VS_engineer
New Contributor

Fortigate 60D inaccessible via MGMT IP

Hello All,

 

I have a Fortigate 60D that is inaccessible via the Management IP although I can access it on the public IP. I can also access it via SSH. When the problem first presented I was on firmware 5.4.9 but I have since upgraded to 6.0.9 build0335.

 

No configuration changes were made and the 60D was rebooted. I checked the Trusted Hosts and the IP is listed. 

 

Any suggestions on possible next steps?  

Toshi_Esumi
SuperUser

What interface is the "Management IP" configured on? The original "internal" hardware switch interface? And are you saying you can SSH into the Management IP but can't get in via the HTTPS/HTTP GUI? I'm assuming you already checked "Administrative Access" on the interface via GUI, or "allowaccess" in CLI to make sure HTTPS and/or HTTP is allowed. Right?

VS_engineer

Thank you for your response. You are correct, I am unable to access the 60D via the GUI using HTTPS from the management IP. I can access it with no issue using the public IP. I also checked systems admins and the user is added there with the correct IP address in trusted hosts.  HTTPS is allowed as well. I attached a screenshot of my interfaces for reference. I should be able to access the 60D via the 10.35.136.1 address. 

Toshi_Esumi

Did you create a software-sw management-sw including dmz and internal7?

Fortigate's vlan-subinterfaces are not SVI. If the parent interface is down, all subinterfaces would be down. Do you have internal7 up and that's where you're coming from?

Depending on which interface you're coming from, as orani said, you need to have a proper policy to get to the VLAN.

My guess is you can't even ping 10.35.136.1.

Toshi_Esumi

Correction: you created management-sw softswitch interface including 1) magement-vlan vlan subinterface and 2) internal7 physical interface.

 

Toshi_Esumi

Bottom line is don't configure a management IP that could possibly be down (including vlan subinterface). If you don't want it to be bound to any physical interface, use a loopback interface, then set a proper policy as orani warned.

 

orani
Contributor II

Is there any policy accepting traffic from the point where you are to the management interface?

Orestis Nikolaidis

Network Engineer/IT Administrator

Toshi_Esumi
SuperUser

You don't need a policy for admin access. Otherwise, when you default the config you can't access it. A policy is needed only when coming in one interface and going out another (or the same, in some special cases) interface.
