Accessing FortiGate's Web Interface in EVE-NG: A Practical Guide
.
Accessing the graphical interface of a FortiGate virtual firewall within the EVE-NG network emulator is a common hurdle for network engineers. While the process is straightforward, it requires precise initial configuration through the command line and correct network setup. This guide synthesizes the essential steps from community resources and official documentation to provide a clear path to success.
The core challenge involves two phases. First, the FortiGate KVM image must be correctly added to the EVE-NG platform. Second, network connectivity must be established from the host machine to the virtual appliance's management port. Official EVE-NG documentation provides strict guidelines for preparing and installing Fortinet images, a critical prerequisite often overlooked. Once the node is running, the method for obtaining its IP address—either via DHCP or static assignment—determines how you connect. Network Reverse, a technical blog, outlines both approaches with specific command-line instructions that are vital for initial access.
EVE-NG's official "how-to" specifies: "Per our image naming table we have to create image folder starting with
fortinet-." The procedure requires uploading the downloaded KVM image, unpacking it, renaming the primary disk file tovirtioa.qcow2, and fixing file permissions.
Following the correct image installation, the FortiGate virtual machine can be added to a lab. The appliance must be connected to a Management (Cloud0) network object, which bridges the virtual lab to the host machine's physical network. Without this connection, no communication path exists for the web interface. Engineers must start the node and access its CLI console to proceed with IP configuration. The initial username is "admin" with no password, but the system immediately prompts for a new password to be set.
A step-by-step guide from Network Reverse advises: "Type this command to find out the IP addresses of Fortigate interfaces:
show system interface ?" This command reveals whether the connected port has received a DHCP address, which is the fastest way to gain initial access.
Two Methods for Network Configuration
Access to the FortiGate GUI hinges on configuring an IP address on the interface connected to the management network. The two primary methods offer different advantages.
Using DHCP (Dynamic) This is often the simplest method for quick lab access. If the host system or underlying VMware/Proxmox environment has a DHCP server active on its NAT network, the FortiGate's port1 will automatically obtain an address. The show system interface ? command in the CLI lists all interfaces and their assigned IPs. Engineers can then open a web browser and navigate directly to http://[assigned-IP-address]. This method requires no manual configuration but depends on a functioning DHCP service.
Using a Static IP For consistent, controlled access, a static IP is preferred. The process involves entering the interface configuration mode in the CLI.
config system interface edit port1 set mode static set ip 192.168.70.70/24 end These commands assign a static address to port1. The end command is crucial; it commits the configuration changes. After assignment, a ping test from the host computer to the FortiGate's new IP confirms basic connectivity before attempting web access.
Troubleshooting Common Access Issues
When the GUI fails to load, the problem usually lies in one of three areas: network reachability, service permissions, or client-side settings. First, verify basic IP connectivity. Use the ping command from your host to the FortiGate's management IP. Failure here indicates a network path problem, possibly an incorrect Cloud0 connection or host firewall blocking traffic.
Second, confirm the management protocol is allowed on the interface. The default FortiGate configuration only permits management access (HTTPS, HTTP, SSH) on port1. If using a different port, you must explicitly add set allowaccess http https to its configuration. Third, clear your web browser's cache and ensure JavaScript is enabled. Modern FortiOS interfaces rely heavily on JavaScript; disabling it in the browser will prevent the login page from functioning correctly.
Frequently Asked Questions (FAQ)
How do I properly add a FortiGate KVM image to EVE-NG? The EVE-NG documentation mandates a specific folder structure and file naming convention. You must create a directory under /opt/unetlab/addons/qemu/ with a name starting with "fortinet-", such as fortinet-FGT-v6-build1010. After uploading and unzipping the Fortinet-provided KVM file, rename the primary disk image to virtioa.qcow2. Finally, run the permissions fix wrapper: /opt/unetlab/wrappers/unl_wrapper -a fixpermissions.
Why can't I reach the FortiGate GUI after assigning an IP address? Check three common issues. First, ensure you typed end to commit the interface configuration in the CLI—changes are not saved without it. Second, run show system interface port1 to confirm the IP is listed and the status is "up." Third, verify that your host machine is on the same IP subnet as the FortiGate's management port. A simple ping test diagnoses this.
What are the default login credentials for a new FortiGate VM? The initial username is admin. There is no default password. Upon first login via the CLI console, the system will force you to create a new password immediately. This password will then be required for both CLI and web GUI access.
Can I use any port for management access in the lab? Only if you configure it. The default factory configuration includes the line set allowaccess ping https ssh http fgfm only for port1. To enable web access on another port, you must edit that interface's configuration in the CLI and add set allowaccess http https to its settings. This is a critical step often missed when designing multi-interface lab topologies.
My browser shows a blank page or error for the FortiGate IP. What should I do? Attempt access using an HTTPS connection (https://[ip-address]). Some FortiOS versions default to HTTPS only. If that fails, try a different browser, clear your cache, or disable browser extensions temporarily. Also, confirm that your host is not using a proxy that could be blocking local IP addresses.
Following these structured steps—correct image installation, proper lab wiring, and deliberate IP configuration—ensures reliable access to the FortiGate web interface within EVE-NG. This access unlocks the full visual management potential of the firewall for lab testing and training.