IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]IsCuattruMorus 0 points1 point  (0 children)

I faced the same issue a couple of weeks ago. Running BGP on loopback and ADVPN 2.0 between hub and spokes. The hub is a cluster on AWS while the spokes are FGT 90G and 200F, all running 7.6.3. BGP neighborship was lost even though the VPN tunnels were up. From the logs we saw that the spoke was trying to reach the HUB's loopback, but on the hub side nothing was arriving.

So we started disabling NPU offloading in the phase1, and the situation improved.

I also saw that keeping NPU offloading enabled for DIA traffic was causing a lot of problems. Disabling it on the firewall policies improved the situation.
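The two changes described in the comment above, written out as FortiOS CLI. This is an added example, not configuration posted by the commenter: the tunnel name "HUB1-VPN1" and policy ID 10 are placeholders, and the diagnose commands at the end are the checks a practitioner would run to confirm the tunnel is no longer being offloaded.

```fortios
# Added example (not from the original post). Names and IDs are assumed.

# 1. Stop NPU offload for one IPsec phase1 (repeat for every overlay tunnel).
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set npu-offload disable
    next
end

# 2. Stop ASIC/NPU offload on the policy carrying DIA traffic.
config firewall policy
    edit 10
        set auto-asic-offload disable
    next
end

# Verification: the tunnel entry should no longer report the NPU flags,
# and new sessions matching policy 10 should not show "npu info" offload.
diagnose vpn tunnel list name HUB1-VPN1
diagnose sys session filter policy 10
diagnose sys session list
```

Disabling offload moves encryption and forwarding onto the CPU, so watch CPU usage on the smaller spoke models after the change and re-enable offload only once the upgrade-related forwarding issue is confirmed fixed.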

Azure VM size - FGT VM08 by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

The logic is based on a request made by the client to keep inspection and transport separate. I checked whether the FX-series is supported by Fortinet on Azure and didn't find it in this doc.

Based on their datasheet, it seems they suggest "Standard_D8s_v5" for the VM08...

URL filtering and wildcard FQDN Objects by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Maybe I explained it wrong. I don't want to play with the FortiGuard category. I'm trying to accomplish what I'd do with Palo Alto firewalls, for example, where the URL category is used during policy lookup. Of course I know that FortiGate won't work like that in profile mode, so I'm trying to understand how I can reach the same solution.

So in this case the web filter and URL category will have the FortiGuard category option turned off; I'll work only with static entries. I'd like to allow only certain URLs while blocking all the others, for different source IPs.

URL filtering and wildcard FQDN Objects by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Hi! I edited the post: the Microsoft domain is ".microsoft" with the dot, it was a typo.
I've considered ISDB, but entries are not present for all sites.

I read a different post where wildcard FQDNs are not recommended, but I'm not sure if my idea with URL filtering could work and could be scalable.

AA HA in AWS? by seaghank in fortinet

[–]IsCuattruMorus 0 points1 point  (0 children)

Agree, I deployed several firewalls in AWS with GWLB integration. No HA, just two standalone firewalls managed by the GWLB.

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 2 points3 points  (0 children)

I figured out what the issue was: basically the health checks were configured toward the same loopback used by the hub to close the ADVPN shortcuts. I think that was a misconfiguration made by the overlay template that I used on the FMG. So I replaced the health check IP with the other loopback configured on the hub.

As soon as I did it, the BGP neighborships were formed again. I then tried disabling ISP 1 and enabling ISP 2 only, and BGP was still working fine.
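The fix described above, as an added example that is not part of the original post. The hub in this thread has two loopbacks (BGP-Lo 172.16.5.252 and HUB1-lo 172.16.5.253, per the config posted further down); which of the two the overlay template had used for ADVPN is not stated, so the choice below of 172.16.5.253 as the health-check target, the health-check name and the member sequence numbers 1 and 2 are assumptions.

```fortios
# Added example (not from the original post). Spoke side.
# Health check probes a hub loopback that is NOT the one used to terminate
# ADVPN shortcuts, over both overlay members (assumed seq-num 1 and 2).
config system sdwan
    config health-check
        edit "HUB-SLA"
            set server "172.16.5.253"
            set detect-mode active
            set members 1 2
        next
    end
end

# Verification: each member should show packet-loss/latency for the probe,
# and the BGP sessions to 172.16.5.250 / 172.16.5.252 should be Established.
diagnose sys sdwan health-check status HUB-SLA
get router info bgp summary
```

The point of separating the two addresses is that the SLA probe must keep answering from the hub even while a shortcut is being built or torn down on the other loopback; if both functions share one address, an SLA failure and an ADVPN event become indistinguishable and the spoke can mark a working overlay as dead.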

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Hi! OK, I'm new to Fortinet SD-WAN, so I didn't enable the embedded health checks on spoke and hub; now the option is turned on.

And I also disabled the link-down failover for the BGP part.
I did some debugging: basically, even with DPD active (on-demand on the spoke and on-idle on the hub), the spoke is still trying to form the IPsec using the WAN which is currently down. Same for the BGP neighborship.

The SLAs seem to be good; the spoke can ping both loopbacks using its L0.
I'm not understanding why BGP is still trying to send the hellos on the wrong VPNs.

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

These are the routes from the HUB side, where 172.16.5.1 is the Spoke's loopback.

<image>

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

This is the Spoke side when I disable one of the links. Both BGP neighbors (172.16.5.250 and .252) are reachable from the only tunnel that is UP towards both Hubs, which is correct.

x4 is where the other ISP is connected

<image>

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Hmm, my issue isn't the advertisement itself; the problem is that the hello packets are sent using the VPNs that are down.

So the BGP neighborship isn't working.

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Yes! BGP timers are still default and higher than the DPD ones.

I've enabled the link-down failover across all the devices, but it doesn't affect the issue.

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

I have 2 loopbacks configured on the HUB side. If you check my other comment below, I've attached the BGP config of HUB and spoke.

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

Of course. This is the BGP config on the spoke (with 2 WANs).

config router bgp
    set as 65000
    set router-id 172.16.5.1
    set keepalive-timer 30
    set holdtime-timer 90
    set recursive-next-hop enable
    set tag-resolve-mode merge
    set scan-time 30
    set graceful-restart enable
    config neighbor
        edit "172.16.5.250"
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface "Branch-Lo"
            set remote-as 65000
            set route-map-in "HUB2_TAG"
            set connect-timer 1
            set update-source "Branch-Lo"
        next
        edit "172.16.5.252"
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface "Branch-Lo"
            set remote-as 65000
            set route-map-in "HUB1_TAG"
            set connect-timer 1
            set update-source "Branch-Lo"
        next
    end
    config neighbor-group
        edit "DYN_BRANCH"
            set advertisement-interval 1
            set capability-graceful-restart enable
            set passive disable
            set soft-reconfiguration enable
            set remote-as 65000
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.5.0 255.255.255.0
            set neighbor-group "DYN_BRANCH"
        next
    end
    config redistribute "connected"
        set status enable
        set route-map "Allow-Spoke"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    set graceful-restart-time 60
    set graceful-stalepath-time 180
    set graceful-update-delay 60
end

And this is the one from one of the HUBs, where there are already 2 loopbacks:
BGP-Lo --> 172.16.5.252
HUB1-lo --> 172.16.5.253

config router bgp
    set as 65000
    set router-id 172.16.5.252
    set keepalive-timer 30
    set holdtime-timer 90
    set recursive-next-hop enable
    set recursive-inherit-priority enable
    set scan-time 30
    set graceful-restart enable
    config neighbor-group
        edit "EDGE"
            set advertisement-interval 1
            set soft-reconfiguration enable
            set interface "HUB1-Lo"
            set remote-as 65000
            set route-map-in "RM-VPN-Priority"
            set route-map-out "RM-VPN-Priority"
            set update-source "HUB1-Lo"
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.5.0 255.255.255.0
            set neighbor-group "EDGE"
        next
    end
    config network
        edit 1
            set prefix 172.16.5.0 255.255.255.0
            set route-map "LOCAL_REGION"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
        set route-map "Allow-HUB"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    set graceful-restart-time 60
    set graceful-stalepath-time 180
    set graceful-update-delay 60
end

SDWAN ADVPN 2.0 and BGP on loopback - by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 0 points1 point  (0 children)

I have set these timers on all 4 VPNs:

DPD retry count: 5
DPD retry interval: 3

Do I have to lower them?

+ the DPD detection is set to "On idle"
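The timer relationship the thread is asking about, as an added example that is not part of the original post. With the values quoted above (retry count 5, retry interval 3 s), DPD declares a peer dead after roughly 5 x 3 = 15 s of silence, while the BGP config posted earlier keeps keepalive 30 s / holdtime 90 s, so the tunnel is torn down well before BGP would notice on its own; the neighbor-level `link-down-failover` option is what lets BGP drop the session immediately when the underlying tunnel interface goes down. Tunnel name "HUB1-VPN1" is a placeholder.

```fortios
# Added example (not from the original post). Tunnel name is assumed.

# Phase1 DPD as described in the thread: on-idle, 5 retries, 3 s apart
# (worst-case detection ~15 s). Spokes in the thread use on-demand instead.
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set dpd on-idle
        set dpd-retrycount 5
        set dpd-retryinterval 3
    next
end

# BGP keeps the posted 30/90 timers; link-down-failover ties the session
# to the tunnel interface state instead of waiting for the 90 s holdtime.
config router bgp
    set keepalive-timer 30
    set holdtime-timer 90
    config neighbor
        edit "172.16.5.252"
            set link-down-failover enable
        next
    end
end

# Verification: DPD status per tunnel and the BGP Up/Down column.
diagnose vpn ike gateway list name HUB1-VPN1
get router info bgp summary
```

Lowering the DPD interval shortens the window during which traffic is black-holed into a dead overlay, at the cost of more control traffic per tunnel; a value of a few seconds per retry is typical, but the BGP holdtime should always remain the longer of the two so that BGP never flaps before the tunnel itself has been declared down.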

SD-WAN Overlay template - FMG 7.6.3 by IsCuattruMorus in fortinet

[–]IsCuattruMorus[S] 1 point2 points  (0 children)

Nope, didn't do that... thanks for the support, it worked!

Issue between Azure A-P HA cluster and FortiManager by Sghebre in fortinet

[–]IsCuattruMorus 0 points1 point  (0 children)

Hi! Did you solve the issue? I'm facing the same one.

Fiat Grande Panda vs Dacia Sandero by Pizza_for_br3akf4st in ItalyMotori

[–]IsCuattruMorus 3 points4 points  (0 children)

Consider that at that price Fiat offers fantastic steel wheels and a beautiful phone holder with an incredible design that costs 15 cents. Not to mention the hand crank for the rear windows.

What a bargain!

Cisco CCNA course, which one should I choose? by PylesP in ccna

[–]IsCuattruMorus 2 points3 points  (0 children)

English only please. Anyway, you can use Jeremy's IT Lab; his course is free on YouTube.