yy.yy.yy and
diagnose debug flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20

(xx.xx.xx.xx = source IP, yy.yy.yy.yy = destination IP; the trailing "and" makes the filter match both addresses, and proto 1 limits it to ICMP.)
