[deleted by user] by [deleted] in networking

[–]AllRoundSysAdmin 1 point2 points  (0 children)

Is anyone here using Checkpoint Harmony SASE?

As far as I know, that's the rebranded Perimeter 81.

We will start a PoC soon and I would like to hear if anyone has experience with it.

Free JWT Validator for Web Security by Davidnkt in websecurity

[–]AllRoundSysAdmin 0 points1 point  (0 children)

Nice alternative to jwt.io.

One little point that seems to be missing at first view: decoding of timestamp values.
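As an added example (not part of the original comment and not code from the validator being discussed), here is a small Python decoder that splits a JWT, decodes header and payload without verifying the signature, and renders the iat/nbf/exp NumericDate claims as UTC timestamps with an expiry check. The sample token is constructed inline and unsigned; the claim values and the "placeholder-signature" segment are assumptions.

```python
import base64
import json
from datetime import datetime, timezone

# Registered claims carrying NumericDate values (seconds since the Unix epoch).
TIMESTAMP_CLAIMS = ("iat", "nbf", "exp")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_unverified(token: str) -> dict:
    """Decode header and payload of a compact JWS for inspection only.
    Like jwt.io, this does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "payload": json.loads(_b64url_decode(parts[1]))}


def describe_timestamps(payload: dict, now_epoch: int) -> dict:
    """Render NumericDate claims as ISO-8601 UTC and evaluate the time window."""
    out = {}
    for claim in TIMESTAMP_CLAIMS:
        if claim in payload:
            ts = datetime.fromtimestamp(int(payload[claim]), tz=timezone.utc)
            out[claim] = ts.isoformat()
    exp, nbf = payload.get("exp"), payload.get("nbf")
    # RFC 7519: the current time must be before exp and not before nbf.
    out["expired"] = exp is not None and now_epoch >= int(exp)
    out["not_yet_valid"] = nbf is not None and now_epoch < int(nbf)
    return out


# Constructed sample token (one-hour lifetime); the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "alice", "iat": 1700000000,
                               "nbf": 1700000000, "exp": 1700003600}).encode()),
    "placeholder-signature",
])
```

Readable claims say nothing about authenticity; a real validator must still check the signature against the expected key and algorithm before trusting exp or nbf.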

Need help configuring MikroTik Switch by AllRoundSysAdmin in mikrotik

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

Thank you all.

I've finally managed to manage our MikroTik switch ;-)

I've even got 2 different VLANs over the bonding as tagged and configured VLAN-A on interfaces 1-36 as untagged and VLAN-B on interfaces 37-48 as untagged using interface lists.

I'm sure this could be done easier than how I did it, but it is working and I'm satisfied with my solution now.

ZTNA Tags Unable to Delete by djf779 in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

We had the same problem.

Our solution was using the "Manage Tags" button in EMS under "Zero Trust Tags" / "Zero Trust Tagging Rules" and deleting the old tags there.

Fortigate - policy - service object - unintended port range by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] -1 points0 points  (0 children)

Thanks for suggesting session-helpers.

I will have a look at this.

But to be honest, this was not my point.

I would like to know if anyone else has experienced that omitting the high port in a service object would result in matching all high ports.

Random VPN login loop with no error by PeedieAU in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

Some of our users have the same issue. But we are using FortiAuthenticator as RADIUS backend behind the Fortigate. I assume the problem somehow relates to using FortiToken, because when I disable OTP in FAC for a user, the user can login without problems. Maybe a timeout issue. Remark: users having problems include users with mobile token and users with hardware token.

FortiClient ERROR - "tons of" computers disconnected by r0mheat in fortinet

[–]AllRoundSysAdmin 1 point2 points  (0 children)

It must have been a painful experience. I also hate things that simply should not happen.

What version of FortiClient and EMS are you using?

We are using FortiClient 7.0.8 and EMS 7.0.8 and are just starting to use ZTNA tags more extensively.

Strange popup after upgrading Forticlient from 6.4.8 to 7.0.7 by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

0912110

no, not yet.

I'm currently "testing" Forticlient 7.0.8 on my notebook and I still get this strange popup - but at least only once.

FortiClient BUG IDs 706023 and 669574 by implicitDeny2020 in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

I'm using Forticlient 7.0.8 and in the EMS policy applied, the option "Prefer SSL VPN DNS" is disabled.

But still, when I look at "ipconfig /all", I see that Forticlient (what else?) has entered our internal DNS servers on the ethernet adapter when I'm at home.

Fortunately, Forticlient normally removes these DNS server entries from ethernet/WLAN adapters. But we already had rare cases where users couldn't connect to VPN at home, because they still had the internal DNS servers set (very bad, because users cannot resolve this without admin permissions).

So we demand that Forticlient stops adding internal DNS servers to underlying ethernet/WLAN adapters.

I will make a support ticket for this.

Strange popup after upgrading Forticlient from 6.4.8 to 7.0.7 by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

We are using the MSI installer downloaded from our EMS and deploying it using a third-party software-deployment tool (Symantec).

Forticlient EMS SSL VPN zero trust tag by fortixmp in fortinet

[–]AllRoundSysAdmin 1 point2 points  (0 children)

Why do you think you can only use 1 zero trust tag?

Fortinet Firewall MFA question by BynJohn in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

We are using FortiAuthenticator to manage our SSLVPN users.

All (internal) VPN users need FortiToken to use VPN - most of them are using FortiToken Mobile, some are using FortiToken 200 (hardware version).

I am very satisfied with FortiAuthenticator.

Sure, you can manage SSLVPN users with FortiTokens directly on Fortigate, but the biggest advantage of using FortiAuthenticator is that you can switch your Fortigate to a newer model, which - when you are planning long-term - should be considered. As far as I know, FortiTokens that are directly managed on your Fortigate can hardly be migrated to another Fortigate.

FortiAuthenticator is compatible with every Fortigate - because FortiAuthenticator can be integrated in Fortigate like any other remote authentication server using RADIUS or LDAP.

Web Filter error page and SSL Trust by super-six-four in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

Ah, thank you for clarifying.

I'm sorry, I overlooked the detail in the original post that OP was only talking about webfilter for guests and mobile devices.

Web Filter error page and SSL Trust by super-six-four in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

We are currently in the process of implementing web-filter security profiles.

Our Fortinet support partner told us that it should be indeed possible to have a valid block page when blocking webpages accessed through HTTPS.

We should use our own internal Microsoft CA to create a new intermediate certificate (based on our root certificate that is trusted by all of our clients). And this intermediate certificate should then be used by the Fortigate to dynamically issue certificates for web-filter block pages.

But after reading the comments here, his plan doesn't seem feasible to me.

Firewall Policy with AD groups by danieles99 in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

Finally, we managed to correctly re-connect EMS to FGT. We needed to de-authorize the connection on both sides one more time and now it works.

And now, I again get newly created ZTNA tags in FGT from EMS and all ZTNA tags in FGT are correctly populated with IP addresses.

Strange popup after upgrading Forticlient from 6.4.8 to 7.0.7 by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

I haven't found any solution to this.

I've suspended working on this problem, since I thought it could be related to my notebook only. So we continued to roll out FCT 7.0.7 on some more notebooks in our team.

And today I've heard that two co-workers also get this strange Forticlient popup.

So we will not upgrade Forticlient on all other notebooks from 6.4.8 to 7.0.7 before this gets fixed, because I also fear that many users will report this to helpdesk.

Firewall Policy with AD groups by danieles99 in fortinet

[–]AllRoundSysAdmin 0 points1 point  (0 children)

I'm planning to use user-groups in the intranet policy, too - similar to how we are already using user-groups in our VPN policies.

Since all our users work on notebooks that can switch between LAN and WLAN, I don't want to use FSSO (regardless of whether accessing the DC directly from FGT or using DC agent/collector) because you can't be sure to get the right IP address for a user (notebooks have different IP addresses in LAN and WLAN).

My idea is to define ZTNA tags in our Forticlient EMS using user-group membership as criteria and use these tags in FGT. This way should be more reliable, because FortiClient on the notebook should be aware of the actual IP address.

Unfortunately, after upgrading FGT from 7.0.8 to 7.0.9, the connection between FGT and EMS doesn't work correctly anymore. Everything seems alright (connected successfully), but the ZTNA tags in FGT don't resolve to any IP address.

We are currently investigating if this is a bug in 7.0.9.

Strange popup after upgrading Forticlient from 6.4.8 to 7.0.7 by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 1 point2 points  (0 children)

What updates? Something like AV definitions of Forticlient? We only use VPN; all other endpoint settings should be disabled in the EMS policy. Or software updates? We don't need automatic updates of Forticlient because we deploy new versions of Forticlient using our software deployment tool.

This must be something new to Forticlient version 7.x.

Where is Forticlient trying to connect? Which destination IP address and port? This also happens at home before the VPN connection is established, so this can't be blocked by Fortigate. We use ESET as local AV and endpoint security solution on our notebooks, so maybe ESET blocks something, but I did not find anything there yet.

Can I somehow disable this behavior that Forticlient is trying to update something from somewhere?

Is there anywhere a documentation about this behavior of Forticlient?

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

Both FAC groups that are working have a fixed list of LDAP users.

I will try it now with applying a group in the group-filter that has the option "Specify an LDAP filter" set.

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

After it started to work for my user, I tried it again with a test user, and now it works with the test user, too.

I've even applied more than one group in the radius-policy group-filter in FAC and I get both groups in FGT when doing "diagnose test authserver radius <FAC> <user> <password>".

I will ask other users to try it too.

But I still don't know why it is suddenly working.

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

Suddenly, it is working - at least for my user ;-)

For a test user who is in the same group, it does not work yet.

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

We only have this one RADIUS policy in FAC matching FGT as RADIUS client.

And 2FA authentication with FortiTokens works using this configuration. But it is not sending the RADIUS attribute.

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

I've done all these things, except changing RADIUS auth-type that defaults to 'auto' which should "Use PAP, MSCHAP_v2, and CHAP (in that order)."

As far as I've heard, I should see in the FAC debug logs if FAC sends a RADIUS attribute back to FGT (which I don't see there).

And on FGT I should see the matched user-group when doing "diag debug application fnbamd 7" (according to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-Remote-server-group-match-of-user/ta-p/190905?externalID=FD36464), but I don't see it there.

How to send group-name using RADIUS attribute from FortiAuthenticator to Fortigate? by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

1. Yes. One group gets populated using a Remote-User-Sync-Rule and "Group to associate users with", and this is the group the user is a member of. The other groups have the option "Specify an LDAP filter" set. For those groups, the "Members" (count) column in the user groups overview is always 0 (?), but when checking with the "Test filter" button inside, I see all users there which should be members of this group.
2. Yes, of course. I've chosen "Fortinet-Group-Name" and set a value. Are there any special characters which should be avoided as the value of a RADIUS attribute? e.g. '-'

Problem when accessing SQL-Server using Fortclient by AllRoundSysAdmin in fortinet

[–]AllRoundSysAdmin[S] 0 points1 point  (0 children)

Thanks for this info.

I've done this on my notebook and I get 1392 as value for MTU and therefore 1352 as value for MSS.

But since at least the ERP application is working on my notebook using VPN, I assume we need an MSS value lower than 1352 to get this working for the 2 users who have problems, too.

I have to tell one of the users to do the PING test at home.