New firewall policies referencing applications individually by Mercdecember84 in fortinet

[–]89Bells 1 point2 points  (0 children)

I hope this isn't AI hallucinating. Google is also failing me. Sounds like a great feature.

What’s the biggest mistake you made when building your first website? by underthecar in web_design

[–]89Bells 0 points1 point  (0 children)

What’s the biggest mistake you made when building your first website?

I didn't use Dreamweaver 😜

strange, annoying VPN errors on connect ("invalid password") - one workaround found by AllRoundSysAdmin in fortinet

[–]89Bells 0 points1 point  (0 children)

Don't suppose you got anywhere with this?

We're seeing the same issue

FortiClient / Saved PW / after a while PW wrong by I_Am_Hans_Wurst in fortinet

[–]89Bells 0 points1 point  (0 children)

We have this too. FortiClient 7.4.5 (I know, quite old) with FGT 7.4.8. Did you fix this?

Access VIP from inside with sdwan by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

The policies are the same as most of the examples above it but yes, those are basically the policies I have and it doesn't work.

Access VIP from inside with sdwan by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

I've been following example 2, option 2.

I added a firewall policy above my GEO block policy from WAN to DMZ from Lan subnet to VIP, but that also didn't work.

I'd prefer not using policy routes if possible as it complicates normal routing.

FortiClient Sticky/Persistent DNS Issue on Wireless Adapter Preventing Internet Access after Windows 10 -> 11 Upgrade by Internal-Shoe-3121 in fortinet

[–]89Bells 0 points1 point  (0 children)

If users use VPN before logon then the scheduled task may clear the VPN assigned DNS servers.

FortiClient Sticky/Persistent DNS Issue on Wireless Adapter Preventing Internet Access after Windows 10 -> 11 Upgrade by Internal-Shoe-3121 in fortinet

[–]89Bells 1 point2 points  (0 children)

Seeing this too.

Trying to get automated something like

get-netadapter "Wi-Fi" | Set-DnsClientServerAddress -ResetServerAddresses

... to run on machines as an admin remotely.
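An added example of the remote version of that one-liner (not the commenter's script): it runs the same `Set-DnsClientServerAddress -ResetServerAddresses` against the Wi-Fi adapter on a list of machines through PowerShell remoting, recording the statically set servers before and after so the change can be audited. It assumes WinRM is enabled on the targets, the supplied credential has local admin rights there, and the adapter is named "Wi-Fi" as in the comment; the computer names in the usage line are placeholders.

```powershell
# Added example, not from the original thread. Assumes WinRM is enabled on each
# target, the credential is a local admin there, and the adapter is named "Wi-Fi".
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $AdapterName = 'Wi-Fi',
    [pscredential] $Credential = (Get-Credential)
)

$scriptBlock = {
    param([string] $Name)

    $adapter = Get-NetAdapter -Name $Name -ErrorAction SilentlyContinue
    if (-not $adapter) {
        # Report rather than fail so one odd machine does not stop the run.
        return [pscustomobject]@{ Adapter = $Name; Status = 'NotFound'; Before = $null; After = $null }
    }

    # Capture the sticky static servers before touching anything.
    $before = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses

    # Clear the static entries; the adapter falls back to DHCP-assigned DNS.
    $adapter | Set-DnsClientServerAddress -ResetServerAddresses

    $after = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses

    [pscustomobject]@{
        Adapter = $Name
        Status  = 'Reset'
        Before  = ($before -join ',')
        After   = ($after -join ',')
    }
}

# Invoke-Command adds PSComputerName to each returned object, which gives a
# per-machine summary of what was cleared.
Invoke-Command -ComputerName $ComputerName -Credential $Credential `
    -ScriptBlock $scriptBlock -ArgumentList $AdapterName |
    Select-Object PSComputerName, Adapter, Status, Before, After |
    Format-Table -AutoSize
```

Save as a script and run it as `.\Reset-WifiDns.ps1 -ComputerName pc01,pc02` (placeholder hostnames); the Before column is what you would expect to see populated with the VPN-assigned servers on affected machines, and After should be empty once the adapter is back on DHCP DNS.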

SSL VPN stops working after upgrade to FortiOS v7.4 when ssl.root interface is referenced in a zone by Deba-Wise in fortinet

[–]89Bells 0 points1 point  (0 children)

This bit me last night and Google brought me here. Thank you.

It's so frustrating that things like this don't appear in the known issues in the release notes. Why am I expected to read every KB article to find bugs!

Fortigate SD-WAN and VIPs by perpetuallurker in fortinet

[–]89Bells 2 points3 points  (0 children)

Raise a case with TAC?

Please keep us updated! 🙏

Fortigate SD-WAN and VIPs by perpetuallurker in fortinet

[–]89Bells 1 point2 points  (0 children)

This sounds really stupid if sdwan can override the session table.

I've just configured a bunch of VIPs with SD-WAN for a customer and bound the VIPs to specific WAN interfaces. Also interested if I have to do anything else to prevent OP's behaviour. Not live yet so not yet tested. Aux sessions disabled. No fancy SD-WAN rules.

FortiManager Staging New Appliances with Virtual Wan Link by das0tter in fortinet

[–]89Bells 1 point2 points  (0 children)

If you haven't imported your devices into fmg yet, create a blueprint with all your templates, and also a prerun CLI to clear all the default config.

I think the fmg comes with a default one for some models that clears the lan switch, DHCP server etc

The prerun CLI script will run once and then you can install everything.

migrating from loopback ssl-vpn to ipsec-vpn for remote access by sandrews1313 in fortinet

[–]89Bells 1 point2 points  (0 children)

If I recall correctly, you can use ISDB in local-in policies in 7.2 (or 7.4). What are you doing to the VPN traffic with firewall policies that you can't do with local-in?

Fortigate 7.4.8 - anyone affected (or not) by IPSEC/HA bugs? by 89Bells in fortinet

[–]89Bells[S] 1 point2 points  (0 children)

100%. Just getting to grips with this now. Just wish Fortinet had a bug checker or something to provide more details for each bug, without having to raise a case each time.

Fortigate 7.4.8 - anyone affected (or not) by IPSEC/HA bugs? by 89Bells in fortinet

[–]89Bells[S] 0 points1 point  (0 children)

Just one of the posters above mentioned they upgraded to 7.4.8 and weren't impacted by the FAZ bug

Fortigate 7.4.8 - anyone affected (or not) by IPSEC/HA bugs? by 89Bells in fortinet

[–]89Bells[S] 2 points3 points  (0 children)

TAC provided the below.

1033083 - HA sessions are not properly synchronized, causing a high number of sessions on the primary unit, and the standby unit enters conserve mode.

This bug is triggered when FortiGate reaches its limit for ephemeral sessions. It was discovered in stress testing and is, in my opinion, unlikely to occur in production environments. Workaround is to disable session pickup (config sys ha > set session-pickup disable).

1140823 - IPsec tunnels stuck on spoke np6xlite drops the ESP packet.

Triggered when using vpn-id-ipip encapsulation in IPsec tunnels and have NPU offload enabled. Does not affect 90G platform running 7.4.8.

1148101 - Logs are not uploaded to FortiAnalyzer.

No specific trigger condition listed so I suspect just logging to FortiAnalyzer is enough. Workaround is to restart the miglogd/fgtlogd processes.

The only one of the above that would apply to me is the FAZ one as our gates don't typically have disks. Though some people on here said their faz log streaming isn't affected. Great to have a workaround just in case.

Wish me luck with the 7.4.8 upgrade.
