FortiGate
nithincs
Staff
Article Id 264400
Description This article describes how to use FortiGate as an SSH client to log in and access another host device.
Scope FortiGate.
Solution

Log in to the FortiGate CLI, either on the console or through PuTTY using SSH or Telnet.

Use the following command syntax to open an SSH session from FortiGate to the remote host:

 

execute ssh <user@host> [port]

 

Example:

 

exe ssh admin@172.16.0.254

 

If the SSH server listens on a custom port (2202 in this example), append the port number to the command:

 

exe ssh admin@172.16.0.254 2202

 

By default, FortiGate looks up the SSH server IP in the routing table and uses the IP of the egress interface as the source IP of the connection.

 

ACTIVE # exe ssh admin@172.16.0.254
Warning: Permanently added '172.16.0.254' (ED25519) to the list of known hosts.
admin@172.16.0.254's password:

 

ACTIVE # get router info routing-table details 172.16.0.254

Routing table for VRF=0
Routing entry for 172.16.0.0/24
Known via connected, distance 0, metric 0, best
* is directly connected, port1 <- SSH server subnet is reachable via port1.

 

ACTIVE # show system interface port1
    config system interface
        edit port1
            set ip 172.16.0.1 255.255.255.0  <- Port1 IP.
        next
    end

 

ACTIVE # dia sniffer packet any "host 172.16.0.254 and port 22" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.0.254 and port 22]
2023-07-17 11:16:01.318695 port1 out 172.16.0.1.16277 -> 172.16.0.254.22: syn 875964100
2023-07-17 11:16:01.319510 port1 in 172.16.0.254.22 -> 172.16.0.1.16277: syn 1141527845 ack 875964101
2023-07-17 11:16:01.319525 port1 out 172.16.0.1.16277 -> 172.16.0.254.22: ack 1141527846

 

It is possible to force a specific source interface and source IP for the connection with the 'execute ssh-options' command before initiating the SSH session.

 

ACTIVE # exe ssh-options
interface       Auto | <outgoing interface>.
reset           <- Reset settings.
source          Auto | <source interface IP>.
view-settings   <- View the current settings for the SSH option.

 

If the SSH server IP is reachable via a logical interface such as an IPsec tunnel, FortiGate uses the IP of the lowest-index interface as the source.

This causes a problem if that IP is not covered by the phase2 selector or is not routable from the remote peer network.

In this case, set the source IP with 'execute ssh-options source' before running 'execute ssh' to the remote server behind the tunnel:

 

ACTIVE # exe ssh-options source 10.0.0.1

ACTIVE # exe ssh admin@10.172.0.254

 

ACTIVE # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 10.172.0.0/24 [10/0] via tunnel1 tunnel 172.16.0.254, [1/0]

 

ACTIVE # get vpn ipsec tunnel name tunnel1

gateway
name: 'tunnel1'
local-gateway: 172.16.0.1:0 (static)
remote-gateway: 172.16.0.254:0 (static)
...
selectors
name: 'tunnel1'
auto-negotiate: disable
mode: tunnel
src: 0:10.0.0.0/255.255.255.0:0 <-
dst: 0:10.172.0.0/255.255.255.0:0 <-

  

ACTIVE # dia sniffer packet any "host 10.172.0.1" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.172.0.1]
2023-07-17 11:32:46.119074 tunnel1 out 10.0.0.1.23782 -> 10.172.0.1.22: syn 1941065859
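The checks above (route lookup, egress interface, phase2 selector, sniffer confirmation) can be scripted against saved CLI output. The following is an added example, not part of the article or of FortiOS: it parses constructed sample output modelled on the sessions shown here, predicts which source IP FortiGate would use for a given destination, reports whether that IP falls inside the tunnel's phase2 src selector, and reads the first outgoing SYN from sniffer output to confirm what was actually used. The interface list, the "lowest index equals first in sorted order" rule, and the sniffer lines are assumptions for the sake of the example.

```python
import ipaddress
import re

# Constructed sample CLI output, modelled on the article's sessions (not captured from a device).
ROUTE_DB = """\
Routing table for VRF=0
S *> 10.172.0.0/24 [10/0] via tunnel1 tunnel 172.16.0.254, [1/0]
C *> 172.16.0.0/24 is directly connected, port1
"""

TUNNEL_SELECTORS = {
    "tunnel1": """\
selectors
name: 'tunnel1'
auto-negotiate: disable
mode: tunnel
src: 0:10.0.0.0/255.255.255.0:0
dst: 0:10.172.0.0/255.255.255.0:0
""",
}

# Hypothetical interface addresses; tunnel interfaces are unnumbered here.
INTERFACE_IPS = {"port1": "172.16.0.1", "port2": "192.168.1.1", "tunnel1": None}

# Constructed 'diagnose sniffer packet' output for the tunnel case.
SNIFFER_OUT = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.172.0.254]
2023-07-17 11:32:46.119074 tunnel1 out 10.0.0.1.23782 -> 10.172.0.254.22: syn 1941065859
"""

ROUTE_RE = re.compile(
    r"^\S+\s+\*>\s+(?P<prefix>\S+/\d+)\s+"
    r"(?:.*?\bvia\s+(?P<via>\S+)|is directly connected,\s+(?P<direct>\S+))"
)
SELECTOR_RE = re.compile(r"^(?P<kind>src|dst):\s+\d+:(?P<net>[\d.]+)/(?P<mask>[\d.]+):\d+")
SNIFFER_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<iface>\S+)\s+out\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+syn\s+\d+$"
)


def parse_routes(text):
    """Return [(network, egress_interface)] from 'get router info routing-table database' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), m["via"] or m["direct"]))
    return routes


def egress_interface(routes, dest):
    """Longest-prefix match, the lookup FortiGate performs before opening the session."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def default_source_ip(iface, interface_ips):
    """Egress interface IP if it has one, otherwise the lowest-index interface IP (assumed: first in sorted order)."""
    if interface_ips.get(iface):
        return interface_ips[iface]
    for name in sorted(interface_ips):
        if interface_ips[name]:
            return interface_ips[name]
    return None


def phase2_src_selector(selector_text):
    """Extract the src selector network from 'get vpn ipsec tunnel name' output."""
    for line in selector_text.splitlines():
        m = SELECTOR_RE.match(line.strip())
        if m and m["kind"] == "src":
            return ipaddress.ip_network(f"{m['net']}/{m['mask']}")
    return None


def check_ssh_source(dest, override=None):
    """Return (egress, source_ip, ok); ok is False when the source lies outside the tunnel's phase2 src selector."""
    iface = egress_interface(parse_routes(ROUTE_DB), dest)
    src = override or default_source_ip(iface, INTERFACE_IPS)
    if iface in TUNNEL_SELECTORS:
        ok = ipaddress.ip_address(src) in phase2_src_selector(TUNNEL_SELECTORS[iface])
    else:
        ok = True  # physical egress: the interface's own IP is used, no selector to satisfy
    return iface, src, ok


def observed_source(sniffer_text, dest, port=22):
    """Return (iface, src_ip) of the first outgoing SYN to dest:port in sniffer output, or None."""
    for line in sniffer_text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m and m["dst"] == dest and int(m["dport"]) == port:
            return m["iface"], m["src"]
    return None


if __name__ == "__main__":
    for dest, override in (("172.16.0.254", None), ("10.172.0.254", None), ("10.172.0.254", "10.0.0.1")):
        iface, src, ok = check_ssh_source(dest, override)
        print(f"{dest:<14} via {iface:<8} src {src:<12} {'ok' if ok else 'outside phase2 selector'}")
    print("sniffer saw:", observed_source(SNIFFER_OUT, "10.172.0.254"))
```

The tunnel destination without an override is reported as failing because 172.16.0.1 is not inside 10.0.0.0/24, which is the situation the article describes; with 'ssh-options source 10.0.0.1' the predicted and sniffed source agree.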


Related article:
Error when SSH from FortiGate