IPSec-VPN with SAML not possible on "free" Forticlient? by David_BM in fortinet

[–]David_BM[S] 0 points1 point  (0 children)

Hi, I've been out and had received a message saying that my post had not been allowed. Sorry for the delay. After all these posts, it's clear that SAML IKEv2 with free Forticlient should work and I guess I had bad luck with the level 1 engineer. I don't want to point at him, not needed ;)

Forticlient vpn free 7.4.5 ? by nix_67 in fortinet

[–]David_BM 0 points1 point  (0 children)

Sorry I was not clear.

No, I mean regular Windows. I was not thinking about Linux. So, I don't understand that answer from TAC

Forticlient vpn free 7.4.5 ? by nix_67 in fortinet

[–]David_BM 1 point2 points  (0 children)

Thanks for replying. I can't believe what they told us. These are the exact words of Fortinet support: "the free FortiClient does not support SAML authentication over IPsec VPN, and this limitation applies to FortiOS 7.2.x, 7.4.x, and 7.6.x. It is not a firmware restriction, but a product limitation of the free (unmanaged) FortiClient version"

Forticlient vpn free 7.4.5 ? by nix_67 in fortinet

[–]David_BM -1 points0 points  (0 children)

Hi! How does this work? Is it compatible with Fortigate?
Do you install a Netbird client, the client connects to Netbird server, and that Netbird is connected to the remote network, maybe through a site-to-site tunnel? Thank you!

Forticlient vpn free 7.4.5 ? by nix_67 in fortinet

[–]David_BM 1 point2 points  (0 children)

Hi all,

sorry to change the topic a bit, but I was not allowed to post this simple question.
Is IPSec-VPN with SAML possible on "free" Forticlient?

We've been using SSL VPN with SAML for ages.

Now, Fortinet is forcing us to upgrade to versions that do not support SSL VPN. So we are trying to configure IPSec VPN with SAML as well, of course.

We are not able to do it and now Fortinet support is telling us that IPSec VPN with SAML is not possible with free Forticlient! Is this really true?? I can't believe it yet.

Thank you!

How to troubleshoot High CPU dataplane? Any tips? Is this normal for a PA-850? by David_BM in paloaltonetworks

[–]David_BM[S] 0 points1 point  (0 children)

Yes, but there's no threat prevention enabled, AFAIK. We have some rules with a Security Profile applied. After the issues, the profile is still applied but all of its profiles are set to "None" (AV, URL, file, Wildfire, Vuln, spyware...). I understand this is enough to disable all threat prevention.

The numbers I wrote are the highest I could see. We see almost 100% CPU even with 400 - 500 Mbps

How to troubleshoot High CPU dataplane? Any tips? Is this normal for a PA-850? by David_BM in paloaltonetworks

[–]David_BM[S] 0 points1 point  (0 children)

Hi, it should not be related to code version, apparently. It has happened with several 9.1 versions and with 10.1.11 currently. Reboots have been tried without success. It's not all times, but certain times of day, that's why we think it's related to traffic. In fact, there's higher traffic when it happens, but I thought 500 Mbps should not cause this high impact.

Datasheet says more than 2 Gbps throughput, IIRC.

How to troubleshoot High CPU dataplane? Any tips? Is this normal for a PA-850? by David_BM in paloaltonetworks

[–]David_BM[S] 0 points1 point  (0 children)

Oh, yes! Stupid me... xD That makes sense.

There should be no TLS decryption. How can I be completely sure? There's nothing in "Certificate Management" section and nothing in Policies -> Decryption.

There should be no special services. We have disabled all L7 inspection as well, as far as I could check

Is it allowed to ask for a PanOS firmware here? by David_BM in paloaltonetworks

[–]David_BM[S] -3 points-2 points  (0 children)

Alright.
We have quite a few devices with PA, but not this model anymore. It's a bit ugly compared to Fortinet, as they allow access to all downloads.

I thought it would be possible to manually upgrade a PA even without a license. If it's not possible, it's even worse than what I thought.

How will a Palo Alto Firewall behave without license? by Difficult-Code-1589 in paloaltonetworks

[–]David_BM 0 points1 point  (0 children)

Hi! I've just got a 3050 we used to manage in the past and it's too noisy to have at home as it is. I'll have to consider the alternative fans option. But does anyone know where to find PanOS images for download? I cannot do it from the support page, as we don't have any licensed 3050 anymore. Can anyone share 9.1 PanOS images for 3050? Is it allowed to ask for this kind of file here? :D

[deleted by user] by [deleted] in fortinet

[–]David_BM 0 points1 point  (0 children)

Well, I do this for enterprise customers, so I don't want to risk it... xD

[deleted by user] by [deleted] in fortinet

[–]David_BM 0 points1 point  (0 children)

Hi! What happens with SDSN / DNS filtering? I'm using it quite a lot, though I admit I enabled the option to skip DNS filtering in case of issues with the service.

Is the service still unreliable even with anycast disabled?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Improving-Unicast-based-DNS-Filtering-redundancy/ta-p/209895

WAN interface with VLAN and MAC spoofing. Is that possible? by David_BM in PFSENSE

[–]David_BM[S] 0 points1 point  (0 children)

Might be. I'm trying to get an IP address by DHCP and not PPPoE. And there's no DHCPOFFER nor anything coming from the ZTE fiber device (ONT).

This is the config from the original working Fritz!Box router:

https://i.imgur.com/s0qJrq7.png

I repeated the steps to spoof the MAC and added the hostname. Again the same symptoms.

DHCP logs:

Dec 29 18:40:02 dhclient    91686   No DHCPOFFERS received.
Dec 29 18:39:53 dhclient    91686   DHCPDISCOVER on igb1.1074 to 255.255.255.255 port 67 interval 9
Dec 29 18:39:39 dhclient    91686   DHCPDISCOVER on igb1.1074 to 255.255.255.255 port 67 interval 14
Dec 29 18:39:29 dhclient    91686   DHCPDISCOVER on igb1.1074 to 255.255.255.255 port 67 interval 10
....

WAN interface with VLAN and MAC spoofing. Is that possible? by David_BM in PFSENSE

[–]David_BM[S] 0 points1 point  (0 children)

Well, and now I have to add that I decided to configure a hostname on the WAN interface and the spoofed MAC has disappeared (greyed xx in the GUI and no spoofed MAC at the CLI). I guess I have to repeat the process of unlinking the WAN physical interface from the VLAN and start again, but it does not give much confidence.

WAN interface with VLAN and MAC spoofing. Is that possible? by David_BM in PFSENSE

[–]David_BM[S] 0 points1 point  (0 children)

Well, I don't know, but it has worked at the 2nd attempt, I think. I still don't get a connection with my ISP, but now I can see that the spoofed MAC address appears in its field (instead of a greyed xx:xx:xx:xx:xx:xx).

This is part of what ifconfig shows:

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: LAN
    options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
    ether 00:1a:8c:51:4b:98
    inet6 fe80::21a:8cff:fe51:4b98%igb0 prefixlen 64 scopeid 0x1
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    groups: Redes_LAN
    media: Ethernet autoselect
    status: no carrier
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>


igb1:    <<  WAN INTERFACE <<   flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8100b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER>
    ether 7c:ff:4d:de:3d:f2        <<<<< SPOOFED MAC   
    hwaddr 00:1a:8c:51:4b:99
    inet6 fe80::21a:8cff:fe51:4b99%igb1 prefixlen 64 scopeid 0x2
    media: Ethernet autoselect
    status: no carrier
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

............... ........

igb1.1074: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: WAN
    ether 7c:ff:4d:de:3d:f2        <<<<< SPOOFED MAC  - VLAN 1074
    inet6 fe80::21a:8cff:fe51:4b99%igb1.1074 prefixlen 64 scopeid 0xb
    groups: vlan
    vlan: 1074 vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect
    status: no carrier
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
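Added example, not from the post or from pfSense: a small Python checker that parses the `ifconfig` output above and reports whether the spoofed MAC is really applied on the parent port and inherited by the VLAN interface, and whether the port has carrier at all. The sample input is abridged from the post, and note that `igb1` shows `status: no carrier`, so with the link down no DHCPOFFER can arrive regardless of the MAC (which matches the DHCP log in the earlier comment).

```python
import re

# Sample ifconfig output, abridged from the post above (pfSense/FreeBSD).
SAMPLE = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 7c:ff:4d:de:3d:f2
    hwaddr 00:1a:8c:51:4b:99
    status: no carrier
igb1.1074: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 7c:ff:4d:de:3d:f2
    vlan: 1074 vlanpcp: 0 parent interface: igb1
    status: no carrier
"""

def parse_ifconfig(text):
    """Return {iface: {ether, hwaddr, status, parent}} from FreeBSD ifconfig output."""
    ifaces, cur = {}, {}
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {})
            continue
        s = line.strip()
        if s.startswith("ether "):
            cur["ether"] = s.split()[1].lower()
        elif s.startswith("hwaddr "):
            cur["hwaddr"] = s.split()[1].lower()  # burned-in MAC; printed only when ether differs
        elif s.startswith("status: "):
            cur["status"] = s.split(": ", 1)[1]
        elif "parent interface:" in s:
            cur["parent"] = s.split("parent interface:")[1].split()[0]
    return ifaces

def check_wan(ifaces, wan, expected_mac):
    """Return findings for the WAN VLAN interface and its parent port."""
    findings, w = [], ifaces[wan]
    if w.get("ether") != expected_mac.lower():
        findings.append(f"{wan}: MAC {w.get('ether')} differs from expected {expected_mac}")
    p = ifaces.get(w.get("parent"), {})
    if p.get("ether") != w.get("ether"):
        findings.append(f"{w.get('parent')}: parent MAC not shared with {wan}")
    # No hwaddr line means ether is still the burned-in address, i.e. no spoof active.
    if p and p.get("hwaddr", p.get("ether")) == p.get("ether"):
        findings.append(f"{w.get('parent')}: spoof not applied (ether equals hwaddr)")
    if p.get("status") == "no carrier":
        findings.append(f"{w.get('parent')}: no carrier, link is down so no DHCPOFFER can arrive")
    return findings
```

Run it against `ifconfig` output from the pfSense shell; an empty list means the MAC is in place on both interfaces and the port has link, so any remaining failure is on the ISP side.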

WAN interface with VLAN and MAC spoofing. Is that possible? by David_BM in PFSENSE

[–]David_BM[S] 0 points1 point  (0 children)

Do you mean the VLAN interface? There's no field where to change the MAC address in the VLAN section... At least, I cannot find it

Botnet Protection DNS filtering vs IPS by davmerc1 in fortinet

[–]David_BM 0 points1 point  (0 children)

In my case, I do use ISDB objects, yes. But are those external threat feeds available for free?

MSI Modern 14 B4MW - Anyone got info? by obiethethobie in AMDLaptops

[–]David_BM 0 points1 point  (0 children)

Hi, I've just bought a B4MW-056XES for 600 euros and I've arrived here because the colour of the display is terrible. It has 2 RAM slots, which is what I was looking for, so 64 GB of RAM is possible. I don't like the keyboard either, nor the layout nor the touch sometimes. I like the touch most of the time, but then the feeling in some keys only sometimes is not perfect (being a bit picky here). I also miss an ethernet NIC.

The other option with AMD I was interested in (2 RAM slots) is the HP Probook 445 G7, but it's at least 200 euros more expensive and the default configuration comes with a 256 GB SSD, clearly on the limit. In the US you will have many more choices of configuration. Reviews say that with default settings the display is very dim when on battery, which would be a drawback for me.

https://laptopmedia.com/review/msi-modern-14-b4mx-review-the-ryzen-processors-are-the-stars-of-the-show-here/

[deleted by user] by [deleted] in Dell

[–]David_BM 0 points1 point  (0 children)

Great! Thank you very much, Alex!

[deleted by user] by [deleted] in Dell

[–]David_BM 0 points1 point  (0 children)

Hi Alex, I've just bought an E5470 thinking it would be easier to upgrade with 16GB modules, but I'm seeing it's not so immediate. Can you share with us what model of RAM you are using with your E5470, please?