Troubleshoot GUI and CLI connection issues
An administrator account can connect to the advanced mode of the web UI, but not to the basic mode or the CLI.
Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes.
If you require the ability to restrict the account to specific areas of the GUI, consider using access profiles instead. For details, see Configuring admin profiles.
An administrator account's password has been misplaced, or needs to be changed but no one with the existing password is available.
Administrators with physical access to a FortiMail unit can use a console cable and the maintainer administrator account to log into the CLI. The maintainer account allows you to log into a FortiMail unit if you have lost all administrator passwords.
The admin maintainer account feature is enabled using the following CLI command:
config system global
set admin-maintainer enable
end
Once logged into the FortiMail unit with the maintainer account, you can reset the passwords of super-admin profile accounts, or enter the execute factoryreset command to return the FortiMail unit to its default configuration. This can be useful if the admin administrator account was deleted.
For full configuration and procedural details, see the Cookbook recipe Resetting a lost administrator password.
Administrators cannot log in to the web UI or the CLI.
Check the following solutions.
Use correct admin name and password combination
This may be obvious, but it should be the first thing to check.
Allow access for interface is not enabled
Each FortiMail interface has a set of administrator access protocols — HTTP, HTTPS, SSH, TELNET, PING, and SNMP. These are the methods an administrator can use to connect to FortiMail; any or all can be disabled on any interface.
For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it afterwards. Failure to do so will leave a gap in your security that hackers might exploit.
To enable administrator access on the dmz interface
- Log on as administrator.
- Go to System > Network > Interface.
- Select the interface and click Edit.
- Under Access, select the protocols you want to use to access the interface.
- Click OK.
- Repeat for each interface where administrative access is required.
Trusted hosts for admin account will not allow current IP
A trusted host is a secure location where an administrator logs in. For example, on a secure network an administrator can log in from an internal subnet but not from the Internet.
If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted host address.
Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.
To verify trusted host login issues
- Record the IP address where the administrator is attempting to log in to the FortiMail unit.
- Log in to the web UI and go to System > Administrator > Administrator.
- Select the administrator account in question and click the Edit icon.
- Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
- If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
- Select OK.
If the problem was due to trusted hosts, the administrator can now log in.
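The comparison in the steps above can be scripted when an account has many trusted host entries. The following is an added example, not Fortinet code: the function name, the accepted entry forms (single address, address/prefix, or address/dotted netmask) and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample entries (documentation address ranges), not from a real unit.
SAMPLE_TRUSTED_HOSTS = [
    "192.0.2.0/24",               # prefix-length form
    "198.51.100.7",               # single host
    "203.0.113.0/255.255.255.0",  # dotted-netmask form
    "10.0.0.300/24",              # typo: invalid octet
]

def check_trusted_hosts(source_ip, trusted_hosts):
    """Compare one source IP with an account's trusted host entries.

    Returns (matches, any_host, invalid):
      matches  - entries that contain source_ip
      any_host - entries with a zero-length prefix, which match every address
      invalid  - entries that do not parse as an address or network
    """
    addr = ipaddress.ip_address(source_ip)
    matches, any_host, invalid = [], [], []
    for entry in trusted_hosts:
        try:
            # strict=False accepts entries whose address part has host bits set.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        if net.prefixlen == 0:
            any_host.append(entry)
        # An IPv4 source can never match an IPv6 entry, and vice versa.
        if net.version == addr.version and addr in net:
            matches.append(entry)
    return matches, any_host, invalid

if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.8"):
        matches, any_host, invalid = check_trusted_hosts(ip, SAMPLE_TRUSTED_HOSTS)
        print(ip, "matches:", matches or "none", "| invalid entries:", invalid)
```

Entries reported in any_host place no restriction on the login source, so review them before concluding that trusted hosts are limiting access as intended.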
Accept low encryption in browsers
If you are connecting to FortiMail-VM with a trial license or to a LENC version of FortiMail, you may not be able to see the logon page due to an SSL cipher error during the connection. In this case, you must configure your browser to accept low encryption.
For example, in Mozilla Firefox, if you receive this error message:
you may need to enter about:config in the URL bar, then set