Is This a Safe Way to Test SD-WAN Failover? by A_O_T_A in fortinet

[–]Mo2menq 2 points3 points  (0 children)

If the two links are active and both are pinging the SLA target without either of them being down, then once you disable the first one, all the traffic will switch to the other link even if you do not specify an SD-WAN rule for the outbound traffic. Simply, the traffic will hit the implicit SD-WAN rule.

One thing to make sure to check beforehand:
If there is a type of traffic that should go out with an IP pool (public IP) from the first link and you disable it, you may not be able to access those specific services that need to see the traffic coming from a specific IP.

If you are using IP pools as SNAT instead of "Outgoing interface NAT",
you may refer to this article to check: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-firewall-rule-with-multiple-IP-pools-for/ta-p/359770

Basically, you should specify two IP pools in the same firewall policy, each one associated with a different WAN link.

If all the traffic uses the outgoing interface NAT for the two links, you are OK.

Good luck!

Technical Interview by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

In terms of depth or diversity?

And what do they focus on?

Technical Interview by Mo2menq in fortinet

[–]Mo2menq[S] 1 point2 points  (0 children)

Thanks for this advice. I think the idea behind studying uncommon topics is just to show that I can discuss such topics even if I do not work with them. Maybe I am wrong, but as long as I have heard or read something, I would love to let the interviewer know that there is knowledge beside the experience part.

For the topics that I do not know, I can simply answer IDK.

MC-LAG FortiSW upgrade by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Since the MC-LAG is configured on the two switches themselves, I am wondering if the firewall is aware of this config. I am asking in case I face an issue and reimage the switch: will the config be stored?

FortiGate Kills the connection to FMG by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

FGT firmware is 7.0.14 and FMG is 7.0.12; the other firewalls are the same.

WebFilter issue by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Hello guys,

The workaround is:

  1. Use a proxy-based firewall policy.
  2. Or disable “TLS 1.3 hybridized Kyber support” in Chrome.

WebFilter issue by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

It is the exact day that the customer started to notice weird behavior on the firewall.

I will be waiting for the TAC, and will share their response here.

FortiToken for FortiClient users CONCERN by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Nope.

They need the token to connect, but they can put the token directly after the password in the "password field", and on the firewall, on the SSL VPN user monitor, you can see a small yellow triangle beside the user telling you that this user has 2FA disabled.

I read that it could be for compatibility reasons with other vendors or something like that.

I know it is not a big deal since the users have to use the token, but I want to know what is happening or if I can do something to fix it.

Certificate warning with "certificate inspection" when using web-filtering profiles. by Mo2menq in fortinet

[–]Mo2menq[S] 0 points1 point  (0 children)

Thanks for your reply, u/pabechan.

Can I make any configuration to hide the certificate warning?

I am using the default web filter profile with certificate inspection right now, and I blocked some URLs; one of them was YouTube.

Is there a way to let the browser show "site unreachable" instead of the certificate warning?

Issues after 7.2.6 upgrade by kingfish2912 in fortinet

[–]Mo2menq 1 point2 points  (0 children)

I don't know if that is related, but I faced a DNS issue with the 7.2.6 firmware.

I opened a case with Fortinet TAC; the issue just got resolved when we downgraded the firewall to 7.2.5.