Administration Guide

Troubleshoot GUI and CLI connection issues

Problem

An administrator account can connect to the advanced mode of the web UI, but not to the basic mode nor to the CLI.

Solution

Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes.

If you require the ability to restrict the account to specific areas of the GUI, consider using access profiles instead. For details, see Configuring admin profiles.

Problem

An administrator account's password has been misplaced, or needs to be changed but no one with the existing password is available.

Solution

Administrators with physical access to a FortiMail unit can use a console cable and the maintainer administrator account to log into the CLI. The maintainer account allows you to log into a FortiMail unit if you have lost all administrator passwords.

The admin maintainer account feature is enabled using the following CLI command:

config system global
    set admin-maintainer enable
end

Once logged into the FortiMail unit with the maintainer account, you can reset the passwords of super-admin profile accounts, or enter the execute factoryreset command to return the FortiMail unit to its default configuration. This can be useful if the admin administrator account was deleted.

For full configuration and procedural details, see the Cookbook recipe Resetting a lost administrator password.

Problem

Administrators cannot log in to the web UI or the CLI.

Solution

Check the following solutions.

Use correct admin name and password combination

This may be obvious, but it should be the first thing to check.

Allow access for interface is not enabled

Each FortiMail interface has a set of administrator access protocols — HTTP, HTTPS, SSH, TELNET, PING, and SNMP. These are the methods an administrator can use to connect to FortiMail; any or all can be disabled on any interface.

For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it afterwards. Failure to do so will leave a gap in your security that hackers might exploit.

To enable administrator access on the dmz interface
  1. Log on as administrator.
  2. Go to System > Network > Interface.
  3. Select the interface and click Edit.
  4. Under Access, select the protocols you want to use to access the interface.
  5. Click OK.
  6. Repeat for each interface where administrative access is required.

Trusted hosts for admin account will not allow current IP

A trusted host is a secure location from which an administrator is permitted to log in. For example, on a secure network an administrator can log in from an internal subnet but not from the Internet.

If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted host address.

Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues
  1. Record the IP address where the administrator is attempting to log in to the FortiMail unit.
  2. Log in to the web UI and go to System > Administrator > Administrator.
  3. Select the administrator account in question and click the Edit icon.
  4. Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
  5. If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
  6. Select OK.

If the problem was due to trusted hosts, the administrator can now log in.
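A small added check (example code written for this page, not from the FortiMail product or this guide) that covers two of the points above: the trusted-host comparison in step 4 of the trusted-host procedure, and the reminder to switch cleartext access protocols back off after troubleshooting. The trusted-host list, interface names and enabled protocols are constructed sample data.

```python
import ipaddress
from typing import Optional

# Constructed sample data (not from the page): one administrator account's
# trusted-host list and the Access protocols enabled on two interfaces.
TRUSTED_HOSTS = ["10.0.1.0/24", "192.168.50.7/32"]
ACCESS_BY_INTERFACE = {
    "port1": {"HTTPS", "SSH", "PING"},
    "dmz": {"HTTP", "HTTPS", "TELNET", "SNMP"},
}
# Of the protocols the page lists, these carry credentials in cleartext.
CLEARTEXT_ACCESS = {"HTTP", "TELNET"}


def matching_trusted_host(client_ip: str, trusted_hosts: list) -> Optional[str]:
    """Step 4 of the trusted-host check: return the entry covering client_ip,
    or None when no entry matches (the login failure is then explained)."""
    addr = ipaddress.ip_address(client_ip)
    for entry in trusted_hosts:
        # strict=False tolerates host bits set in an entry such as 10.0.1.5/24
        net = ipaddress.ip_network(entry, strict=False)
        if addr in net:  # mismatched IP versions simply do not match
            return entry
    return None


def overly_broad_entries(trusted_hosts: list) -> list:
    """Entries that admit every address (0.0.0.0/0 or ::/0) make the trusted
    host restriction meaningless; report them so the list can be tightened."""
    return [e for e in trusted_hosts
            if ipaddress.ip_network(e, strict=False).prefixlen == 0]


def cleartext_access_enabled(access_by_interface: dict) -> dict:
    """Interfaces on which HTTP or TELNET admin access is still enabled,
    i.e. access that should be switched back off after troubleshooting."""
    return {name: protos & CLEARTEXT_ACCESS
            for name, protos in access_by_interface.items()
            if protos & CLEARTEXT_ACCESS}


if __name__ == "__main__":
    for ip in ("10.0.1.77", "203.0.113.9"):
        print(ip, "->", matching_trusted_host(ip, TRUSTED_HOSTS))
    print("broad entries:", overly_broad_entries(TRUSTED_HOSTS + ["0.0.0.0/0"]))
    print("cleartext access:", cleartext_access_enabled(ACCESS_BY_INTERFACE))
```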

Accept low encryption in browsers

If you are connecting to FortiMail-VM with a trial license or to a LENC version of FortiMail, you may not be able to see the logon page due to an SSL cipher error during the connection. In this case, you must configure your browser to accept low encryption.

For example, in Mozilla Firefox, if you receive this error message:

ssl_error_no_cypher_overlap

you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.
