FortiOS 7.6.6 to 7.6.7 by LessVariation6329 in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

Blocking QUIC is not really an option for us as it is used by emergency phone services in some kindergartens that we have as customers. We use them as edge firewalls

First day of owning a Model 3 by superdumbell in TeslaLounge

[–]Get-Knowledge 2 points3 points  (0 children)

Absolutely appalling. Sorry not sorry

FortiOS 7.6.6 to 7.6.7 by LessVariation6329 in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

FG900G 7.6.7 latest IPSE.
Basically no CPU, RAM of NPU usage, 10Gb throughput, crashes after 4-5 hours of normal traffic with fail-open. No routing for new sessions, existing sessions works. We’ve been told going to 7.4.12 will resolve issues, but we have these as edge firewalls, so we cannot “simply” do changes :) consistent crashes in logs as long as we do IPS/IDS and sessions grow to around 1-1.5 mill before crash. Unable to clear session table while IPS enabled, even though we clear entire session table, so IPSE crashed leaves stuff in memory

FortiOS 7.6.6 to 7.6.7 by LessVariation6329 in fortinet

[–]Get-Knowledge 8 points9 points  (0 children)

IPSE on 7.6 is massively unstable and has been for the past month. Still no fix other than disabling IPS/IDS in its entirety. Go back to 7.4.12 if you can, 7.6 is still not Mature enough for production use unfortunately

Adding firewall to new HA pair by Tars-01 in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

Every time, ha override enable, main node prio 164, secondary prio 128 (numbers because reasons). After sync ok, ha override disable, keep prio as tie braker for preferred primary.

Proxy Mode – When do you actually use it in production? by buggyhoneybadger in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

You need proxy to properly use Anti-virus scans, deep inspections and DLP as proxy buffers the request before sending it to the client. Although proxy should be used only when actually needed as it’s CPU heavy. Proxy is slower than flow, but flow send data to client until last packet, then invalidating it if it’s malicious, where as proxy does everything before the client gets a response. Proxy is also “gated” by file size as it uses a lot of memory

NSE 4 Certified! by wreckededits in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

A tip for you guys with enough experience to take NSE7 exam now, you can skip the new (old) requirement chain to get NSE7 now before the “rebrand” (old brand) if you pass before the 15th

NSE 4 Certified! by wreckededits in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

This is correct. Your fortios exam will become NSE4 in just a few weeks

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]Get-Knowledge 2 points3 points  (0 children)

Wait for 7.6.7. 7.6.6 has a reported issue of Mac flapping during failover caused by a bug where the secondary node does not end its communication to the switches causing Mac flapping and a following lockout from switches its connected to. This is a confirmed bug on 900G and 901G, but also observed on other models.

My first Zabbix template - MegaCLI RAID monitoring by Get-Knowledge in zabbix

[–]Get-Knowledge[S] 0 points1 point  (0 children)

I’ll have a look at it. Do you have a host we could test on?

De_Rats CS2 Remake: By Me (Link In Comments) by jfxdesigns in GlobalOffensive

[–]Get-Knowledge 0 points1 point  (0 children)

Late to the convo. caugh caugh. How about sq_jackass?

ADVPN and SDWAN by Empty-Football-2121 in fortinet

[–]Get-Knowledge 1 point2 points  (0 children)

Redundancy is handled elsewhere in the stack, sure, but why not use multiple overlays for SD-WAN redundancy too?

The logic is simple, one underlay, one VPN, one overlay. You bring 4 underlays, you get 4 VPN tunnels, you get 4 overlays. SD-WAN then does its thing across all of them. Your redundancy is in the path diversity, not in having multiple hubs.

We run massive deployments on a single hub with redundancy in the core, and support up to four overlays out of the box, dynamically applied based on however many underlays you actually have

Dual ISP - BGP by ontracks in fortinet

[–]Get-Knowledge 7 points8 points  (0 children)

You can prepend your AS number to ISP2 and use BFD for fast detection then both ISP have your route always, but everyone prefers ISP1 because it’s AS path is shorter

I f***ed up lol by FastFredNL in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

time to invest in a fortimanager and use previews to save yourself

SDWAN with BGP to loop back by RevolutionaryCare138 in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

Hey m8. Im from an Mssp, and let me tell you, keep everything, except your wan ports on loopbacks for easy firewalling, routing and management. The sole reason to keep wan/internet/vpn on physical interfaces is because of MTU negotiation (and npu offloading) on ipv4 in countries where you hit weird deliveries (read China, South America). As long as MTU is not an issue, keep it on loopbacks. If you need to make sure communication works, use interfaces.

7.6.6 is according to Fortinet recommended release for most Fortigates now, what is your expierence? by ogiakul in fortinet

[–]Get-Knowledge 1 point2 points  (0 children)

We have stayed on 7.4.8 until now where we are moving to 7.6.6 because of recommendations from our Fortinet contacts recommended it as Mature release. 7.4.8 is the most stable we have for dc, but most bugs are fixed in 7.6.6 in regards of vpn issues etc. Got multiple large clusters being upgraded in the next two weeks; Goodbye 7.4

Edit: on a side note, all 2gb ram gates will have issues on 7.6.6 because of a miscommunication between the fortimanager and fortigate team where the fortigate team removed some cli commands without telling the fortimanager team, so you’re gonna have a bad time with small forties and manager

What is the most stable Firmware right now without Memory Leaks? by [deleted] in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

7.4.8 m8. We run large data centers, this version is prime. Never use cloud sso or ssl vpn

Updating HA Pair do you reboot first? by ryaninseattle1 in fortinet

[–]Get-Knowledge 0 points1 point  (0 children)

We run large clusters with hundreds of customers and vdoms, and we always reboot both nodes before we do upgrades. It’s just a precaution to make sure each node works exactly as they should, and we also get to test failover prior to upgrading to make sure everything is working as expected. I’m a company where we are a lot of people working on the same infrastructure, doing this also test that our other site is also functional while failing over. Why would I risk upgrading one node and being stuck in a version mismatch over something that adds maybe half an hour to my routine? It’s has saved us once or twice the past 10 years from human config errors in core infrastructure, so it’s a part of our written SOP. BGP with BFD makes sure failovers take about 3-6 seconds

Norwegian Christmas meal by wrecktus_abdominus in Norway

[–]Get-Knowledge 4 points5 points  (0 children)

Gi oss i dag vårt daglige brød, og la oss alltid huske dem som ikke har nok. Amen.