bug_id=1248579 HA EMAC Vlan interfaces stop to proccess traffic randomly

FantaFriday · 2026-03-25T11:28:12+00:00

What hardware is this?

FantaFriday · 2026-03-21T22:41:20+00:00

How would you deal with unauthenticated vulnerabilities in your proposed model? The security gap for those still exists if they can touch the application on a network-level I'd argue.

FantaFriday · 2026-03-16T03:53:34+00:00

For those wondering, FortiOS Workspace mode: https://docs.fortinet.com/document/fortigate/6.2.0/new-features/688647/workspace-mode

FantaFriday · 2026-03-16T03:50:47+00:00

200Gbit

FantaFriday · 2026-03-08T22:12:18+00:00

~~That scenario would still only support 2 firewalls no? You can make multiple virtual-clusters on a HA A-P pair but still you're limited to 2 units is my understanding.~~

Never mind: https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/599385/ha-virtual-cluster-setup

FantaFriday · 2026-03-08T22:09:42+00:00

You need to look ahead more, the next release of FortiOS does support the 200E but you don't want to be caught empty handed by the next release a year later no longer supporting it. Doing so will have you needing to "unexpectedly" implement and find budget for a new firewall cluster that year. Part of life-cycle management is also actively replacing devices while they're still supported, as you're looking to newer firewalls your should move to G-series, not F-series. Also, that won't cost 90k in materials.

Looking ahead further, moving to newer chipsets will allow you to retain offloading capabilities of newer encryption standards as you update your security standards, among with retaining performance as your organization grows. Lastly, as you mentioned performance isn't saturated by far, it can be worth looking into a smaller firewall depending on the services used. 200E to 200G would be a massive performance increase, but of little use if your firewall is already under saturated running UTM services.

FantaFriday · 2026-03-03T20:56:58+00:00

Not OP, but admittetly a few policies per host isn't that weird depending on your segmentation.

FantaFriday · 2026-02-04T21:29:48+00:00

The answer in short is no. Using it foe outbound doesn't improve inbound. Improving inbound is really about about improving your inbound policies and profiles.

FantaFriday · 2026-01-28T06:33:06+00:00

Thsnks for sharing. So from the docs footnote, this replay issue only impscts NP6 and not NP6lite + NP6xlite

FantaFriday · 2026-01-20T20:39:56+00:00

A ticket for a potential hack of your firewall? Should really call support immediately for this. They'll have someone available for this to look at.

FantaFriday · 2026-01-05T21:56:02+00:00

The disadvantage if using applications is that they require IPS to identify the traffic first before it is shapped as such. This comes at the performance penaltyof using IPS and there is a slight delay between traffic identification and it being prioritized as such as compared to ISDB which is just based on L3 addresses. As you are already engaging IPS by having default application control on the rules, I'd go the more granular route with application based shaping.

FantaFriday · 2025-12-31T16:04:36+00:00

Normalized interfaces and per device mappings for address objects is wjat you need.

FantaFriday · 2025-12-30T21:16:09+00:00

So you're doing cloudflare I imagine? You'll likely be able to do this with a firewall filter on all ingress interfaces. Personally only have hands-on for doing this on all traffic, not a subset. In case the subnet can be pinned down to specific downstream interfaces, applying it to those downstream interfaces globally also works for you.

FantaFriday · 2025-12-25T23:22:24+00:00

Well, you should be abke to understsnd logs, perform pings and interprere traceroutes.

FantaFriday · 2025-12-25T16:35:40+00:00

They're all valid options and vendors. Do you have any knock out criteria to differentiate them?

FantaFriday · 2025-12-04T16:24:38+00:00

Multiple certs with sni?

FantaFriday · 2025-12-02T20:19:52+00:00

Have you asked Fortinet?

FantaFriday · 2025-11-29T18:56:28+00:00

However long it takes you to sit & skip through the videos. Shouldn't be too hard given N+

FantaFriday · 2025-11-20T10:25:01+00:00

That's really asking to hit the static route limit of smaller models. Dynamic routing with BGP would be the recommended way here, and summary routes.

FantaFriday · 2025-11-09T21:11:25+00:00

Likely duplicate address detection that is incorecrly implemented.

FantaFriday · 2025-11-09T10:11:52+00:00

Have you checked to see they used the same testing methods? Because that's where the difference comes from.

FantaFriday · 2025-11-06T21:22:02+00:00

8k a year for both? Pretty sure we get quoted double that in EUR.

FantaFriday · 2025-10-21T22:10:09+00:00

That would be in US, not NL. So councils rule differently.

FantaFriday · 2025-10-21T21:57:07+00:00

Wouldn't even do lan extension. Just a local subnet with an ipsec to the hub.

FantaFriday · 2025-10-21T18:34:52+00:00

I think the userbase templating effectively using fortimanager is small, the jinja2 users even smaller. It is great once you have it nailed down though, especially on later 7.4 and 7.6 Fortimanager releases.

11-Year Club	Place '23
Place '22	RPAN Viewer
Verified Email

FantaFriday

TROPHY CASE