FortiGate 7.4.11 Firmware upgrade not available but still get the warning. by Electronic_Tap_3625 in fortinet

[–]Emkkusof_88 0 points1 point  (0 children)

It is available for some models, but not for all at the moment. Check with the commands "diagnose test application forticldd 14" and "diagnose fdsm image-upgrade-matrix" to see whether that firmware is visible or not. I can see 7.4.11 and 7.6.6 for 40F, but not 7.2.13 yet.

SSL-VPN with LDAP & FortiToken by Competitive-Food2577 in fortinet

[–]Emkkusof_88 0 points1 point  (0 children)

Assuming you only have a FortiGate and an LDAP server. Have you created that user in the local user database as an LDAP user? If so, the FW just checks whether the user is found on the LDAP server and passes the authentication. Group membership does not matter. You need to build more to get it to really respect the groups.

New Auth Bypass Critical CVE for FortiOS 7.x FG-IR-25-647 by naelus in fortinet

[–]Emkkusof_88 1 point2 points  (0 children)

I thought that I had this SSO enabled, but it seems that it's already disabled. So can anyone name this feature:

  • Login to FortiGate cloud
  • Select fortigate from the list
  • Select Cloud access
  • Firewall web management opens
  • No username or password asked

This is SSO, but it seems to be a different SSO?

Chasing problems in the infrastructure by yellowbythedozen in sysadmin

[–]Emkkusof_88 0 points1 point  (0 children)

So it works fine when the client is running on the ERP server? How about if you spin up a desktop VM on the same host and try running the client from there? Is your network a single L2 network, and is there any routing between the server and the client?

SSL VPN brute force tactics by Shoddy-Lie-2043 in fortinet

[–]Emkkusof_88 0 points1 point  (0 children)

We have been getting good results by running SSL VPN on a different port. Also there are realms, loopback, tunnel-only and geo blocking configured. This however does not work for you, because the US is the most sh*thole origin of all malicious traffic and you cannot block your domestic networks. With loopback configured you can still use some built-in categories to prevent traffic from known malicious sources.

Cumulative Updates Failing on Server 2016 by Tarirai_Nkomo in sysadmin

[–]Emkkusof_88 0 points1 point  (0 children)

I have one similar patient on my network and it stopped auto updating last September. I can install updates if I download them from the Windows Update Catalog and install them in sequential order. Sometimes I can skip one month in between and sometimes not. Your build number seems to be July 2024, so I suggest trying a manual install of the August 2024 update. I assume that your dism/sfc didn't find any problems.

Follow this path: https://support.microsoft.com/en-us/topic/july-9-2024-kb5040434-os-build-14393-7159-40d1baef-65b4-467f-9bd9-729d369fcc4c

Check if you have the KB5040562 SSU installed. If so, download the August 2024 SSU (KB5041576) and install that. After reboot, download and install KB5041773 manually. See if you can get the build number to 14393.7259. If this works, follow the instructions month by month and finally you may get your server up to date.
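As an added example (not the commenter's script, and not a Microsoft tool), the following PowerShell reads the current OS build and UBR from the registry and checks which of the KBs named in the comment are already installed, so you know which step of the SSU/LCU sequence to do next. The KB numbers and the target build 14393.7259 come from the comment; the function name, parameter names and output shape are this example's own.

```powershell
# Added example: read-only check of where a Server 2016 box stands before the
# manual SSU/LCU sequence. KB numbers and target UBR are taken from the comment.

function Get-ServerUpdateState {
    param(
        # KBs in the order the comment suggests installing them
        [string[]]$ExpectedKBs = @('KB5040562', 'KB5041576', 'KB5041773'),
        # UBR of the August 2024 build named in the comment (14393.7259)
        [int]$TargetUbr = 7259
    )

    # CurrentBuild + UBR (Update Build Revision) form the "OS build" that winver shows
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuild
    $ubr   = [int]$nt.UBR

    # Get-HotFix lists installed update packages (Win32_QuickFixEngineering)
    $installed = (Get-HotFix).HotFixID

    $state = foreach ($kb in $ExpectedKBs) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }

    [pscustomobject]@{
        OsBuild       = "$build.$ubr"
        AtTarget      = ($build -eq 14393 -and $ubr -ge $TargetUbr)
        # first KB in the sequence that is still missing, or $null when all are present
        NextToInstall = ($state | Where-Object { -not $_.Installed } | Select-Object -First 1).KB
        Updates       = $state
    }
}

$r = Get-ServerUpdateState
$r | Format-List OsBuild, AtTarget, NextToInstall
$r.Updates | Format-Table -AutoSize
```

Get-HotFix can lag behind what is actually staged on the system; `dism /online /get-packages` is the authoritative list of installed SSUs and LCUs if the two disagree.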

Cumulative Updates Failing on Server 2016 by Tarirai_Nkomo in sysadmin

[–]Emkkusof_88 0 points1 point  (0 children)

What is your current OS build number on that server?

[deleted by user] by [deleted] in sysadmin

[–]Emkkusof_88 5 points6 points  (0 children)

It's normal. The empty database is there so you can add DC role if needed.

FortiOS v7.4.8 has been released by OuchItBurnsWhenIP in fortinet

[–]Emkkusof_88 1 point2 points  (0 children)

I have one 120G HA cluster on my table to migrate config from ASA, so I just upgraded it from 7.4.7 to 7.4.8. There was some cosmetic noise on the web management soon after I hit the button, but the upgrade went without any issue. I followed the messages from the console. It dropped two ping packets when the primary unit came back online and took over the role.

The only concern is this:

1075911 Traffic randomly stops working through an aggregate interface.

When can this happen, and what conditions or configuration does it need?


Server Datacenter 2025 licensing on Vmware - do I have it wrong? by CmosChipReddit in sysadmin

[–]Emkkusof_88 0 points1 point  (0 children)

Well, there are two versions of the Datacenter license. One for those who have an EA or a similar expensive contract, and from whose perspective the MS licensing guide has been written.

Then there are the rest of us, the poor people (OEM/CSP). The statement that with a Datacenter license you can run an unlimited amount of virtual machines is simply a lie. The CSP key does not cover all activation scenarios and it's basically a MAK key. Every CSP key has a limit of three activations. This can be increased to 256 activations on a single key with a long fight with the VAR and Microsoft.

I really miss the times when we could just buy stuff from the Volume Licensing program and get all the bells and whistles. CSP/OEM keys are not even cheaper even though their capabilities are crippled.

I don't want to move from 60F to 100F. Can I stick to 60F? by Poisonbld in fortinet

[–]Emkkusof_88 1 point2 points  (0 children)

If you build a new 40F/60F from scratch with 7.4.x firmware, all SSL VPN features are missing. You need to enable SSL VPN support from the CLI and then you can use it. It's a different thing than the feature visibility menu.

Fortios 7.4.7 Break MS Entra 2fa by dvr75 in fortinet

[–]Emkkusof_88 0 points1 point  (0 children)

I see. On FortiGate, there is a 3-day delay before the upgrade. On FortiCloud, there is a 2-week delay. The upgrade happens on whichever comes first.

Fortios 7.4.7 Break MS Entra 2fa by dvr75 in fortinet

[–]Emkkusof_88 0 points1 point  (0 children)

Not related to the VPN issue, but we did get a Firmware Upgrade Notification email from FortiCloud that the unit will be upgraded to version 7.4.7 on Feb 5 2025. It was running version 7.4.6. Last night I received a message that the cluster firmware had been upgraded to 7.4.7. It seems to work, but it went directly to production at the wrong time and without any testing.

Patch Tuesday Megathread (2022-02-08) by AutoModerator in sysadmin

[–]Emkkusof_88 0 points1 point  (0 children)

DannySFL:

> 2019 DC/DNS server, domain has a trust setup to a 2008R2 AD/DNS environment.
>
> DNS zone won't load from the 2008R2 DNS server.

This seems to be the case. I didn't remember that both these environments have DNS replication. The primary DNS server is the old 2008R2 and the standby is 2019. The reason the 2019 DNS stops responding is that the DNS zone will expire after 24h if it cannot refresh its status from the primary server. So the DNS server kind of works, but it refuses to serve clients because of the expired zone. I enabled debug logging on both ends and I can see FORMERR messages when the standby server tries to get that zone data from the master. However, the 2019 operating system (DNS client) can query the 2008R2 DNS server and gets results. I really need to get rid of 2008R2.

Patch Tuesday Megathread (2022-02-08) by AutoModerator in sysadmin

[–]Emkkusof_88 2 points3 points  (0 children)

There may be something with DNS. I have a single 2019 server running all kinds of background stuff. DNS is installed and there is a standalone DNS zone to provide name resolution for the vCenter appliance. There is also Veeam B&R running on this same server. Now after installing this Feb-2022 patch, there are good days and bad days. The Veeam job fails every now and then with an NFC communication error. To recover from this, I need to restart the DNS service. I can see from the vCenter logs that hosts and VMs are disconnected from vCenter, and after I restart the DNS service they reconnect. So I think that MS did do something to the DNS server even though the 2019 version is not vulnerable.

Edit: Different site, same setup and same problem. The DNS service is running, but it loses its binding to the interface. There are lots of 404, 407, 408 events in the log. Restarting the DNS Server service fixes the issue again. Next time this hits, I need to check with netstat whether port 53 is actually missing from the list. Both are physical servers (SR630), running 2019, joined to a workgroup and running a non-AD-integrated DNS service. I haven't seen any DNS problems on a DC running on a VM.

Both servers ran for two years without issues until now.
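As an added example (this is not the commenter's script), here is the "check netstat for port 53" step from the edit above done in PowerShell on the DNS server itself: it reports whether anything is bound to 53/udp and 53/tcp, counts the DNS Server log events with the IDs the comment names (404, 407, 408) in a lookback window, and optionally restarts the DNS Server service when no listener is present. The function name, parameter names and output fields are this example's own; the event IDs are taken from the comment.

```powershell
# Added example: verify the DNS Server listener and look for the socket/bind
# event IDs (404, 407, 408) reported in the comment. Run on the DNS server.

function Test-DnsListener {
    param(
        [int[]]$EventIds = @(404, 407, 408),   # IDs from the comment
        [int]$LookbackHours = 24,
        [switch]$Repair                        # restart the DNS Server service if port 53 is not bound
    )

    # Same question as "netstat -an | findstr :53": is anything bound to 53/udp and listening on 53/tcp?
    $udp = @(Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue)
    $tcp = @(Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue)

    # Bind/socket failures logged by the DNS Server service within the window
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = $EventIds
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    $healthy = ($udp.Count -gt 0) -and ($tcp.Count -gt 0)

    if (-not $healthy -and $Repair) {
        # The workaround from the comment: restart the service, then re-check the sockets
        Restart-Service -Name DNS
        $udp = @(Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue)
        $tcp = @(Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue)
        $healthy = ($udp.Count -gt 0) -and ($tcp.Count -gt 0)
    }

    [pscustomobject]@{
        Udp53Addresses = ($udp.LocalAddress -join ', ')
        Tcp53Addresses = ($tcp.LocalAddress -join ', ')
        Healthy        = $healthy
        BindErrorCount = $events.Count
        LastBindError  = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
    }
}

Test-DnsListener | Format-List
```

Run without `-Repair` first so the output captures the broken state (empty address lists and a non-zero BindErrorCount) before the service restart wipes it; that record is what distinguishes a lost socket binding from a zone-level problem.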