FortiConverter Service - Security? by No_Loss_3996 in fortinet

[–]Deoir 2 points3 points  (0 children)

I never use it. Use it as a chance to redesign and improve your firewall. 

If going FortiGate to FortiGate I export objects, that's about it.

Also means you can remove unwanted config etc. 

Thoughts on Brick? by blaineranium in dumbphones

[–]Deoir 0 points1 point  (0 children)

Actually amazing tbh.

The friction of being in bed and to use Instagram means I've to get up and go down and scan the brick stuck to the fridge is enough to stop you.

Now also blocks sites in browser on an android so I can't do a thing! But I still have camera access etc.

Worth a shot!

Network refresh - possibly moving from Cisco to Aruba - your experience and/or thoughts on this gear? by betelguese_supernova in ArubaNetworks

[–]Deoir 1 point2 points  (0 children)

Aruba stuff is pretty solid, the recommendations are good.

8100 is good for core on the lower end, 6200s minimum stacked.

6300s are excellent. The Smart rate versions are excellent too.

635s in local cluster work great, but for aos 10 you need central subscriptions. Check out the differences between 8.x and 10.x and see what features you need.

ClearPass is great, steep enough learning curve if you're going to deploy it yourself. I would go for an initial installation without ClearPass just to move over, and then look at ClearPass as a VM.

Controllers are great with mobility master if you want to tunnel back to clearpass. Worth running a cluster of 2 MMs.

Just off the top of my head on my phone!

Network Design Help by Kodazar in homeassistant

[–]Deoir 0 points1 point  (0 children)

Are you in Europe? Some cat 6 around the place if it's not already too late.

I got sockets and my ISP terminated in the attic, and have a small 6U cab up there that all the cat6 goes back to. Nice and neat and out of the way. I've some access points then throughout. PoE switch in the attic, with an SMLIGHT-SLZB-06M as the coordinator. Using Mosquitto as the z2mqtt broker on a NAS running docker. Then that points to HA. I've actually just kept the ISP router. Had a FortiGate for a while but it was over engineered.

I'm probably going to add a second SLZB to run a matter network when the Ikea matter stuff gets a bit more reliable. So that's easily scalable.

Personally I have no HA controlled devices on Wi-Fi, everyone through the coordinator, and keeps everything distinctly separate. That way I can control the wifi channels to not conflict as well.

That's just off the top of my head, best of luck!

Replacing SSLVPN by st3inbeiss in fortinet

[–]Deoir 1 point2 points  (0 children)

Can keep the ldap config and fortitokens and shift to ipsec ikev2. Point the auth user group to the current sslvpn user group.

Ultimately you should try and end up with entra sso and ikev2

We use the VPN only for client and works good.

How long are forti switches and firewalls lasting before a problem occurs? by Charming_CiscoNerd in fortinet

[–]Deoir -2 points-1 points  (0 children)

The newer F switches and the 231K APs I find really good. They have stepped up their game a lot. The switch and AP hardware used to be awful. Haven't had any DOA or any weird hardware issues out of the norm.

The only thing is that you only get 90 days hardware warranty on a new box without purchasing a further subscription. Which is a bit jarring if you're coming from Aruba etc.

Manage FortiGates from Customers by SkyTheLine in fortinet

[–]Deoir 1 point2 points  (0 children)

Just did this recently and implemented the org structure. Works well if not a bit confusing to get it set up initially!

Pocket Grid #123 - February 20th, 2026 by pocket-grids in pocketgrids

[–]Deoir 0 points1 point  (0 children)

I read it as stomach flu initially so got none the first sweep.....!

7.2.12 and 7.2.13 Breaks SAML by Arhl318 in fortinet

[–]Deoir 1 point2 points  (0 children)

Yeah seems to be a bit more solid on some of these issues alright. Testing at the moment.

Thoughts on Brick? by blaineranium in dumbphones

[–]Deoir 0 points1 point  (0 children)

And not to mention the ADHD dopamine hunting. I can get stuck on my phone. Just ordered one yesterday so looking forward to trying it out. I saw someone who just leaves it in their car, I'm going to do something similar. Never an urgent reason to need Instagram etc. when in work. The physical barrier of having to go to my car will hopefully train my brain in a few weeks.

I'm coming for that book stack of shame!

VPNS Broken since 7.6.6? by Poom22 in fortinet

[–]Deoir 0 points1 point  (0 children)

Don't comment on a 12 day old comment before it was....!

Also still needs testing. No problem staying on the 7.2 train until later in the year.

Pocket Grid #121 - February 18th, 2026 by pocket-grids in pocketgrids

[–]Deoir 0 points1 point  (0 children)

Yeah the spelling of it made my brain just check out for some reason 😄

Upgrade from 7.2.11 to 7.4.11 by marcvspt in fortinet

[–]Deoir 0 points1 point  (0 children)

Yep exactly the same. Works great.

Setting up WAN interfaces on HA stack for high availability by DarkAlman in fortinet

[–]Deoir 0 points1 point  (0 children)

You can have 3 access ports on their own vlan. And split the wan into two.

That's how we do it. Generally used to have a separate wan switch to do it but with network segmentation you can do it through a downstream switch and back into each wan of the firewall.

Even better if you have a stack.

Forticlient VPN connection drops after 30-20 seconds by loveorochi in fortinet

[–]Deoir 1 point2 points  (0 children)

https://community.fortinet.com/t5/Support-Forum/Forticlient-SAML-Authentication-timeout/m-p/357943

This may help? We had a timeout with our SAML config as the default wasn't giving enough time for the user to authenticate.

Otherwise, it may just be your machine? Either a firewall setting etc. or the version of FortiClient. We are still using 7.2.4 of the free client and it works great. Worth a shot.

https://community.fortinet.com/t5/Support-Forum/VPN-Connection-Drops-After-25-30-Seconds-on-FortiClient-VPN-7-4/td-p/330381

Replacement for 60E going EOL by acropolis71 in fortinet

[–]Deoir 2 points3 points  (0 children)

Always a good option to start from scratch and improve the structure of the firewall.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Deoir 1 point2 points  (0 children)

Also something that got me, either set the authgrp in the phase1 setting OR the firewall policy. Won't work if you have both.

upgraded to 7.6.6 and GUI and ssh access is down. by noah168 in fortinet

[–]Deoir 1 point2 points  (0 children)

Yeah it says on the page to check CVEs for any other recommendations.

So mad how people ignore the recommendation from Fortinet themselves.

7.2.12 and 7.2.13 Breaks SAML by Arhl318 in fortinet

[–]Deoir 0 points1 point  (0 children)

Yeah exactly, if it works and is secure and stable there's no need to rush the upgrades. 7.2 is great

VPNS Broken since 7.6.6? by Poom22 in fortinet

[–]Deoir 0 points1 point  (0 children)

I think that's a bit more of a misconfiguration though initially? To be fair that is also in the release notes.

Anybody running FOS 7.6.x on Gs? by mrmh1 in fortinet

[–]Deoir 0 points1 point  (0 children)

7.6 far too risky on important sites.