Description | This article describes how to use FortiGate as an SSH client to log in to another host. |
Scope | FortiGate. |
Solution |
Log in to the FortiGate CLI, either on the console or over SSH or Telnet (for example with PuTTY).
Use the following syntax to open an SSH session from the FortiGate to another host:
execute ssh <user@host> [port]
Example:
exe ssh admin@172.16.0.254
If the SSH server listens on a custom port (2202 in this example), append the port number to the command:
exe ssh admin@172.16.0.254 2202
By default, FortiGate looks up the SSH server IP in the routing table and uses the IP address of the egress interface as the source IP of the connection. The following commands confirm which interface and source address are used:
ACTIVE # exe ssh admin@172.16.0.254
ACTIVE # get router info routing-table details 172.16.0.254   <- shows the matching route and its egress interface (port1 here)
ACTIVE # show system interface port1   <- the IP configured on the egress interface is the source IP
ACTIVE # dia sniffer packet any 'host 172.16.0.254 and port 22' 4 0 l   <- verify the source IP in the captured packets
A specific source interface or source IP can be forced with the ssh-options command before the session is started:
ACTIVE # exe ssh-options {interface <interface_name> | source <source_ip>}
If the SSH server is reachable through a logical interface such as an IPsec tunnel interface, FortiGate uses the IP of the lowest-index interface as the source. This causes the session to fail when that IP is not covered by the phase 2 selectors or is not routable in the remote peer's network.
In that case, set the source IP with ssh-options to an address that is inside the phase 2 selector before starting the SSH session through the tunnel:
ACTIVE # exe ssh-options source 10.0.0.1
ACTIVE # exe ssh admin@10.172.0.254
ACTIVE # get router info routing-table database   <- confirm the route to 10.172.0.254 points to the tunnel interface
ACTIVE # get vpn ipsec tunnel name tunnel1   <- confirm the tunnel is up and check its selectors
ACTIVE # dia sniffer packet any 'host 10.172.0.254 and port 22' 4 0 l   <- verify the packets leave with source 10.0.0.1
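As an added illustration (written for this article, not FortiOS code), the following Python models the source-address selection described above: longest-prefix route lookup, the egress interface IP as the default source, the lowest-index interface fallback when the egress is an unnumbered tunnel interface, and the ssh-options source override. It also checks the chosen source against the tunnel's phase 2 selector, which is the condition the article warns about. The interfaces, routes, selectors and addresses (port1, port2, tunnel1, 172.16.0.1, 10.0.0.1) are constructed assumptions for the example.

```python
"""Model of how an SSH client on a router picks its source address.

Added illustration, not FortiOS code. The interfaces, routes and phase 2
selectors below are constructed. Rules follow the article: egress interface
IP by default; lowest-index interface IP when the egress is an unnumbered
tunnel interface; 'ssh-options source' overrides both.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    index: int
    ip: Optional[str]          # None models an unnumbered IPsec interface
    tunnel: bool = False


@dataclass
class Route:
    prefix: str                # e.g. "10.172.0.0/24"
    interface: str             # egress interface name


@dataclass
class Phase2:
    tunnel: str
    local: str                 # local selector: sources the peer accepts
    remote: str                # remote selector


def lookup_egress(routes, dst):
    """Longest-prefix match, the answer 'get router info routing-table details <ip>' shows."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def choose_source(interfaces, routes, dst, override=None):
    """Return (source_ip, egress_interface). 'override' models 'execute ssh-options source <ip>'."""
    egress = lookup_egress(routes, dst)
    if egress is None:
        raise ValueError(f"no route to {dst}")
    if override is not None:
        return override, egress.interface
    iface = {i.name: i for i in interfaces}[egress.interface]
    if iface.ip is not None:
        return iface.ip, iface.name            # default: egress interface IP
    # Unnumbered tunnel: fall back to the lowest-index interface that has an address.
    lowest = min((i for i in interfaces if i.ip is not None), key=lambda i: i.index)
    return lowest.ip, iface.name


def selector_allows(phase2s, tunnel, src, dst):
    """True if a phase 2 selector of 'tunnel' covers src -> dst, i.e. the peer will accept it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        p.tunnel == tunnel
        and s in ipaddress.ip_network(p.local)
        and d in ipaddress.ip_network(p.remote)
        for p in phase2s
    )


# Constructed topology mirroring the article's two scenarios (assumed names/addresses).
INTERFACES = [
    Interface("port1", 1, "172.16.0.1"),           # lowest index, faces 172.16.0.0/24
    Interface("port2", 2, "10.0.0.1"),             # LAN inside the phase 2 local selector
    Interface("tunnel1", 20, None, tunnel=True),   # unnumbered IPsec interface
]
ROUTES = [
    Route("0.0.0.0/0", "port1"),
    Route("172.16.0.0/24", "port1"),
    Route("10.0.0.0/24", "port2"),
    Route("10.172.0.0/24", "tunnel1"),
]
PHASE2 = [Phase2("tunnel1", local="10.0.0.0/24", remote="10.172.0.0/24")]


def ssh_source_check(dst, override=None):
    """Pick the source for an SSH session to 'dst' and report whether a tunnel peer would accept it.

    Returns (source_ip, egress_interface, ok). 'ok' is False exactly in the case the
    article warns about: the source falls outside the tunnel's phase 2 selector.
    """
    src, egress = choose_source(INTERFACES, ROUTES, dst, override)
    iface = {i.name: i for i in INTERFACES}[egress]
    ok = (not iface.tunnel) or selector_allows(PHASE2, egress, src, dst)
    return src, egress, ok


if __name__ == "__main__":
    print(ssh_source_check("172.16.0.254"))                       # ('172.16.0.1', 'port1', True)
    print(ssh_source_check("10.172.0.254"))                       # ('172.16.0.1', 'tunnel1', False)
    print(ssh_source_check("10.172.0.254", override="10.0.0.1"))  # ('10.0.0.1', 'tunnel1', True)
```

The second call reproduces the failure: the route to 10.172.0.254 points at tunnel1, which has no address, so the lowest-index interface IP (172.16.0.1 on port1) is chosen, and that address is outside the 10.0.0.0/24 local selector. The third call shows the ssh-options source override making the session acceptable to the peer.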
Copyright 2024 Fortinet, Inc. All Rights Reserved.