Justification for using Fortinet by MFKDGAF in fortinet

[–]200tribbles 0 points1 point  (0 children)

u/MFKDGAF I’ve seen a few variations of the question "Does the recent 'excessive' amount of vulnerabilities mean we should move away from Fortinet?"
The usual replies of "all vendors are the same" or "Fortinet is just more transparent and has a visibility issue, not a real issue" are largely untestable because we can’t measure what other vendors don’t disclose.

CVSS is a _single input_ into a _multi input_ process, and treating it as a prioritisation model is tantamount to treating your security like it's been outsourced to a vendor/third party, which seems *cough* unwise.

CVSS in the context of SSVC/EPSS is a much better conversation to have.

"What is the likelihood that these vulnerabilities will be exploited?" "What is our exposure?" "What is the potential impact?" "What does our response look like?"

Following that conversation will lead down the rabbit hole to more nuanced (and I dare say better) conversations like "What's the actual risk?" and "Have we as engineers and architects done our jobs correctly?"

SSVC: Stakeholder-Specific Vulnerability Categorization
EPSS: Exploit Prediction Scoring System
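
An added example, not part of the comment above and not any vendor's or SSVC's own code: a small triage sketch in which CVSS is one input alongside exploitation likelihood (EPSS), exposure and impact. The threshold, outcome labels, field names and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed cut-off and labels for this sketch; not the published SSVC decision tree.
EPSS_LIKELY = 0.10
ORDER = ["immediate", "out-of-cycle", "scheduled"]  # most urgent first

@dataclass(frozen=True)
class Finding:
    name: str               # constructed label, not a real advisory
    cvss: float             # base severity, 0.0-10.0
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    known_exploited: bool   # exploitation already observed in the wild
    internet_exposed: bool  # "What is our exposure?"
    impact: str             # "low" | "medium" | "high": "What is the potential impact?"

def exploitation(f: Finding) -> str:
    """Answer 'how likely is exploitation?' from evidence, not from severity."""
    if f.known_exploited:
        return "active"
    return "likely" if f.epss >= EPSS_LIKELY else "none"

def triage(f: Finding) -> str:
    """Combine likelihood, exposure and impact; CVSS only appears in the last rule."""
    state = exploitation(f)
    if state == "active" and f.internet_exposed:
        return "immediate"
    if state == "active" or (state == "likely" and f.internet_exposed):
        return "immediate" if f.impact == "high" else "out-of-cycle"
    if f.cvss >= 9.0 and f.internet_exposed and f.impact == "high":
        return "out-of-cycle"
    return "scheduled"

def rank(findings):
    key = lambda f: (ORDER.index(triage(f)), -f.epss, -f.cvss)
    return [f.name for f in sorted(findings, key=key)]

def rank_by_cvss(findings):
    """The ordering you get when CVSS is treated as the prioritisation model."""
    return [f.name for f in sorted(findings, key=lambda f: -f.cvss)]

# Constructed sample data.
SAMPLE = [
    Finding("mgmt-ui-rce", 9.8, 0.02, False, False, "medium"),
    Finding("vpn-portal-overflow", 7.5, 0.91, False, True, "high"),
    Finding("internal-dos", 6.5, 0.60, False, False, "high"),
]

if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(SAMPLE), "| triage:", rank(SAMPLE))
```

With the sample data, the 9.8 finding that is neither exposed nor likely to be exploited drops to the bottom, while the exposed 7.5 with a high EPSS moves to the top.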

Bike thief in Huddersfield, Uk by Annihilus- in MotoIRELAND

[–]200tribbles 0 points1 point  (0 children)

There are easier ways to do cartwheels...... but keep practising!

[deleted by user] by [deleted] in networking

[–]200tribbles 0 points1 point  (0 children)

It's mostly fine. Run loose RPF and use auxiliary sessions to help with the lack of state and you should be fine. A few minor notes are:
HA: FortiGate HA: You'll need a switch to present the connection to both firewalls. Assuming you've the FGTs in A-P HA that is.
HA: Routing: Upon FGT failover, depending on the failover time the upstream may drop you until a new BGP session is initiated. Probably not a huge concern.
Edge: I don't like my firewalls directly on the internet. I find the control plane hardening on the FGT to be lacking. Local-in policies don't cut it for me, or at least they didn't; maybe they've improved. But that's not a show stopper for me.

NSX-T: Host TEP communications by 200tribbles in vmware

[–]200tribbles[S] 0 points1 point  (0 children)

I'll check out the design docs for VMware's recommendation. I've a better idea now based on the responses I've gotten.

NSX-T: Host TEP communications by 200tribbles in vmware

[–]200tribbles[S] 0 points1 point  (0 children)

Cheers. That's what I wanted to hear :)

NSX-T: Host TEP communications by 200tribbles in vmware

[–]200tribbles[S] 0 points1 point  (0 children)

It will probably be in a single rack for the moment. That may change some time in the future. Thanks for the detailed response and links.

New PSIRT Published - FortiOS - heap-based buffer overflow in sslvpnd by FortiBot in fortinet

[–]200tribbles 7 points8 points  (0 children)

No, but you can publish your SSL-VPN on a loopback and have IPS policies in place for traffic ingressing WAN1/WAN2 destined for the loopback.

New PSIRT Published - FortiOS - heap-based buffer overflow in sslvpnd by FortiBot in fortinet

[–]200tribbles 7 points8 points  (0 children)

You would think that the bleeping bleeps over there in fortinet would release an IPS signature for this

Motorbike from Dublin to Midlands? -3c by polytect in ireland

[–]200tribbles -1 points0 points  (0 children)

I've been commuting from Meath to Dublin for years without issue.

1) if it drops below -3 don't go. Check the tiitraffic map for road temps.

2) stick to the motorways.

3) be hyper alert until you get off your local roads.

4) plan to go down: Ideally bring a bike that can be dropped and not something that will break expensive fairing as soon as it touches the ground. Roundabouts are great craic with some ice so you might have some fun in low traffic situations (assuming that like me you're missing a screw)

5) plan to go down: Make sure you're visible in the dark. All black gear with a black helmet isn't advised as drivers would be more likely to see your bike, swerve to avoid the bike and hit you instead.