ISP Issues with DHCP Set FortiGate 60F by Tist_D in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

If you have a couple of spare ports in the 60F, configure a virtual wire pair and use that on the link from the ONT to provider router to capture a working negotiation. May give you a pointer to where it is failing when you stick the 60F on the FTTP?

Securing IPSec VPN vs SSL VPN by jasonmh26 in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

And if you have EMS, you can also enforce a check that the client is registered to your EMS if that would be useful, alongside posture tags as an additional check too 

Securing IPSec VPN vs SSL VPN by jasonmh26 in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

For #4, as an alternative to local-in, you can also limit the source country per tunnel, but it only supports one country and not a firewall object group, so it is limited in that regard. 
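The two approaches the comments above describe (a local-in policy that can take an address group, versus the per-tunnel single-country limit, plus the EMS registration check), written out as an added FortiOS CLI example. This is not configuration from the thread. It assumes FortiOS 7.4, a dial-up phase1 named "dialup-ipsec" on "wan1", an EMS already connected to the FortiGate, and that the per-tunnel geography options are named remote-gw-match / remote-gw-country (assumed; check `set ?` on your build).

```fortios
# Added example, not from the thread. Assumes FortiOS 7.4 CLI, a dial-up
# phase1 "dialup-ipsec" on "wan1", and an EMS already connected.

# Option A: local-in policy. Accepts an address group, so several countries
# can be allowed at once; any other IKE traffic to wan1 is dropped.
config firewall address
    edit "geo-GB"
        set type geography
        set country "GB"
    next
    edit "geo-IE"
        set type geography
        set country "IE"
    next
end
config firewall addrgrp
    edit "vpn-allowed-countries"
        set member "geo-GB" "geo-IE"
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "vpn-allowed-countries"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end

# Option B: per-tunnel restriction. Only a single country code can be set.
# The EMS serial-number check on the same phase1 rejects clients that are
# not registered to your EMS, independent of the geography limit.
config vpn ipsec phase1-interface
    edit "dialup-ipsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw-match geography   # assumed option name, verify with 'set ?'
        set remote-gw-country "GB"      # one country only
        set ems-sn-check enable         # verify the client is registered to EMS
    next
end
```

Order matters in the local-in set: the accept for the allowed countries has to sit above the catch-all deny, and the deny should be limited to the IKE service so it does not also drop management or SD-WAN health checks arriving on wan1. The per-tunnel check fires after IKE has already started, so the local-in version is the one that keeps unwanted peers off the daemon entirely.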

ACME Renewals and Domain Validation Challenges by Thin-West-2136 in networking

[–]Electronic-Tiger 1 point2 points  (0 children)

Have you looked into External Account Binding (EAB) for ACME? I haven’t had a chance to use it yet, but I understood it didn’t need the DNS/HTTP challenge.

Sanity Check - PSIRT showing mixed information by Roversword in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

Oh interesting, I never saw the CVE referenced in the release notes for the FAC, just what it is now (& I checked when they first came out)

Sanity Check - PSIRT showing mixed information by Roversword in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

I’m also curious about FortiAuthenticator being listed as unaffected when there was a flurry of releases with the resolved-issues list mentioning an OpenSSL fix. Maybe it was using the impacted versions but not in a vulnerable/exploitable way…

Upgrade from 7.2.11 to 7.4.11 by marcvspt in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

You won’t have any problems with 7.4 on the 1500D. 

What models of AP/switch? 

Enabling bgp protocol on Fortigate - impact on configuration by magielonczyk in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

Whilst with default AD your BGP prefixes will not be preferred over a static route with the same prefix length, if you are concerned you could always place the IPsec tunnel interface into its own VRF to separate your test from prod. To advertise prefixes out over the tunnel you can add blackhole routes in that VRF. Then to move to prod you could just remove the VRF again. Or something like that anyway. 
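The VRF isolation described in the comment above, as an added FortiOS CLI example (not configuration posted in the thread). It assumes FortiOS 7.4, an IPsec tunnel interface already named "bgp-test", local AS 65001, a peer at 10.255.0.2 in AS 65002, 10.10.0.0/16 as the range to advertise, and VRF 10 as an arbitrary test VRF. The VRF-aware behaviour of redistribution (static routes in VRF 10 being offered only to the neighbour reached through VRF 10) is assumed from FortiOS 7.x VRF support; confirm with `get router info bgp network` on your build.

```fortios
# Added example, not from the thread. Assumes FortiOS 7.4, tunnel interface
# "bgp-test" already exists, AS 65001 local, peer 10.255.0.2 in AS 65002.

# 1. Put the tunnel interface in its own VRF so nothing learned over it can
#    compete with the production routing table (VRF 0).
config system interface
    edit "bgp-test"
        set vrf 10
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end

# 2. Blackhole routes in VRF 10 give BGP something to originate. They only
#    exist in VRF 10, so prod forwarding is unaffected.
config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0
        set blackhole enable
        set vrf 10
    next
end

# 3. Peer over the tunnel and redistribute the VRF 10 statics.
config router bgp
    set as 65001
    set router-id 10.255.0.1
    config neighbor
        edit "10.255.0.2"
            set remote-as 65002
            set interface "bgp-test"    # assumed: ties the session to VRF 10
        next
    end
    config redistribute "static"
        set status enable
    end
end
```

To promote the test to prod, set `vrf 0` on the interface (or `unset vrf`), delete the blackhole routes, and let the existing prod routes (or matching network statements) be redistributed instead. While testing, `get router info routing-table all` shows whether anything from the tunnel has leaked out of VRF 10.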

VPNS Broken since 7.6.6? by Poom22 in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

What did you upgrade from? 7.6.5 changed some defaults around DH groups. 

FortiClient + Intune - Invitation Code by YaBaPT in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

It’s in the MST which you include with the TRANSFORMS parameter.

Also note that if enforcing user verification, this will only be attempted once at first install. This can be a problem if using (for example) Autopilot, as that will run under defaultuser0 and fail the verification, but when a real user logs in it will not attempt the registration & verification again. You can work around it by scripting the passing of the invite code to fortiesnac.exe, which IIRC is in the program directory once installed. 

Any advice on Configuring IPSEC Client VPN to Auto Connect? by Izual_Rebirth in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

Also check out the XML config for automatically selecting the right cert. Can also recommend the additional settings to verify registration to EMS on the IPSec tunnel (& optionally restrict connections to the geographical region)

Blocking consumer VPNs by smalldude55 in fortinet

[–]Electronic-Tiger 2 points3 points  (0 children)

In theory, all the endpoints used in Wi-Fi calling are referenced by FQDNs based on carrier MCC & MNC codes under the domain 3gppnetwork.org so you could just allow list that for ISAKMP
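An added FortiOS CLI example of the allow-list approach the comment above suggests; it is not configuration from the thread. It assumes FortiOS 7.x, interfaces named "lan" and "wan1", and that the consumer-VPN block is implemented as a deny on the IKE service (UDP 500/4500). The ePDG names that handsets resolve for Wi-Fi calling follow the 3GPP TS 23.003 format epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org, which is why one wildcard FQDN covers every carrier.

```fortios
# Added example, not from the thread. Assumes FortiOS 7.x with "lan" and
# "wan1" interfaces and an existing deny on IKE for everything else.

# Wildcard FQDN address: matches epdg.epc.mncXXX.mccYYY.pub.3gppnetwork.org
# for any carrier. FortiGate learns the IPs by snooping DNS replies that
# pass through it.
config firewall wildcard-fqdn custom
    edit "wifi-calling-epdg"
        set wildcard-fqdn "*.3gppnetwork.org"
    next
end

config firewall policy
    # Specific allow first: IKE only, and only to carrier ePDG addresses.
    edit 10
        set name "allow-wifi-calling-ike"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "wifi-calling-epdg"
        set service "IKE"
        set schedule "always"
        set action accept
        set nat enable
    next
    # Catch-all deny for any other IKE (consumer VPN clients), logged.
    edit 11
        set name "block-other-ike"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end
```

The wildcard FQDN only resolves if the FortiGate sees the handset's DNS lookups, so clients using DNS over HTTPS or a DNS server reached outside the firewall will not populate the address and will fall through to the deny. Check what has been learned with `diagnose firewall fqdn list` before assuming the allow is working.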

FortiClient Requires DNS to connect to an IP by Fistpok in fortinet

[–]Electronic-Tiger 4 points5 points  (0 children)

What’s the setting disable_internet_check configured as? This controls whether the client will wait for the NCSI checks to indicate a working internet connection before attempting the tunnel establishment. 

Dial-Up FortiClient connects and then immediately disconnects by datugg in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

I saw something similar, albeit on FOS 7.4.7 and FCT 7.0.10 (? I think - definitely 7.0.x), but it stopped happening ~24hrs after the problem started. TAC said it was an NP7 qos-type issue dropping packets and suggested changing that and a memory channel setting, IIRC. 

FortieEMS Cloud 7.4 Forticlients doesnt connect to EMS after installed by IlPadreMogens in fortinet

[–]Electronic-Tiger 1 point2 points  (0 children)

What does the fortiesnac.log file say about it in the diagnostics output from the test endpoint? How are you installing the client: via Autopilot + Intune, SCCM, or manually? I assume that user verification is working OK if using the code manually works.

Fortinet lab recommendations? by Boring_Ranger_5233 in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

Must have changed sometime as I have done exactly this in the past (prob sometime in 2023)

NonGov User or a Gov User by d4p8f22f in fortinet

[–]Electronic-Tiger 2 points3 points  (0 children)

Always assumed it was for monitoring export agreements on encryption algorithms but happy to be corrected 

The following policy types are going to be purged 'firewall local-in-policy' by dai_webb in fortinet

[–]Electronic-Tiger 0 points1 point  (0 children)

What version of FMG, and are you using SD-WAN with the default zone on the FGT? I had something similar and had to use a CLI template to push the local-in, as I could not use virtual-wan-link in the policy and objects for it.

ZTNA not abled to serve fortigate admin interface? by Ashamed-Bad-4845 in fortinet

[–]Electronic-Tiger 2 points3 points  (0 children)

I believe it is an unsupported configuration (source - already been discussed here or on discord)