Troubleshoot GUI and CLI connection issues
Problem
An administrator account can connect to the advanced mode of the web UI, but not to the basic mode nor to the CLI.
Solution
Set the administrator account’s Domain to System. Domain administrators, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see “FortiMail operation modes” on page 22.
If you require the ability to restrict the account to specific areas of the GUI, consider using access profiles instead. For details, see “Configuring access profiles” on page 297.
Problem
Administrators cannot log in to the web UI or the CLI.
Solution
Use the correct admin name and password combination
This may be obvious, but it should be the first thing to check.
Administrator access is not enabled on the interface
Each FortiMail interface has a set of administrator access protocols — HTTP, HTTPS, SSH, TELNET, PING, and SNMP. These are the methods an administrator can use to connect to FortiMail; any or all can be disabled on any interface.
For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it afterwards. Failure to do so will leave a gap in your security that hackers might exploit.
To enable administrator access on the dmz interface
- Log on as administrator.
- Go to System > Network > Interface.
- Select the interface and click Edit.
- Under Access, select the protocols you want to use to access the interface.
- Click OK.
- Repeat for each interface where administrative access is required.
Trusted hosts for admin account will not allow current IP
A trusted host is a secure location where an administrator logs in. For example, on a secure network an administrator can log in from an internal subnet but not from the Internet.
If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted host address.
Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.
To verify trusted host login issues
- Record the IP address from which the administrator is attempting to log in to the FortiMail unit.
- Log in to the web UI and go to System > Administrator > Administrator.
- Select the administrator account in question and click Edit.
- Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
- If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
- Select OK.
If the problem was due to trusted hosts, the administrator can now log in.
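When an account has many trusted host entries, the comparison in the procedure above can be scripted. The following is an added example, not Fortinet code: it assumes entries are written as address/prefix or address/netmask, and the function name and all sample addresses are constructed for illustration.

```python
import ipaddress


def check_trusted_hosts(client_ip, trusted_hosts):
    """Compare one login source address against an account's trusted hosts.

    Returns (matches, wide_open, invalid):
      matches   - entries that contain client_ip
      wide_open - entries with a zero-length prefix, which accept any address
      invalid   - entries that could not be parsed
    """
    ip = ipaddress.ip_address(client_ip)
    matches, wide_open, invalid = [], [], []
    for entry in trusted_hosts:
        try:
            # strict=False tolerates host bits (192.168.1.10/24); dotted
            # netmasks such as /255.255.255.0 are accepted for IPv4.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        if net.prefixlen == 0:
            wide_open.append(entry)
        # An IPv4 source never matches an IPv6 entry, and vice versa.
        if net.version == ip.version and ip in net:
            matches.append(entry)
    return matches, wide_open, invalid


if __name__ == "__main__":
    # Constructed sample data (hypothetical account entries).
    trusted = ["192.168.1.0/255.255.255.0", "10.20.30.40/32", "not-an-entry"]
    for source in ("192.168.1.55", "203.0.113.7"):
        matches, wide_open, invalid = check_trusted_hosts(source, trusted)
        if matches:
            print(f"{source}: allowed by {matches}; trusted hosts are not the cause")
        else:
            print(f"{source}: no trusted host entry matches")
        if wide_open:
            print(f"  review: {wide_open} accepts logins from any address")
        if invalid:
            print(f"  unparseable entries: {invalid}")
```

An entry reported as wide open matches every source address, so it should be reviewed before the list is relied on as a restriction.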