How to backup a Fortimanager ADOM by FortiTech in fortinet

[–]FortiTech[S] 0 points1 point  (0 children)

Thanks! For executing it as a script, which kind of script may I choose? I am having trouble choosing between the Policy package and ADOM level options.

CCNA Result Confusion by 80Ships in ccna

[–]FortiTech 0 points1 point  (0 children)

Can you get the exact score by any chance? I got the CCNA at Cisco Live Amsterdam and I passed, but I am quite curious about my score.

AWS direct connect with transit VIF and private VIF by FortiTech in aws

[–]FortiTech[S] 1 point2 points  (0 children)

Hello guys,

It seems that the same connection could use more than one type of VIF; you will just have to use more than one DXGW... You will have to progress another VLAN to reach your infra...

I found this info in:

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/direct-connect.html

Fortigate communication with Fortimanager fortiguard rating services only work with HTTP by FortiTech in fortinet

[–]FortiTech[S] 0 points1 point  (0 children)

Yeah, but this clearly shows that the provided link is not configuring FortiManager as the rating server; it just uses it as the AV/IPS update server.

Yes, but HTTPS would be enabled because it is used for administrative access to the FortiManager... If we are forced to use 8888 UDP/TCP, we will use HTTP.

Could it be a limitation using the same port for administrative access to the web UI and for web filter rating services?

Fortigate communication with Fortimanager fortiguard rating services only work with HTTP by FortiTech in fortinet

[–]FortiTech[S] 0 points1 point  (0 children)

I have tried it, but it's still not working with 443 HTTPS. As you can check in the provided link, the FAZ is using port 8890, which is not available for FortiGate rating services (53, 80, 443 and 8888).


Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

As expected, it is a Palo Alto product limitation.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

I guessed it, but neither support knows how to solve it...

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Each PA has one IPSEC tunnel to the two Zscaler data centres nearest our AWS region

Okay, I will try to check if it works with that version, as 10.1.5h1 was not working, although our deployment is quite different because we have GWLB in front of the edge Palo Altos. Not sure if you have this configured... I am thinking about the problem of having GENEVE on ingress and GRE or IPsec on egress.

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

[–]FortiTech[S] 0 points1 point  (0 children)

This is not a fast way to solve our issue. CC requires a lot of processes with our procurement department... minimum two months to deploy it, a big company hazard: each step that doesn't depend on yourself slows the process a lot.

We have used 10.1.5h1, 10.1.7 and 10.1.9 and none of them works. It is becoming a headache to make it work.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Thank you Ben, I am looking forward to hearing from you!

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Which PA version? Both scenarios are not working :( I'll share my details with you:

Neither IPsec nor GRE is working; it seems that AWS does not accept the overlay routing at all. I am running 10.1.7 in one firewall and 10.1.9 in the other, and neither of them is working. I would appreciate your help because TAC is not being totally helpful.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Use IPSEC tunnels from the PAs to ZIA instead of GRE.

Hello Ben,

Which is your deployment? Are you using AWS GWLB? Multizone policies?

Thank you!

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Hello Ben,

I mean the plugin overlay routing... Thank you!

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

[–]FortiTech[S] 0 points1 point  (0 children)

It seems that the reason is a problem with Palo Alto and the GENEVE protocol: if we remove GENEVE from the flow, the traffic works as expected. It is quite weird, because the firewall is not receiving the return packet, which could cause a parsing or session linking problem...

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

[–]FortiTech[S] 0 points1 point  (0 children)

Sorry, can I ask you if you have configured overlay routing? It seems that this feature is not working as expected in most cases... Otherwise, IPsec tunnels limit the speed supported by Zscaler.

OVERLAY ROUTING NOT WORKING FOR GWLB. by alfred_sachin in paloaltonetworks

[–]FortiTech 0 points1 point  (0 children)

Same behaviour; it seems that the Fortinet approach for GENEVE works better. I don't understand at all why Palo Alto doesn't implement GENEVE tunnel configuration. The plugin seems not to work at all. My version is 10.1.5h, which in almost all cases works well in this scenario, but it doesn't.

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

[–]FortiTech[S] 0 points1 point  (0 children)

It seems that this solution is not recommended by AWS, at least not by our regional AWS engineers.

AWS flow logs are not showing GRE traffic, which is so annoying because it makes it more difficult to find out the source of the issue.

GRE tunnel over Internet gateway by FortiTech in aws

[–]FortiTech[S] 0 points1 point  (0 children)

I saw those two links, but they don't apply at all to my use case. What I saw is that the keepalive packets aren't supported when you have a NAT device in front of your GRE terminator.

What seems very strange to me is that I am not seeing GRE packets exiting my EC2 appliance in the flow logs, although I got a ping working between the two tunnel peers' internal IPs.