I wanted to post these step-by-step instructions to help anyone who is having issues accessing their Fortinet firewall's GUI interface. This is a common issue when users make changes to the firewall and inadvertently lock themselves out of it.
3 Steps total
Step 1: Confirm that the access is permitted on the interface you are connecting to
Oftentimes when a client changes their ISP, they will elect to use a different port on the firewall to make the migration easier. What they often forget to do is allow the management connection on the new port. Here is a snapshot of what you need to add to the interface.
The command:

    set allowaccess

Actual firewall context:

    config system interface
        edit 'wan1'
            set vdom 'root'
            set ip aaa.bbb.ccc.ddd 255.255.255.0
            set allowaccess ping https ssh
        next
    end
Step 2: Confirm what your management port is set to
In the 4.3.x GUI you would go to the System > Admin > Settings page, but if your GUI is offline you will need to check the settings in 'config system global'. If you are configured for non-standard ports then you will see something like the example below.
This situation can happen when SSL VPN is configured on the firewall and the Admin changes the default SSL port from 10443 to 443, then changes the firewall's HTTPS management port to a nonstandard port.
In this example I have HTTP listening on 88 and HTTPS on 444:

    show sys global
    config system global
        set admin-port 88
        set admin-sport 444
    end
Step 3: Confirm your IP address is allowed to manage the firewall
Make sure that the firewall is not restricting access to only trusted hosts or, if it is, make sure that your host/network is added to the list of trusted hosts.
This one happens to a lot of clients when they change internal IP addresses and forget to update their trusted hosts list.
In the GUI go to System > Admin > Administrators. Then select the admin account and verify the trusted host information.
In the CLI, run the following command. You can see that in this example THadmin is restricted to connecting only from the 192.168.1.0/24 network, but noTHadmin has no such restriction. I have removed the dashboard-tabs and dashboard output for easier reading.
    show sys admin
    config system admin
        edit 'noTHadmin'
            set accprofile 'super_admin'
            set vdom 'root'
            set password ENC
        next
        edit 'THadmin'
            set trusthost1 192.168.1.0 255.255.255.0
        next
    end
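The same three checks can be run offline against a saved configuration backup. The Python below is an added example, not part of the original how-to or any Fortinet tooling; the sample config is constructed, `parse` and `check_access` are hypothetical names, and it assumes the FortiOS defaults of 80 and 443 when the admin ports are not shown in the config.

```python
import ipaddress

# Constructed sample config, modelled on the fragments shown in the three steps.
SAMPLE = '''config system global
    set admin-port 88
    set admin-sport 444
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "noTHadmin"
    next
    edit "THadmin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
'''

def parse(text):
    """Return {section: {entry: {key: [values]}}}; entry '' holds non-table settings."""
    cfg, section, entry, depth = {}, None, "", 0
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip("\"'") for t in line.split()]  # naive split: fine for these keys
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks (depth > 1) are skipped
                section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tok[1]
            cfg.setdefault(section, {})[entry] = {}
        elif depth == 1 and tok[0] == "set":
            cfg.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return cfg

def check_access(cfg, iface, src_ip):
    """Steps 1-3 for a client at src_ip: allowaccess, admin ports, trusted hosts."""
    glob = cfg.get("system global", {}).get("", {})
    src, admins = ipaddress.ip_address(src_ip), {}
    for name, s in cfg.get("system admin", {}).items():
        nets = [ipaddress.ip_network("/".join(v)) for k, v in s.items() if k.startswith("trusthost")]
        admins[name] = not nets or any(src in n for n in nets)  # no trusthost = any source
    return {"allowaccess": cfg["system interface"][iface].get("allowaccess", []),
            "ports": {k: int(glob.get(k, [d])[0]) for k, d in (("admin-port", "80"), ("admin-sport", "443"))},
            "admins_reachable": admins}
```

An admin that comes back reachable for every source address has no trusted-host restriction, which is worth reviewing on any interface whose allowaccess includes https or ssh.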
There are other types of misconfigurations that can cause the issue described, but these are the three most common that I have come across in the 300+ Fortinet firewalls I have deployed and/or supported for clients.
I hope you find this document useful.
8 Comments
- CayenneShaunS Apr 25, 2013 at 09:10pm: You nailed it :) Too bad you can't add this to the FortiNet cookbook available online at docs.fortinet.com
- SonoraiWeasel Apr 6, 2016 at 10:28am: You know those times when you just know that the problem you are having is something really quite straightforward, but for some reason you cannot see the wood for the trees? Well, I have just had such a moment; your step 3 was the light in the darkness! Thanks!
- Pimientoshreyar Sep 22, 2016 at 11:17am: Hi, I just deployed a Fortigate firewall VM and have assigned an IP address to it but I am not able to access the GUI of the firewall. Show system interfaces shows as:

      config system interface
          edit 'port1'
              set vdom 'root'
              set ip 10.96.71.3 255.255.224.0
              set allowaccess ping https ssh http
              set type physical
              set snmp-index 1
          next

  get system global shows admin port as 80, admin sport as 443. Can you help me why I am not able to access the web UI.
  Thanks,
  Shreya
  this is the port i am using to access the GUI of the firewall
- PimientoAdvatekUK Jan 30, 2018 at 11:00pm: Shreya. Add fmgaccess into the set allow access portion information the config and the admin page should appear.
- PimientoMiguel_Salazar Apr 23, 2018 at 04:03pm: In my case: Step 2: Confirm what you management port is set to. I only changed the default port: 443 to 20443 and I recovered the access GUI. Later change again to the default port: 20443 to 443.
- Pimientoangelakariuki May 22, 2018 at 04:26am: Hi guys how can I enable telnet to my network from external sources?
- Pimientospicehead-d9smg Sep 20, 2019 at 04:39am: I have change internal IP addresses and forget to update their trusted hosts list. Now I am not able to access GUI.
- Pimientospicehead-d9smg Sep 20, 2019 at 05:54am: How to reset a fortigate firewall 100e through cli commands.