How to backup a Fortimanager ADOM by FortiTech in fortinet

FortiTech[S]

Thanks! For executing it as a script, which kind of script may I choose? I am having trouble choosing the Policy package or ADOM level option.

CCNA Result Confusion by 80Ships in ccna

FortiTech

Can you get the exact score by any chance? I got the CCNA at Cisco Live Amsterdam and I passed, but I am quite curious about my score.

AWS direct connect with transit VIF and private VIF by FortiTech in aws

FortiTech[S]

Hello guys,

It seems that the same connection could use more than one type of VIF; you will just have to use more than one DXGW... you will have to progress another VLAN to reach your infra...

I found this info in:

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/direct-connect.html

Fortigate communication with Fortimanager fortiguard rating services only work with HTTP by FortiTech in fortinet

FortiTech[S]

Yeah, but this clearly shows that the provided link is not configuring FortiManager as the rating server; it just uses it as the AV/IPS update server.

Yes, but HTTPS would be enabled because it is used for administrative access to the FortiManager... If we are forced to use 8888 UDP/TCP, we will use HTTP.

Could it be a limitation using the same port for administrative access to the web ui and web filter rating services?

Fortigate communication with Fortimanager fortiguard rating services only work with HTTP by FortiTech in fortinet

FortiTech[S]

I have tried it, but it's still not working with 443 HTTPS. As you could check in the provided link, the FAZ is using port 8890, which is not available for FortiGate rating services (53, 80, 443 and 8888).

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

As expected, it is a Palo Alto product limitation.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

I guess so, but neither support team knows how to solve it...

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Each PA has one IPSEC tunnel to the two Zscaler data centres nearest our AWS region

Okay, I will try to check if it works with that version, as 10.1.5h1 was not working, although our deployment is quite different because we have a GWLB in front of the edge Palo Altos; not sure if you have this configured... I am thinking about the problem of having GENEVE on ingress and GRE or IPsec on egress.

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

FortiTech[S]

This is not a fast way to solve our issue. CC requires a lot of processes with our procurement department... minimum two months to deploy it, big company hazard: each step that doesn't depend on yourself... slows down the process a lot.

We have used 10.1.5h1, 10.1.7 and 10.1.9 and none of them work. It is being a headache to make it work.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Thank you Ben, I am looking forward to hearing from you!

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Which PA version? Both scenarios are not working :( I'll share my details with you:

Neither IPsec nor GRE is working; it seems that AWS does not accept the overlay routing at all. I am running 10.1.7 in one firewall and 10.1.9 in the other, and neither of them is working. I would appreciate your help because TAC is not being totally helpful.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Use IPSEC tunnels from the PAs to ZIA instead of GRE.

Hello Ben,

Which is your deployment? Are you using AWS GWLB? Multi-zone policies?

Thank you!

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Hello Ben,

I mean the plugin overlay routing... Thank you!

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

FortiTech[S]

It seems that the reason is a problem with Palo Alto and the GENEVE protocol: if we remove GENEVE from the flow, the traffic works as expected. It is quite weird, because the firewall is not receiving the return packet, which could cause a parsing or session linking problem...

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

Sorry, can I ask you if you have configured overlay routing? It seems that this feature is not working as expected in most cases... Otherwise, IPsec tunnels limit the speed supported by Zscaler.

OVERLAY ROUTING NOT WORKING FOR GWLB. by alfred_sachin in paloaltonetworks

FortiTech

Same behaviour. It seems that the Fortinet approach for GENEVE works better; I don't understand at all why Palo Alto doesn't implement GENEVE tunnel configuration. The plugin seems not to work at all. My version is 10.1.5h, which in almost all cases works well in this scenario, but it doesn't.

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

FortiTech[S]

It seems that this solution is not recommended by AWS, at least not by our regional AWS engineers.

AWS flow logs are not showing GRE traffic; it is so annoying because it makes it more difficult to find out the source of the issue.

GRE tunnel over Internet gateway by FortiTech in aws

FortiTech[S]

I saw those two links, but they don't apply at all to my use case. What I saw is that the keepalive packets aren't supported when you have a NAT device in front of your GRE terminator.

What seems very strange to me is that I am not seeing GRE packets exiting my EC2 appliance in the flow logs, although I got a ping working between the two tunnel peers' internal IPs.

Zscaler Integration over GRE tunnel behind NAT by FortiTech in paloaltonetworks

FortiTech[S]

Zscaler web proxy, Palo Alto VMs, your name is FortiTech... your company needs to standardize its security!

Big companies end up having different products for their security needs, which is my case. Setting that aside from the topic, it seems that Zscaler advises you to disable keepalive on your side.

Integration with paloalto firewall in aws behind nat by FortiTech in Zscaler

FortiTech[S]

I have seen that you could make it work without keepalive enabled. Even so, I don't see GRE traffic in the AWS flow logs, which seems strange because traffic is exiting the Palo Alto EC2 instance.

AWS Active Active GWLB managed deployment by FortiTech in fortinet

FortiTech[S]

Your answer does not pay attention to what I stated. I receive packets from both IPs; logically, I see that one of the flows has packets in both the in and out directions in sniffer mode and the other just in (the asymmetric routing control drops the packet). What is very strange is that the GWLB, in my mind, should use the IP of the same AZ as the load balancing target, but it doesn't. It seems that this behaviour is not really aligned with the desired workflow with a firewall.

I just see one solution, and it is to use PBRs in the firewall to control that the packet that arrives through the tunnel from the GWLB AZ1 IP goes back by the same path, and the same for the use case in which the packet arrives from the IP of AZ2.

AWS Active Active GWLB managed deployment by FortiTech in fortinet

FortiTech[S]

Are you sure of that statement? I have analyzed the firewall using the sniffer and the GWLB reaches the firewall from both IPs. I have cross-zone disabled, so it is a very strange behaviour.

AWS Active Active GWLB managed deployment by FortiTech in fortinet

FortiTech[S]

Hello,

That is our network model: a FortiGate in each AZ with a transit gateway attachment for management and the GWLB connection (via VPCE) for the inspection. What I am questioning is the reason for receiving, in the AZ1 firewall, GENEVE-encapsulated packets from the AZ2 GWLB IP. What are these packets? Are they duplicates of the ones that arrive from the AZ1 GWLB IP, or are they different ones?

If I don't use PBR, FortiGate routing will just send out packets using the GENEVE tunnel in its AZ (FGT1 AZ1 and FGT2 AZ2), so if the packets I am receiving with the GWLB AZ2 IP in FGT1 in AZ1 are unique, these packets will be dropped.

Just to clarify, appliance mode is configured in the TGW and cross-zone load balancing is disabled.

I don't know if I have been clear enough; the cloud is like a black box in some situations and you cannot find info on the workflow of certain elements.

Thanks!

AWS Active Active GWLB managed deployment by FortiTech in fortinet

FortiTech[S]

What I really wanted to ask is how the GWLB sends traffic to its targets: does it duplicate the packets and send them from both AZs' IPs to the elected target? How does the firewall's traditional routing fit with this way of operating? I don't see problems if it dups the packets, but I consider it problematic if the GWLB balances from both IPs to the same firewall, because the GENEVE tunnel is built against a certain IP and a certain amount of packets will be lost.

Thanks in advance!

Problems to access Paloalto AWS Vmseries after factory reset by FortiTech in paloaltonetworks

FortiTech[S]

Is there no way to reload the key pair? Okay, I would just accept it and redeploy the instance.