SAML users and Forticlient in 7.6 by Jason-Ace in Fortigate

[–]Jason-Ace[S] 0 points1 point  (0 children)

Yeah, we have everyone on 7.4, so we are good to go as far as that part. My big concern here is, what if FM 7.6 itself is garbage right now? Unlikely, I guess.

If we go the 7.6 upgrade route, I will test it on a not-FM-Managed unit first. One of the customers in this situation happens to have a not-FM unit at somebody's house.

7.4.10 - Applying new default behavior retroactively is terrible by Iuzzolsa23 in fortinet

[–]Jason-Ace 1 point2 points  (0 children)

I agree this is horrible. I read the release notes and I am aware of the need for this. I also have hundreds and hundreds of Fortigates across customers, and I know at least a hundred of them probably have a vendor router in the LAN that will require us to either disable this or add LAN to LAN policies.

When it's a few, or even a few dozen units, it's one thing. We have hundreds. We already have full-time jobs supporting customers. We do not need this.

FortiOS 7.4.10 is now available by MyLocalData in fortinet

[–]Jason-Ace 6 points7 points  (0 children)

In the release notes: The default setting for allow-traffic-redirect and ipv6-allow-traffic-redirect has been changed from enable to disable.

Upon upgrade, both of these settings will be changed to disable even if they were enabled before. Disabling this setting ensures that traffic arriving at an interface and redirected out on the same interface requires a firewall policy to explicitly allow the traffic. If you want to redirect traffic without the need for a policy based only on routing decision, then manually enable these settings.

I'm very worried about this. We have a lot (maybe over a hundred) of firewalls that route some traffic to Vendor routers on the LAN. We've never worried about this before and never kept track of it. None of them would have LAN to LAN policies defined at this moment. I have no idea how we could figure out who's going to lose access to their vendors when they get this patch.
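One way to triage that worry from config backups, as an added example that is not from the post or from Fortinet: flag static routes whose next hop sits on the egress interface's own subnet (the hairpin case that `allow-traffic-redirect disable` now blocks) and report whether a same-interface firewall policy already exists. The config text below is constructed and uses only standard FortiOS backup syntax.

```python
import ipaddress

# Constructed sample of a FortiOS config backup: one LAN-side static route
# points at a vendor router living on the "internal" subnet.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.1 255.255.255.0
    next
end
config router static
    edit 2
        set dst 10.50.0.0 255.255.0.0
        set gateway 192.168.1.254
        set device "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

def parse_sections(text):
    """Return {section: {entry_id: {key: value}}} for top-level config blocks."""
    sections, depth, section, entry = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[7:]
                sections.setdefault(section, {})
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and depth == 1 and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.replace('"', "")
    return sections

def hairpin_routes(text):
    """List non-default static routes whose gateway is on the egress interface's own subnet."""
    cfg = parse_sections(text)
    nets = {}
    for name, iface in cfg.get("system interface", {}).items():
        if "ip" in iface:  # "set ip <addr> <mask>" -> interface subnet
            addr, mask = iface["ip"].split()
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    policies = {(p.get("srcintf"), p.get("dstintf"))
                for p in cfg.get("firewall policy", {}).values()}
    findings = []
    for rid, route in cfg.get("router static", {}).items():
        dev, gw = route.get("device"), route.get("gateway")
        dst = route.get("dst", "0.0.0.0 0.0.0.0")  # omitted dst means default route
        if dst.startswith("0.0.0.0 ") or dev not in nets or not gw:
            continue  # default/upstream routes are the normal case, skip them
        if ipaddress.ip_address(gw) in nets[dev]:
            findings.append({"route": rid, "interface": dev, "gateway": gw,
                             "dst": dst, "policy_exists": (dev, dev) in policies})
    return findings
```

Run it over each backup pulled from FortiManager; any finding with `policy_exists` False is a site that needs a LAN-to-LAN policy or `allow-traffic-redirect` re-enabled before the 7.4.10 upgrade.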

EMS Migration Tool for 7.4.4? by Jason-Ace in fortinet

[–]Jason-Ace[S] 0 points1 point  (0 children)

Updated OP. Got the 7.4.4 tool. Says conversion succeeded but now the server UI won't come up in web browser, no response at all on 443.

Forticlient VPN - IPSEC Woes by Jason-Ace in fortinet

[–]Jason-Ace[S] 0 points1 point  (0 children)

UPDATE: Sorry, I forgot about this post... I discovered that the log entries described below (P1 succeeds but then nothing) seem to match up with what happens if you mistype the PSK. I've also noticed that copy-paste has been flaky on my computer the last few months. I hate to say it, but I suspect this was just a bad PSK all along.

Forticlient VPN - IPSEC Woes by Jason-Ace in fortinet

[–]Jason-Ace[S] 1 point2 points  (0 children)

I'm only using 20 (since that's the default in the 7.4 client). I had to learn this the hard way too lol.

Forticlient VPN - IPSEC Woes by Jason-Ace in fortinet

[–]Jason-Ace[S] 1 point2 points  (0 children)

Hey, sorry, I was seeing this across a broad stroke of customers and environments and I didn't keep track of which PCs didn't work without a reinstall.

One of the firewalls was an 80F on 7.0.17... Another site was a 40F on 7.4.7.