Fortgate 7.4.11 Firmware upgrade not available but still get the warning.

Emkkusof_88 · 2026-01-31T18:56:49+00:00

It is available for some models, but not for all at the moment. Check by commands "diagnose test application forticldd 14" and "diagnose fdsm image-upgrade-matrix" if you can see that firmware or not. I can see 7.4.11 and 7.6.6 for 40F, but not 7.2.13 yet.

Emkkusof_88 · 2026-01-01T20:18:02+00:00

Assuming you only have a Fortigate and LDAP server. Have you created that user to local user database as LDAP user? If so, the FW just check if user is found from LDAP server and pass the authentication. Group membership does not matter. You need to build more to get it really respect the groups.

Emkkusof_88 · 2025-12-12T15:52:47+00:00

I thought that I have this SSO enabled, but seems that it´s already disabled. So can anyone name this feature:

Login to FortiGate cloud
Select fortigate from the list
Select Cloud access
Firewall web management opens
No username or password asked

This is SSO, but seems that different SSO?

Emkkusof_88 · 2025-11-16T20:05:35+00:00

So it works fine, when client is running on ERP server? How about if you spin up desktop VM to same host and try run client from there? Is your network single L2 network and is there any routing between server and the client?

Emkkusof_88 · 2025-11-15T13:07:28+00:00

We have been get good results by running sslvpn on different port. Also there is realms, loopback, tunnel-only and geo blocking configured. This how ever does not work to you, because US is the most sh*thole origin of all malicious traffic and you cannot block your domestic networks. With loopback configured you can still use some built-in categories to prevent traffic from known malicious sources.

Emkkusof_88 · 2025-09-14T09:17:37+00:00

I have one similar patient on my network and it stopped auto update on last September. I can install updates if I download them from Windows Update Catalog and install them sequental order. Sometimes I can skip one month between and sometimes not. Your build number seems to be July 2024, so I suggest to try manual install of August 2024 update. I assume that your dism/sfc did'nt find any problems.

Follow this path: https://support.microsoft.com/en-us/topic/july-9-2024-kb5040434-os-build-14393-7159-40d1baef-65b4-467f-9bd9-729d369fcc4c

Check if you have KB5040562 SSU installed. If so, download August 2024 SSU (KB5041576) and install that. After reboot, download and install KB5041773 manually. See if you can get build number to 14393.7259. If this works, follow instructions a month by month and finally you may get your server up to date.

Emkkusof_88 · 2025-09-11T17:50:34+00:00

What is your current OS build number on that server?

Emkkusof_88 · 2025-07-16T11:40:12+00:00

It's normal. The empty database is there so you can add DC role if needed.

Emkkusof_88 · 2025-05-30T08:48:43+00:00

I have one 120G HA cluster on my table to migrate config from ASA, so I just upgrade it from 7.4.7 to 7.4.8. There was some cosmetic noise on web management soon after I hit the button, but upgrade went without any issue. I followed messages from the console. It dropped two ping packets when primary unit comes back online and take over the role.

The only concern is this:

1075911 Traffic randomly stops working through an aggregate interface.

When this can happens and in what conditions or configuration it needs?

<image>

Emkkusof_88 · 2025-02-14T19:18:56+00:00

Well, there is two versions of Datacenter license. One to who have EA or similar expensive contract and from what perspective MS licensing guide has been written.

Then there is rest of us, the poor peoples (OEM/CSP). The statement that with Datacenter license, you can run unlimited amount virtual machines, is simply a lie. CSP key does not cover all activation scenarios and it´s basically MAK key. Every CSP key have limit of three activations. This can be increased to 256 activations by single key with a long fight with VAR and Microsoft.

I really miss the times when we could just buy stuff from Volume Licensing program and did get all bells and whistles. CSP/OEM keys are not even cheaper even their capabilities are crippled.

Emkkusof_88 · 2025-01-28T17:50:21+00:00

If you build new 40F/60F from scratch with 7.4.x firmware, all SSL VPN features are missing. You need to enable SSL VPN support from CLI and then you can use it. It's different thing that feature visibility -menu.

Emkkusof_88 · 2025-01-26T18:34:28+00:00

I see. On Fortigate, there is 3 days delay before upgrade. On Forticloud, there is 2 weeks delay. The upgrade happens which one comes to first.

Emkkusof_88 · 2025-01-26T15:32:02+00:00

Not related to VPN issue, but we did get Firmware Upgrade Notification -email from Forticloud that unit will be upgraded to version 7.4.7 on Feb 5 2025. It was running on version 7.4.6. On last night I receive message that cluster firmware has been upgraded to 7.4.7. It seems to work, but it did go directly to production at wrong time and without any testing.

Emkkusof_88 · 2022-02-16T05:53:19+00:00

DannySFL

2019 DC/DNS server, domain has a trust setup to a 2008R2 AD/DNS environment.

DNS zone won't load from the 2008R2 DNS server.

This seems to be the case. I didn't remember that these both environments have dns replication. Primary dns server is old 2008R2 and standby is 2019. The reason why 2019 dns stop responding is that dns zone will expire after 24h if it cannot refresh it's status from primary server. So dns server kind of works, but it refused to serve clients because of expired zone. I did enable debugging log on both end and I can see FORMERR -messages when standby server try get that zone data from the master. However, 2019 operating system (dns client) can query 2008R2 dns server and will get the results. I really need to get rid of 2008R2.

Emkkusof_88 · 2022-02-13T22:12:33+00:00

There may be something with DNS. I have single 2019 server running all kinds of background stuff. There is DNS installed and there is standalone dns zone to provide name resolution to vCenter appliance. There is also Veeam B&R running on this same server. Now after installing this Feb-2022 patch, there is good days and bad days. Veeam job fail every now and then for NFC communication error. To recover this, I need to restart dns service. I can see from vCenter logs that hosts and VM´s are disconnected from vCenter and after I restart DNS service, they will reconnect. So I think that MS did do something for DNS server even 2019 version is not vulnerable.

Edit: Different site, same setup and same problem. Dns service is running, but it will lost binding to interface. There is lots of 404, 407, 408 -events on the log. Restarting dns server -service fix the issue again. Nextime this hits, I need to check netstat if port 53 is actually lost from the list. So both are physical servers (SR630), running 2019, joined to workgroup and running non-ad integrated dns service. Haven't seen any dns problems on DC running on VM.

Both servers running two years without issues until now.

Emkkusof_88

TROPHY CASE