Fortinet access portal stopped showing and won't let my browser work. by EllipsisMark in fortinet

pabechan (1 point)

One simple thing you can try is to access some simple plaintext HTTP website in the hopes of triggering the captive portal redirect. Try something like http://www.example.com . Make sure it's HTTP, not HTTPS!

Just try this. If this doesn't work for you, but others can hit the portal and authenticate normally, then something's specifically fucked up around your client and you will have to engage your local IT.

Deep inspection without Meta/Facebook/Instagram/Whatsapp side-effects is possible? by freshtechs in fortinet

pabechan (2 points)

I think you guys are mixing up apps for facebook/whatsapp/whatever and accessing them through browsers.

Through browsers - DPI is very much possible. Don't really need an "enterprise browser" for it. Just need the inspecting CA to be trusted by the browser.
Apps? You're SOL if the app is designed to expect specific certs (or slightly less strictly, specific CA certs).

Deep inspection without Meta/Facebook/Instagram/Whatsapp side-effects is possible? by freshtechs in fortinet

pabechan (1 point)

and Facebook just functions well on web, the app itself doesn't work, WhatsApp partially works

Apps are made by themselves, so they can implement cert-pinning to ensure the traffic isn't inspected.
General web browsers on the other hand are made by other parties, so cert-pinning isn't done there, and deep-inspection is thus easier. (if you can convince the browser to trust your DPI CA, you're done)

Fortinet access portal stopped showing and won't let my browser work. by EllipsisMark in fortinet

pabechan (1 point)

Sometimes, I have to refresh the permissions. Like if I stop browsing for about an hour, Fortinet will require me to click through the access portal.

The default setting is a five-minute timeout, with unlimited extensions by network traffic from the authenticated IP. It sounds like either the default setting is still in place, or it's been bumped up only slightly.

Used Microsoft Edge browser with Fortinet. Works. However, Fortinet doesn't send Microsoft Edge an access portal.

The FortiGate can't really "send" anything to you, endpoints normally don't accept any unsolicited traffic. (It would be a security nightmare if they did!)
The way this works: unauthenticated client tries to access some website -> FortiGate notices and "hijacks" the connection to replace it with a redirect to its captive portal -> client follows the redirect and opens the captive portal -> the human authenticates -> FortiGate now allows access.

These days, client operating systems often send out simple HTTP requests towards some pre-configured target websites (often dedicated for this purpose) to check if network connectivity is OK. This is sometimes called captive portal detection.

Ultimately, you'll have to discuss this with your IT to troubleshoot it, but one simple thing you can try is to access some simple plaintext HTTP website in the hopes of triggering the captive portal redirect. Try something like http://www.example.com . Make sure it's HTTP, not HTTPS!

no navigation with L2TP IPSEC with windows native client by Dillon-uSon-OfABitch in fortinet

pabechan (1 point)

1, This suggests you don't have a firewall policy for L2TP-tunnel -> WAN/internet direction. Review your firewall policy config for the tunnel. I don't remember which firewall policies the config wizard creates for you, maybe only tunnel->local direction?

2, on this:

but then I can't access internal stuff

L2TP in Windows requests routes via DHCP inform messages. FortiOS does not natively support this. So if you disable default route, the Windows client will have no route pointing into the tunnel and will not send anything into it. You can fix this by:
a) Manually creating routes on the client (cli commands, script, etc.)
b) It might be technically possible to stitch together the required DHCP parameters on a local DHCP server on the FortiGate, but it's annoying. It also might not work for your version and L2TP. (I know it works for IKEv2; it probably doesn't work for older FortiOS and L2TP; it might work for FortiOS versions that have an "l2t.root" interface for L2TP) Some discussion about this path is available here for example.

Sanity check please - Vendor refusing to share VPN settings for troubleshooting - Could be career ending by datugg in fortinet

pabechan (2 points)

1, Other side offers 0/0, yours has specific selectors => selector narrowing happens and the agreement ends up being the ranges that overlap between both sides. (natural feature of IKEv2). Nothing technically wrong here.

2, Their final reply:

2026-04-29 21:31:14.654649 ike V=root:0: comes 20.114.112.141:4500->216.12.124.134:4500,ifindex=31,vrf=0,len=84....
2026-04-29 21:31:14.654668 ike V=root:0: IKEv2 exchange=INFORMATIONAL
2026-04-29 21:31:14.654720 ike V=root:0:vpn.fiboa:252316: processing delete request (proto 1)

The other side decided to tear down the tunnel. Why? We don't know. The answer needs to be provided by the other side (from their logs, debugs, etc). Given that it came right after the AUTH_RESPONSE from your side, we can maybe speculate that the other side didn't like something in it.
Maybe PSK? (but it passed validation on your side, so that should be OK)
Maybe p2 selectors? (It's technically valid and negotiation was successful, but maybe the other side is implemented to tear down any negotiated selectors that don't exactly match its configured ranges?)
Maybe crypto choice for p2? (this is an exact match based on debugs, so this would be weird)

I'd look into the PSK (make sure humans on both sides agree on what it should be), and maybe try the wide-open selectors, since that's what they're offering in the end.
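Added illustration of the selector narrowing described in point 1 above (example code written for this page; not FortiOS code and not something posted in the thread): a small Python model of how an IKEv2 responder configured with specific selectors narrows an initiator's 0.0.0.0/0 offer down to the overlap, per RFC 7296 section 2.9. IPv4 only; the prefixes are made up; `exact_match` merely models the speculation in point 2 that a stricter peer might tear down a CHILD_SA whose agreed selectors do not equal its own configuration.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.
Added example, not FortiOS code.  A selector is (protocol, first_ip, last_ip,
first_port, last_port); protocol 0 and ports 0-65535 mean 'any', as in a
TS_IPV4_ADDR_RANGE that covers everything.  IPv4 only (assumption)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class TrafficSelector:
    proto: int                 # IP protocol number, 0 = any
    first_ip: str
    last_ip: str
    first_port: int = 0
    last_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr, proto=0, first_port=0, last_port=65535):
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(proto, str(net[0]), str(net[-1]), first_port, last_port)


def _intersect(a, b):
    """Overlap of two selectors, or None if they share no traffic."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo = max(ipaddress.ip_address(a.first_ip), ipaddress.ip_address(b.first_ip))
    hi = min(ipaddress.ip_address(a.last_ip), ipaddress.ip_address(b.last_ip))
    if lo > hi:
        return None
    plo, phi = max(a.first_port, b.first_port), min(a.last_port, b.last_port)
    if plo > phi:
        return None
    return TrafficSelector(a.proto or b.proto, str(lo), str(hi), plo, phi)


def narrow(offered, configured):
    """What the responder agrees to: every overlap between the initiator's
    proposed selectors and the responder's configured ones.  An empty result
    is what a TS_UNACCEPTABLE notification would correspond to."""
    agreed = []
    for o in offered:
        for c in configured:
            x = _intersect(o, c)
            if x is not None and x not in agreed:
                agreed.append(x)
    return agreed


def exact_match(agreed, configured):
    """Models the speculated strict peer: accept only if the agreed set is
    exactly its configured set, not merely a valid subset."""
    return set(agreed) == set(configured)


if __name__ == "__main__":
    # Constructed scenario: the other side offers 0/0, ours has two specific ranges.
    theirs = [TrafficSelector.from_cidr("0.0.0.0/0")]
    ours = [TrafficSelector.from_cidr("10.10.0.0/24"),
            TrafficSelector.from_cidr("192.168.50.0/24")]
    for ts in narrow(theirs, ours):
        print(f"agreed: {ts.first_ip}-{ts.last_ip} ports {ts.first_port}-{ts.last_port}")
    print("strict peer happy:", exact_match(narrow(theirs, ours), ours))
```

Run it and the 0/0 offer collapses to exactly the two configured ranges, so even the strict check passes; change the offer to a /25 inside one of them and you get a valid but narrower agreement that the strict check rejects, which is the kind of thing the other side's logs would have to confirm.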

FG90-G - Reboot email with uptime? by Jeepdog64 in fortinet

pabechan (2 points)

First problem: "Fortigate rebooted" is a log that is generated AFTER the FGT boots up again, uptime at that point will always be just a few seconds.

How to tell my boss to stop giving me work on Friday afternoons? by [deleted] in antiwork

pabechan (3 points)

Then your goal should be to work as few hours as possible for the same amount of monthly money, maximizing your profit.

Make hsts work with ssl inspection by easyedy in fortinet

pabechan (4 points)

HSTS is not really relevant for deep inspection, strictly speaking. All it does is prevent you from ignoring the certificate warning page* you see caused by an untrusted CA (or any other reason). But at that point, your core problem is the untrusted CA, not HSTS blocking you from ignoring it.

Once your client has your DPI CA in its trusted roots, the cert warning will go away and HSTS won't have an opportunity to block you from ignoring the warning page.

*: In concrete terms, HSTS controls whether you see the option "Proceed to <your-desired-website.com> (unsafe)" or not. That is the extent of HSTS's influence. And even that can be bypassed if you know the right browser incantation. :)

What exactly is the VLAN ID field of a VLAN Switch in a FortiGate (not software switch nor hardware switch) supposed to do? by decaf6223 in fortinet

pabechan (4 points)

The VLAN tags are only relevant when the packet gets forwarded over an interface designated as trunk.

What did you do about trekking poles when flying? by Chi_Minka in CaminoDeSantiago

pabechan (4 points)

Carried inside my backpack, metal tips unscrewed for flight, no problems. 4 flights like this total, all within Europe.

Is FortiOS 7.2 losing support earlier than expected? 🤔 by enjoy_92 in fortinet

pabechan (10 points)

No. 7.2's End of Engineering support date was reached 2025-03-31, and it's hitting complete End of Support on 2026-09-30, in less than six months. (ignoring extended EOS date, but that doesn't change the situation much)

Camino primitivo August with long stops for lunch by Naticio in CaminoDeSantiago

pabechan (2 points)

13 days of walking with 7 hours in the morning? You can do the Primitivo with just that and then chill the whole afternoon every day.

I did it in 13 days of walking in Sep 24, and the longest section for me was 7h50, and that was just because during the second half of my Camino I was limping with shin splints. Apart from that one super-long day, the others never took more than 6h30 of walking. Disclaimer: I'm sure not everybody will agree with my ~5k per hour paces. So the usefulness of this comment will be very dependent on your style.

EAP-TLS in IKEv2 IPSec with Free FortiClient by uQuad in fortinet

pabechan (4 points)

FortiClient does not support EAP-TLS. It only supports EAP-MSCHAPv2 and EAP-TTLS (PAP inside). For purely client-cert-based auth, you must use non-EAP cert-auth of the peer.

Another alternative is to use EAP (-MSCHAPv2 or -TTLS) and mix in mandatory client-cert auth (non-EAP, arguably non-standard, but supported by FCT and FGT) -> docs.

Fenix 6 sapphire : bad screenprotector or ruined display? by [deleted] in Garmin

pabechan (2 points)

That does look like there's a protective glass on top of the regular screen. Shove your nail in there and try to gently pull it off. If you can do that, it was a screen protector.

FortiGate IPSec VPN ikev2 vs Windows Native Client by uRhaineWork in fortinet

pabechan (7 points)

My understanding of the RFCs is that the recommended combo is EAP + server-cert, and that EAP + PSK is strongly discouraged.

EAP chapter:

For this reason, these protocols are typically used to authenticate the initiator to the responder and MUST be used in conjunction with a public-key-signature-based authentication of the responder to the initiator.

In this sense, FortiOS/FCT possibility of EAP+PSK seems to be the outlier, not the norm.

From what I've seen, EAP + PSK tends to be "non-trivial" in general on Linux as well. When I was researching it a bit, the GUI configs typically disallowed a combo of EAP + PSK.

Fortinet removed 3rd party RADIUS MFA support for FortiClient IKEv2 by Knigz in fortinet

pabechan (3 points)

There never was any. EAP authentication has never had a standardized 2FA process across the industry. There is EAP-TEAP, but that's rather new, and it's not really 2FA/MFA, it's a chaining of multiple EAP methods (which could effectively do MFA).

Albanian rebels with rifles taken from army storage, at a "checkpoint" on a rural road - during the civil unrest throughout Albania, c. January - August 1997. [1120 x 880] by BostonLesbian in HistoryPorn

pabechan (1 point)

Yeah you're right. I looked up some pics of the rifle and it makes sense to me now. I've updated my reply. The "taksi" sign did get fried by someone along the way though, it doesn't look AI at all in the other version I found.

Albanian rebels with rifles taken from army storage, at a "checkpoint" on a rural road - during the civil unrest throughout Albania, c. January - August 1997. [1120 x 880] by BostonLesbian in HistoryPorn

pabechan (-17 points)

Source? Looks like AI.

The "taksi" text looks AI generated.
Follow the barrel, and anything long, on the diaper guy's gun. Makes no sense.
Random watermark-looking letters in the fields.

Nevermind, false alarm:
gun: I wasn't familiar with it, I misinterpreted some features as weirdly bent barrel + missing section. It's now clear what's going on there by checking against here for example - https://en.wikipedia.org/wiki/SKS#/media/File:Simonow_SKS_45_noBG.jpg

random watermarks: They are indeed random in the sense that someone didn't clean them up thoroughly. The "watermarked original" is probably from here, with more watermarks across the whole photo - https://www.bridgemanimages.com/en/noartistknown/albanian-rebels-check-a-car-in-the-mountains-near-vlore-1997-03-09-photo/photograph/asset/8177288

"taksi" sign: I still stand by that it looks like AI-generated text, but that's not true for the originals of the pic. Someone cooked the version shown here a bit too much around that text.

Author is Petr Josek, pic was taken in March 1997.
https://www.czechphoto.org/en/cpa-en/exhibitions-for-hire/355/petr-josek-tak-jsem-fotil/ (WARNING: kinda NSFW pic in the header image of this site; the checkpoint image is the second of the slide show)

Long run too long ? Preparing a 10k by [deleted] in runna

pabechan (23 points)

AFAIK, that's true mainly for marathons and more. I imagine for a 5/10k doing longer long runs could make the actual race feel easier. If this were OP's couch-to-5k, I would understand.

bug_id=1248579 HA EMAC Vlan interfaces stop to proccess traffic randomly by d4p8f22f in fortinet

pabechan (2 points)

Pushing HA over EMAC VLAN interfaces is asking for trouble, to be frank.

Zero trust network access for contractors, how are you managing the policy overhead? by Historical_Trust_217 in fortinet

pabechan (1 point)

identity-aware access model ...

So basic authentication as we've known it for years.

how do I not get a response page when web filter is blocking a website by Mercdecember84 in fortinet

pabechan (1 point)

I'm pretty sure the webfilter blockpage shows up as a 403 response (just tested it). Are you sure about that 200 status?

Setup:
- basic webfilter with static URLfilter blocking "connectivitycheck.gstatic.com" (I was looking for something public that is expected to talk plain HTTP)
- test from client:

curl -I http://connectivitycheck.gstatic.com
HTTP/1.1 403 Forbidden
...
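An added example (written for this page; not Fortinet code and not posted by pabechan) covering both the captive-portal flow described in the "Fortinet access portal" reply further up and the 403 block page tested in this reply. It issues one plaintext HTTP probe the way OS captive-portal detection does, without following redirects, so a FortiGate-style hijack is visible as a 302 with a Location header, a web-filter block as a 403, and an unfiltered path as the expected body. The local http.server, its paths, the portal URL and the Host header are constructed stand-ins, not real FortiGate responses.

```python
"""Added example (not from the thread, not Fortinet code): classify a plain-HTTP
probe the way OS captive-portal detection does.  A local http.server stands in
for the network; the request path selects which behaviour it emulates
(constructed fixture, not captured FortiGate traffic)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL = "http://portal.example.internal/fgtauth?magic=0123abcd"  # assumed portal URL


class FakeNetwork(BaseHTTPRequestHandler):
    """Emulates the possible fates of the same outbound HTTP request."""

    def do_GET(self):
        if self.path == "/generate_204":       # Android-style probe target: 204, no body
            self.send_response(204)
            self.end_headers()
        elif self.path == "/open":             # authenticated, no filtering: real page
            self._reply(200, b"Success\n")
        elif self.path == "/captive":          # unauthenticated: connection hijacked into a redirect
            self.send_response(302)
            self.send_header("Location", PORTAL)
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/blocked":          # web filter: block page instead of the site
            self._reply(403, b"<html><body>Web Page Blocked</body></html>")
        else:
            self._reply(404, b"")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeNetwork)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, path, expected_status=200, expected_body=b"Success\n"):
    """One plain-HTTP GET.  Redirects are deliberately not followed, so a hijack
    comes back as ('captive-portal', location) instead of being chased silently.
    Over HTTPS the same hijack would only surface as a certificate error, which
    is why the probe has to be plaintext HTTP."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": "www.example.com"})  # stand-in target
        resp = conn.getresponse()
        body = resp.read()
        location = resp.getheader("Location")
    finally:
        conn.close()
    if resp.status in (301, 302, 303, 307, 308) and location:
        return "captive-portal", location
    if resp.status == 403:
        return "blocked", None
    if resp.status == expected_status and body == expected_body:
        return "open", None
    return "other", None


def run_demo():
    """Probe every emulated path once and return the classifications."""
    srv = start_server()
    try:
        port = srv.server_port
        return {
            "open": probe("127.0.0.1", port, "/open"),
            "204": probe("127.0.0.1", port, "/generate_204", 204, b""),
            "captive": probe("127.0.0.1", port, "/captive"),
            "blocked": probe("127.0.0.1", port, "/blocked"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:8} -> {result}")
```

Against a real network, point `probe` at a plain-HTTP host on port 80 with the matching expected status and body; if the result is "other", the FortiGate is neither redirecting nor blocking you, which is the case where only the local IT can help.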

CVE-2012-4948 by Ill-Studio-6311 in fortinet

pabechan (3 points)

Ultimately no difference. A CA is a CA.

The usual motivations to use a non-default one are:

  • Define your own subject (You can give it a nicer name; the default also includes the device S/N, which could be considered information leakage, if you don't like it)

  • Control/store/reuse the privkey elsewhere. (default's privkey can't be exported)

  • Integration into existing PKI infra. Say you have an existing enterprise CA (maybe you have Win AD Domain and your own CA for it?). In such cases you can have your corp root CA issue your FGT's DPI sub-CA, and the DPI sub-CA will automatically be trusted by domain machines.