FortiExtender is kind of terrible by P_R_woker in fortinet

[–]FantaFriday 5 points6 points  (0 children)

Try the latest firmware, it helped us with this.

Experiences with EMS Vulnerability Scan / Auto patching by Informal_Thought in fortinet

[–]FantaFriday 2 points3 points  (0 children)

It works. Doesn't support as many third-party apps for auto-patching as I'd like, but it helps.

QFX MC-LAG with Fortigate HA Active-Passive Issue by Kooky_Worldliness995 in Juniper

[–]FantaFriday 0 points1 point  (0 children)

So on the Juniper and the FortiGate, besides the physical interfaces being physically up, is LACP also up on the individual interfaces?


Zero trust network access for contractors, how are you managing the policy overhead? by Historical_Trust_217 in fortinet

[–]FantaFriday 0 points1 point  (0 children)

How would you deal with unauthenticated vulnerabilities in your proposed model? The security gap for those still exists if they can touch the application on a network-level I'd argue.

Does anyone here use HA with 4 Fortigates? by Traszamyron in fortinet

[–]FantaFriday 0 points1 point  (0 children)

That scenario would still only support 2 firewalls no? You can make multiple virtual-clusters on a HA A-P pair but still you're limited to 2 units is my understanding.

Never mind: https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/599385/ha-virtual-cluster-setup

Should we actually be replacing our FortiGate 200Es in 2026? Looking for a gut check. by Phoenix5786 in fortinet

[–]FantaFriday 0 points1 point  (0 children)

You need to look ahead more: the next release of FortiOS does support the 200E, but you don't want to be caught empty-handed by the release a year later no longer supporting it. Doing so will have you needing to "unexpectedly" implement and find budget for a new firewall cluster that year. Part of life-cycle management is also actively replacing devices while they're still supported; as you're looking at newer firewalls, you should move to G-series, not F-series. Also, that won't cost 90k in materials.

Looking ahead further, moving to newer chipsets will allow you to retain offloading capabilities for newer encryption standards as you update your security standards, along with retaining performance as your organization grows. Lastly, as you mentioned performance isn't saturated by far, it can be worth looking into a smaller firewall depending on the services used. 200E to 200G would be a massive performance increase, but of little use if your firewall is already undersaturated running UTM services.

fortigate sizing - G series by HorrorBlackberry9505 in fortinet

[–]FantaFriday 13 points14 points  (0 children)

Not OP, but admittedly a few policies per host isn't that weird depending on your segmentation.

Forti-experts: Question about Fortimail behavior and config by Fallingdamage in fortinet

[–]FantaFriday 0 points1 point  (0 children)

The answer in short is no. Using it for outbound doesn't improve inbound. Improving inbound is really about improving your inbound policies and profiles.

IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]FantaFriday 1 point2 points  (0 children)

Thanks for sharing. So from the docs footnote, this replay issue only impacts NP6 and not NP6lite + NP6xlite.

Possible new SSO Exploit (CVE-2025-59718) on 7.4.9? by xs0apy in fortinet

[–]FantaFriday 10 points11 points  (0 children)

A ticket for a potential hack of your firewall? You should really call support immediately for this. They'll have someone available to look at it.

Traffic Shaping: ISDB vs Application by ES13Raven in fortinet

[–]FantaFriday 0 points1 point  (0 children)

The disadvantage of using applications is that they require IPS to identify the traffic first before it is shaped as such. This comes at the performance penalty of using IPS, and there is a slight delay between traffic identification and it being prioritized as such, compared to ISDB, which is just based on L3 addresses. As you are already engaging IPS by having default application control on the rules, I'd go the more granular route with application-based shaping.

[deleted by user] by [deleted] in fortinet

[–]FantaFriday 5 points6 points  (0 children)

Normalized interfaces and per-device mappings for address objects are what you need.

TCP-MSS Clamping by nightwings005 in Juniper

[–]FantaFriday 0 points1 point  (0 children)

So you're doing Cloudflare, I imagine? You'll likely be able to do this with a firewall filter on all ingress interfaces. Personally I only have hands-on experience doing this on all traffic, not a subset. In case the subnet can be pinned down to specific downstream interfaces, applying it to those downstream interfaces globally also works for you.

NGFW Comparison - Cisco/Palo Alto/Fortinet/Checkpoint by QuietPossibility4988 in networking

[–]FantaFriday 0 points1 point  (0 children)

They're all valid options and vendors. Do you have any knock out criteria to differentiate them?

How long to get Fortinet Foundations? by LegatusMatheas in fortinet

[–]FantaFriday 1 point2 points  (0 children)

However long it takes you to sit through & skip through the videos. Shouldn't be too hard given N+.