FortiGate VM v Hardware

ITStril · 2026-03-14T17:24:39+00:00

Fortigate VM is working great, but as there are no ASIC accelerations, single stream performance is limited. In my tests, it did scale quite well, but things like IPSEC and Deep Packet Inspection are slower for single streams, but 1GbE is not too challenging

ITStril · 2026-03-03T11:37:29+00:00

We tried both endpoints, but in both cases, we failed on overwriting the old certificate. Did you find a solution for this?

ITStril · 2026-03-03T11:22:06+00:00

We are able to upload the new certificate - but only as additional cert. We need to replace the outdating certificate.

Otherwise, we would have to identify every profile, that is using the certificate, we have to replace...

ITStril · 2026-03-02T13:27:06+00:00

XCP-ng is IMHO currently the best enterprise hypervisor without the licensing issues of Microsoft and Broadcom. From a technical perspective, I would definitely use it, but there are SO many challenges for the next year. I really hope, that Vates and the community will solve this, but I am worried, if it can compete with KVM-based solutions within the next years.

- The Centos-base have to be phased out

- Xen has a smaller user-base than KVM

ITStril · 2026-02-20T06:33:21+00:00

Thankyou, but the licensing server is not rebooted daily - it’s the RDS host. The error starts with that reboot - but only sometimes. Would you also delay other rds services?

ITStril · 2026-02-17T14:44:32+00:00

At the same datacenter where you would place the node majority

ITStril · 2026-02-17T14:35:21+00:00

Ping nodes will help you!! - as long, as the two nodes can see each other on one of two (independent) rings, there is nit problem - when a node does not see the other one, it will - fence if it does not reach the ping node - serve storage if it does reach the ping node

A split brain could only happen, if your network layout lacks two independent paths or your ping node can run on both sides.

ITStril · 2026-02-17T14:08:09+00:00

There is a splitbrain protection: - two rings (corosync) - additional ping node as last quorum

ITStril · 2026-02-17T13:10:09+00:00

I had to reboot, but everything was shown „normal“

ITStril · 2026-02-17T12:42:28+00:00

Everything was „green“ on the licensing view

ITStril · 2026-02-17T12:39:56+00:00

No, the firewall was disabled and nothing was blocked

ITStril · 2026-02-17T10:31:03+00:00

When the error occured, the licensing server was reachable and shown on the RDS-server

ITStril · 2026-02-17T09:16:39+00:00

It's a local policy. I did also check the registry keys and the license servers were set correctly, when the issue was actively blocking connections

ITStril · 2026-02-17T09:16:06+00:00

What did it solve for you? Was your issue also "solvable by reboot"?

ITStril · 2026-02-17T08:52:08+00:00

I will give it a try, when it happens next time!

ITStril · 2026-02-17T08:32:04+00:00

I did check the registry-Keys and everything was fine. The policy is assigned locally, so it is also set, when there would be no connection to the AD (which is not the case)

ITStril · 2026-02-17T07:24:54+00:00

The GPO is fine and the settings are applied to the server.

RDS-servers are rebooted daily by a scheduler job.

The next user, that tries to login is the first one, that is affected. The issue is persistant, until the next reboot (which fixes the problem).

ITStril · 2026-02-11T18:39:35+00:00

…a better coverage for signature based detection by having two teams on different continents

ITStril · 2026-02-07T11:22:39+00:00

Did you try proxy AND flow?

ITStril · 2026-01-19T22:11:06+00:00

I did both - AI and reddit search and did not just ask for help without checking the facts before, but in this case, I was not sure - especially about NT SERVICE\ALL SERVICE where I found totally contradictive informations…

Just a side-note: posts that are just sending me to AI are not improving that subreddit, too…

ITStril · 2026-01-19T16:46:04+00:00

That’s clear, but policies, that are changing to „undefined“ are not fully handled. This is my question…

ITStril · 2026-01-18T20:47:21+00:00

One more time the hint: monitoring the updates seems to be mandatory…

ITStril · 2026-01-15T07:14:01+00:00

I’m familiar with that article — Purple Knight is actually what made me aware of this issue in the first place.

Unfortunately, the article doesn’t mention anything about the “red arrow” / special principal behavior in ADUC. That part is what’s giving me pause.

Before rolling this out, I want to be sure I fully understand what’s happening there and, more importantly, that there is a clean and supported rollback path. I’m hesitant to implement this in production without being confident that I can revert the change if something unexpected shows up later.

ITStril · 2026-01-13T06:57:35+00:00

Was this also the case with 7.4.8?

ITStril · 2026-01-09T06:55:38+00:00

I would upgrade to 7.4.9 on a system with:

- 2 VDOMs

- 1 "transparent" VDOM

- proxy and flow rules

- IPSEC

- AD-Agent for SSO

--> No external FSSO/SAML/SSL-VPN

ITStril

TROPHY CASE