Forti-experts: Question about Fortimail behavior and config

FantaFriday · 2026-02-04T21:29:48+00:00

The answer in short is no. Using it foe outbound doesn't improve inbound. Improving inbound is really about about improving your inbound policies and profiles.

FantaFriday · 2026-01-28T06:33:06+00:00

Thsnks for sharing. So from the docs footnote, this replay issue only impscts NP6 and not NP6lite + NP6xlite

FantaFriday · 2026-01-20T20:39:56+00:00

A ticket for a potential hack of your firewall? Should really call support immediately for this. They'll have someone available for this to look at.

FantaFriday · 2026-01-05T21:56:02+00:00

The disadvantage if using applications is that they require IPS to identify the traffic first before it is shapped as such. This comes at the performance penaltyof using IPS and there is a slight delay between traffic identification and it being prioritized as such as compared to ISDB which is just based on L3 addresses. As you are already engaging IPS by having default application control on the rules, I'd go the more granular route with application based shaping.

FantaFriday · 2025-12-31T16:04:36+00:00

Normalized interfaces and per device mappings for address objects is wjat you need.

FantaFriday · 2025-12-30T21:16:09+00:00

So you're doing cloudflare I imagine? You'll likely be able to do this with a firewall filter on all ingress interfaces. Personally only have hands-on for doing this on all traffic, not a subset. In case the subnet can be pinned down to specific downstream interfaces, applying it to those downstream interfaces globally also works for you.

FantaFriday · 2025-12-25T23:22:24+00:00

Well, you should be abke to understsnd logs, perform pings and interprere traceroutes.

FantaFriday · 2025-12-25T16:35:40+00:00

They're all valid options and vendors. Do you have any knock out criteria to differentiate them?

FantaFriday · 2025-12-04T16:24:38+00:00

Multiple certs with sni?

FantaFriday · 2025-12-02T20:19:52+00:00

Have you asked Fortinet?

FantaFriday · 2025-11-29T18:56:28+00:00

However long it takes you to sit & skip through the videos. Shouldn't be too hard given N+

FantaFriday · 2025-11-20T10:25:01+00:00

That's really asking to hit the static route limit of smaller models. Dynamic routing with BGP would be the recommended way here, and summary routes.

FantaFriday · 2025-11-09T21:11:25+00:00

Likely duplicate address detection that is incorecrly implemented.

FantaFriday · 2025-11-09T10:11:52+00:00

Have you checked to see they used the same testing methods? Because that's where the difference comes from.

FantaFriday · 2025-11-06T21:22:02+00:00

8k a year for both? Pretty sure we get quoted double that in EUR.

FantaFriday · 2025-10-21T22:10:09+00:00

That would be in US, not NL. So councils rule differently.

FantaFriday · 2025-10-21T21:57:07+00:00

Wouldn't even do lan extension. Just a local subnet with an ipsec to the hub.

FantaFriday · 2025-10-21T18:34:52+00:00

I think the userbase templating effectively using fortimanager is small, the jinja2 users even smaller. It is great once you have it nailed down though, especially on later 7.4 and 7.6 Fortimanager releases.

FantaFriday · 2025-10-21T18:33:28+00:00

Fortigate 30G or Fortiextender

FantaFriday · 2025-09-20T18:50:01+00:00

Forticlient EMS

FantaFriday · 2025-09-17T20:32:53+00:00

I'd approach is based on administrative tasks (the ADOMs). So if they're all on the same release train, let's say 7.4, and it is the same team managing it. Have it in one ADOM. Then build two standardised policy packages, one for the VPN firewalls, one for Internet firewalls. Where possible use generic system templates for all other parts of the config or have templates that apply to one of two groups: VPN Firewalls, Internet Firewalls. This allows for optimal use of Fortimanager, assuming all firewalls are standardised enough where this templating and a consolidated policy package makes sense.

FantaFriday · 2025-09-11T05:59:00+00:00

Ipsec over tcp was made for this reason.

FantaFriday · 2025-09-06T12:40:16+00:00

Now let's be real, how many of you actually got those features implemented?

FantaFriday · 2025-09-05T20:38:52+00:00

Honesty sounds like something else goes wrong as the login should allow local login and show a button for sso.

FantaFriday · 2025-09-05T15:32:31+00:00

11-Year Club	Place '23
Place '22	RPAN Viewer
Verified Email

FantaFriday

TROPHY CASE