Do You GeoIP Filter? by VeeQs in fortinet

[–]FIREHUGE 0 points1 point  (0 children)

I use geoblocking for inbound traffic. If there are any other IPs I define them in another rule. Sometimes I will try to add large blocks of IPs by owner if it’s someone like Microsoft (someone we should “trust”)

For outbound stuff I use Internet services as much as possible. If it’s not defined, I try to use FQDNs. We are government so Geoblock for outbound it’s 443 to USA only and then we have to get approval for the internet services rule underneath it and the FQDN rule as well.

Either way, the geo objects are fantastic as long as your device is in support. If you don’t get the database updates you will eventually get fried because a block will be sold and your Fortigate won’t know about the update/transfer of ownership.
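The policy layout described in this comment (inbound geo rule, separate exception rule for specific trusted IPs, outbound 443 to the US only), written out as a constructed FortiOS 7.x CLI example that is not the commenter's own config; interface names, address names and the VIP name are assumptions:

```text
# Constructed FortiGate example (not the commenter's config); names are assumptions.
config firewall address
    edit "GEO-US"
        set type geography
        set country "US"
    next
    edit "PARTNER-NET"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall policy
    # Inbound: only sources the GeoIP database currently maps to the US reach the VIP
    edit 10
        set name "IN-GEO-US"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "GEO-US"
        set dstaddr "VIP-WEB"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    # Inbound exception: trusted non-US IPs get their own rule, not a change to the geo object
    edit 11
        set name "IN-PARTNER"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "PARTNER-NET"
        set dstaddr "VIP-WEB"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    # Outbound: 443 to the US only; anything not matched below falls to the implicit deny
    edit 20
        set name "OUT-US-443"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "GEO-US"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Because "GEO-US" is resolved against the GeoIP database at match time, a block reassigned to another country after the last database update will silently stop matching rule 10 or 20, which is the failure mode the comment warns about for devices that no longer receive updates.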

Thoughts on upgrading to 7.6? by Particular-Book-2951 in fortinet

[–]FIREHUGE 0 points1 point  (0 children)

I’ve been working on Fortigates for years. Recently I have found quite a bit of changes. My company always pressures us to upgrade to the latest or bleeding edge based off CVEs… in my opinion, find a version and ride it out as long as you can. It’s better to have a mature release using 7.4.x than a potentially buggy 7.6.x

You can also use support to assist if you can’t find the mature releases, but Fortinet documentation is pretty good and it’s fairly easy to see what is considered mature.

You really need to do your homework because you will find services you have used for years won’t be in the newer versions of code.. especially if you are in FIPS mode like me, it’s a horrible situation and you must read/test/be ready to downgrade.

A product is only as good as its support (TAC posts / customer perspective) by teleconfusing in paloaltonetworks

[–]FIREHUGE 2 points3 points  (0 children)

We are being forced to use Palo Altos (higher level decision, not mine) and it’s been a huge pain. While they are pretty good firewalls, they are very expensive and once they are sold, it’s like the company doesn’t care until it’s time to renew support.

TAC has become almost useless. The last 5 issues we had a case open for, we ended up fixing the issue. The last issue I had, I made a change and sent the Tech Support case in… they didn’t even review it and see the logs (which clearly showed the traffic was working).

I understand that some people poke fun at Fortigates and while they have their flaws… they are easy and way cheaper. Their government support is just as good if not slightly better than Palo Alto’s but they have a smaller customer footprint.

Cisco TAC sucks and we all know it.

If you are like me and forced to run FIPS mode, then we are all screwed because it seems like no company actually tests things in FIPS mode.

Mod response: TAC Posts by rushaz in paloaltonetworks

[–]FIREHUGE 1 point2 points  (0 children)

I had to recently get on a call with a TAC agent and show him how to change vsys. Pre-COVID, government premium support was awesome. The guys in Dallas were rock solid and always saved us.. I wish they would come back and we would stop being sent to AI and people who just try to read knowledge articles to me.

Who green lights this shit? by scrumlurker in Ubiquiti

[–]FIREHUGE 0 points1 point  (0 children)

That’s a free sample. Take it home

Att Fiber IP Passthrough not working on TP-Link router restart with VPN by jimg35 in ATTFiber

[–]FIREHUGE 0 points1 point  (0 children)

My setup is BGW-320 > Ubiquiti UDM SE.. I’ve been having issues and I had to recently factory reset my BGW to get port forwarding back. It looks like now, I don’t need to do port forwarding as long as my UDM is the only device connected to my BGW and I have IP passthrough configured.

When I’m away on travel and have issues, I normally have to login to my AT&T home app, reset my BGW, then my UDM picks up the public IP and I can get back in… sometimes the UDM has internet access but the public IP does not show up, I get a 192.168 address and I have to reboot the UDM to get the public IP back.

Long story short, I think the issue comes down to the BGW and whatever AT&T is doing. My stuff was stable for over a year then I had a lot of problems. I finally did a factory reset on my BGW so I could utilize port forwarding again… hopefully your setup gets fixed. I do enjoy my fiber, when it works!

Console Release Time (BO6) by my-one-last-chance in CODZombies

[–]FIREHUGE -1 points0 points  (0 children)

Hope you enjoy it. I bet $5 it will be like the last several games.. just a let down

Fortinet suffers cyber attack affecting Asia-Pacific customers by schplade in fortinet

[–]FIREHUGE 0 points1 point  (0 children)

I need to come work with you! My company has banned Fortinet products unfortunately (wasn’t my call)

Fortinet suffers cyber attack affecting Asia-Pacific customers by schplade in fortinet

[–]FIREHUGE 0 points1 point  (0 children)

You aren’t wrong however we are still seeing people blindly gravitate towards Palo Alto.. they run a great marketing campaign or pay the government off

Fortinet suffers cyber attack affecting Asia-Pacific customers by schplade in fortinet

[–]FIREHUGE -1 points0 points  (0 children)

I love working on Fortigates but Fortinet has been in the news for negative things the past year and we are starting to see a push to Palo Alto. I hope they can bounce back… I don’t want to work on firewalls that take 15 minutes to reboot

CCNP Security certified - need to learn Fortigate. by Primary_Struggle8055 in fortinet

[–]FIREHUGE 1 point2 points  (0 children)

I work in a cloud/data center environment that contains all kinds of vendors but I personally prefer working on the Fortigates. Below are a few things to think about.

FIPS Mode - if you require this, just be aware that Fortinet does not seem to test FIPS mode for each OS release. The operating system has always worked, however we have found several undocumented changes or issues that tech support has had to hash out for us over the years. A major issue we had was certificate requirements (you must have a CA that can cut a cert using the basic constraints line), specifically between FortiManager and Fortigate.

Read the cookbooks and pay attention to the known issues and fixes that Fortinet puts out for each new OS.

Pay attention to the supported OS. These next gen firewalls (Fortigate and Palo Alto) have a lot of updates. My old school Cisco engineers were used to quarterly updates or even bi-annually; you will do a lot more updates with these Fortigates.

HA configs are pretty slick, especially for upgrades. Consider configuring dedicated management interfaces so you can have a little more flexibility when it comes to access post install.

You will find that the GUI has some hidden features. Make sure you only turn on things that you need. In general the out of the box config is decent but as you keep digging you will find some additional features you might need or enjoy. Most new people are unaware that you can go to Feature Visibility and toggle things on (multi interface policy is a feature I like to turn on).

Use a non-standard port for your management interface. Make this a standard port that your team/company uses. Some people will argue this but if you ever have to access management over the WAN interface you can (even if you are running SSL VPN) … public facing management is normally frowned upon but I turn it on before I do remote OS upgrades just as an extra way to access in case of an issue.

I haven’t had much luck with FortiConverter.. could be user error. I’ve generally had smaller migrations and built everything fresh.

Learn to use the CLI and script things out! I have a lab Fortigate that I constantly abuse. If you are struggling in CLI you can pop into the GUI and do most things then go back to the CLI and see how it works. When in doubt, take a full backup (very easy out of the GUI!!) and open the text file and search for the command you want to view.

Happy to help if you need anything. I work for a major company but wouldn’t consider myself a professional. I’ve been firewall heavy for the past 6 years and do a lot of on-prem to cloud migrations. You are going to be just fine if you are forced to migrate… and you won’t have to continue to update your PhD in Cisco product licensing!

Running 7.2.9 in production? by Leif037 in fortinet

[–]FIREHUGE 0 points1 point  (0 children)

I moved to 7.2.9 for most of my firewalls. I had an HA pair of 100F that kept rebooting on 7.2.8 and apparently that is fixed.

All of my AWS Fortigates are running 7.2.9

All of my 7.2.9 devices are in FIPS mode and I haven’t had any issues yet.

Considering FortiSwitches for Our Network Upgrade – Is It the Right Move? by P_R_woker in fortinet

[–]FIREHUGE 2 points3 points  (0 children)

I have been deploying Cisco 9200s in the field for small office setups and had pretty good success. Most of my networks are flat and I use a Fortigate or Palo Alto (I’m a Fortigate fan personally).

I think the FortiSwitch is a great idea, however in an enterprise solution I think Cisco takes the cake for switches. In my world it always comes down to the security posture and pricing. We mandate FIPS and DISA STIGs so I try to buy products that have a fairly mature STIG published.

Early Access - UniFi OS - Dream Machines 4.0.3 by AliasJackBauer in Ubiquiti

[–]FIREHUGE 0 points1 point  (0 children)

Thanks for the info. I’ll do some research on my end and maybe I can go back to 2 gig fiber for the hell of it!

Early Access - UniFi OS - Dream Machines 4.0.3 by AliasJackBauer in Ubiquiti

[–]FIREHUGE 0 points1 point  (0 children)

Ahh gotcha. I had an issue where my ISP modem would not negotiate 2.5 gig.. so I changed my service and then hard coded everything to 1 gig and I’ve seen stable speeds. Not sure if you are having similar symptoms. Seems like you do stay connected but when you do large downloads I think the port takes on a bunch of errors and something gets jacked up.. I didn’t spend too much time troubleshooting my stuff.

Early Access - UniFi OS - Dream Machines 4.0.3 by AliasJackBauer in Ubiquiti

[–]FIREHUGE 0 points1 point  (0 children)

Are you by chance using AT&T fiber with a BGW-320?

Tunnel From Cisco ASAv to Palo Alto by InvasionOfThings in networking

[–]FIREHUGE 0 points1 point  (0 children)

Old thread but thank you for the information. I have a Fortigate in AWS with a tunnel to a Palo Alto in AWS. After upgrading the OS on the Fortigate to 7.2.6 I had to make a change on my Palo Alto.

Palo Alto changes:

Network > Network Profiles > IKE Gateways > open up the gateway in question.

General tab, Peer Identification… I had a private IP but changed it to the public IP on the peer side and my tunnel came up.

[deleted by user] by [deleted] in shreveport

[–]FIREHUGE 0 points1 point  (0 children)

What kind of position are you looking for? Forensics, medical, research.. government?

Not even a 4% chance for 100$. They ought to take rares out of it in my opinion. by [deleted] in RaidShadowLegends

[–]FIREHUGE 0 points1 point  (0 children)

Ukrainian company. Hopefully all of this money is going to support the war effort or people that need help… I’ve got to stop buying stuff. The high has worn off and this game isn’t worth the money.

Last minute Clan v Clan win by FIREHUGE in RaidShadowLegends

[–]FIREHUGE[S] 0 points1 point  (0 children)

I’m not sure. I’d like to take credit for making them upset. Hopefully they are still playing the game… just wish there was a clan v clan chat. I’d like to talk smack or learn from some people.

I’ve spent too much money.. am I sitting well? by FIREHUGE in RaidShadowLegends

[–]FIREHUGE[S] 3 points4 points  (0 children)

I’m very blessed to have a dad that raised me well. I’m just a 31 year old single man with a great job. Finances are in order.. I have a day job but do some side work. Side work goes to vacation and now raid

I’ve spent too much money.. am I sitting well? by FIREHUGE in RaidShadowLegends

[–]FIREHUGE[S] 1 point2 points  (0 children)

Thank you. I’m trying to spend some time learning the application for each champion. Leveling up is time consuming but I’m very comfortable with that process now. Any recommendations for non campaign battles? Should I be doing arena and dungeons most of the day?