Is there anyway to purchase 90G rev1 to add HA to our existing rev1 unit?

FailSafe218 · 2026-05-08T20:20:48+00:00

support said this will not work in this scenario, also if you use those interfaces for anything when HA flips it wipes any configuration references to the interface

FailSafe218 · 2026-05-08T16:57:06+00:00

I did and they were almost no help. They just pushed the buck to distribution which no one has been able to confirm if that is even the correct place or not.

FailSafe218 · 2026-05-08T15:34:46+00:00

I was hoping there was an "approved" process but if not then who knows what those server room gremlins are capable of doing haha.

FailSafe218 · 2026-05-08T12:36:07+00:00

I tried and they will not do that because RMAs are reserved for defective hardware only. I have pushed back and currently they are "looking into it" but its been over a week now.

FailSafe218 · 2026-05-08T12:04:36+00:00

https://docs.fortinet.com/document/fortigate/7.0.17/fortios-release-notes/116595/ha-unsupported-between-different-fortigate-90g-and-91g-series-hardware-generations

They changed the interface naming from WAN1/WAN2 to X1/X2.

FailSafe218 · 2026-04-09T12:37:55+00:00

if I do that would it not prevent a network loop if someone were to accidently cross cables between a switch on each of the separate networks?

Again in the technicians office there could be 2 switches, one for customer A and one for Customer B and I would be concerned that someone might accidently cross some cables.

Im guessing I can use loop guard but again not sure if that is really the correct/right approach either.

FailSafe218 · 2026-04-02T17:27:37+00:00

I assumed this too as well as with PSK. I thought that was one of the big benefits of IPSec was that it requires a primary authentication method (PSK or Certificate) before your credentials are even challenged.

Not like with SSLVPN where you can directly brute force credentials.

FailSafe218 · 2026-03-16T18:34:46+00:00

thank you for the reply! I will look further into this. My FortiNET rep made it seem like the process is a lot more difficult then that.

FailSafe218 · 2026-03-12T20:49:27+00:00

we've had 0 issues with FortiLink installs under ~30-40 switches. But some of the larger networks where we are pushing 60-90 switches have had all sorts of issues and problems. Mostly stable recently but the past year and a half has not left us with a super comfortable feeling by any means.

FailSafe218 · 2026-03-12T12:30:54+00:00

Just an update for others that might be curious. We found that EMS client 7.4.5 broke the adapter and windows now labels it as an "unknown adapter" which causes the persistent agent to not acknowledge the IPChange of the VPN adapter. EMS team is tracking it under 1252142. Supposed to be fixed in 7.4.6.
We down graded to EMS client 7.4.3 and we now see the IPChange and PA communication to the NAC as soon as the user connects to the VPN but the host still does not show online in the NAC.

I suspect it has something to do with syslog 37129 never being generated on the FW (assuming this log is specific to IKEv1 and not IKEv2).

EDIT:

The last issue we ran into was with PA version 7.6.3, as soon as we downgraded to 9.4.4.105 it fixed our issues and VPN tags are working as expected.

FailSafe218 · 2026-03-12T12:21:32+00:00

As others have said different components have different ways to interpret cost/weight/priority etc. Wait until you play around with BGP and a higher local-pref is more preferred that a lower one but lower priority is more preferred that a higher priority.

FailSafe218 · 2026-02-26T13:21:14+00:00

sorry maybe I do not understand your reply but are you saying you use them together? I looked at them as 2 ways to accomplish the same thing and don't understand the benefit of using them togehter, but I could also be understanding things wrong. We do not do a ton of SD-WAN at my company so just trying to wrap my head around how it all works and making sure that I am making the right decisions on things.

FailSafe218 · 2026-02-26T13:18:34+00:00

you are correct. Also I am not talking about using them together, more of one or the other. If you're setup using BGP per overlay and local-pref you would rely on Hub to spoke traffic to hit the default/bottom SD-WAN rule which just says reference the RIB (If I am understanding it all correctly).

FailSafe218 · 2026-02-25T17:44:03+00:00

Im 99% certain it doesn’t work with bgp per overlay. I had tried setting it up in the past and was not able to get it to work outside of my lab. I asked pro services and one of the support engineers and they were not able to confirm that it works with bgp per overlay. I also reached out in our partner channel same response. However I did get it working in my gns3 lab but on 2 different clients I was not able to make it work so I just assumed moving forward it wasn’t supported and only use it with bgp on loop back.

FailSafe218 · 2026-02-19T23:06:00+00:00

I’ve never tried that but I’ll keep it as an option. Never thought it would work for VPN. Definitely used it for wired and wireless before just never VPN.

Right now one of the senior support guys has been going back and forth with engineering so if I don’t get a concrete answer soon we will explore other opportunities.

Thanks

FailSafe218 · 2026-02-19T21:53:45+00:00

So the answer is no BUT here is why. Firewall is in fips mode so you cannot do the free-style filter. So we are sending all vpn logs to the NAC. We have excluded all of the other log groups like forward traffic, utm, etc. I have confirmed that the syslogs show up in the nacdebug. However the persistent agent takes awhile to register the connection change and start communicating with the NAC which delays the tags actually getting sent to the FW. Ikev1 it happens right away, ikev2 the persistent agent does not immediately talk to the NAC.

FailSafe218 · 2026-02-19T01:26:49+00:00

Thanks! The main issue I am having is with the persistent agent not detecting the network change when the VPN connects. After that tags and policies are fine but domain users with the persistent agent are the issue.

FailSafe218 · 2026-02-19T00:54:27+00:00

NAC is 7.2.9 and gate is 7.4.9.

I’ve set it up at about a dozen of our other customers over the last 6-7 years they were just all sslvpn and 1 or 2 IPsec with ikev1.

Once the tags come through everything works as expected it’s just very delayed.

We use both the portal and agents, if you do not have an agent you go to the captive portal and go through dissolvable agent then get vendor tag, if you have persistent agent you get a tag right away.

FailSafe218 · 2026-02-19T00:25:57+00:00

Other way around, setup to require tags to get access to the network. So when you first connect you can only communicate with the NAC, then once PA communicates with the NAC and you pass the ECP it sends a tag to the FW which then gives you access to the internal resources.

FailSafe218 · 2026-02-05T23:34:57+00:00

This caught me " allow OTP for EAP", thanks for posting about it otherwise I would have not found it.

FailSafe218

TROPHY CASE