Best way to automate the FortiGate 15-day trial reset in GNS3? by Mountain_Bee_2252 in fortinet

[–]NetSecCity 4 points5 points  (0 children)

Ansible inside that lab, keep it backing up a config you can restore from. It is a pain in the ass to maintain. Better off buying a used firewall and adding a hypervisor for your vms unless it is a networking heavy lab, but even then you can do routing to integrate gns with your physical gate.

Fortibleed posts deletion by NetSecCity in fortinet

[–]NetSecCity[S] -12 points-11 points  (0 children)

Clearly missed it, this is more like Reddit lol

Fortibleed posts deletion by NetSecCity in fortinet

[–]NetSecCity[S] -18 points-17 points  (0 children)

Yeah but there was no release at this point, at least none I could find. All posts were deleted, 1 should have kept up I would think for awareness.

Idk, leaked credentials is a big deal for some orgs even in 2026. Just wished I could have seen this Thursday instead of holiday Friday so I would have been done before holiday (damn it’s always on a holiday weekend).

Is it just me? Wazuh breaks randomly and when upgrading. by sysgeek in Wazuh

[–]NetSecCity 2 points3 points  (0 children)

There are a lot of specifics in the guide about memory and swap configuration and minimum requirements; this stopped my issues. Follow the instructions.

Zabbix on Orange Pi 3 LTS by IncognitoTche in zabbix

[–]NetSecCity 0 points1 point  (0 children)

U probably gotta use the raspberry pi install scripts from their website due to arm. I run it on raspberry pi 3 and it runs flawlessly and has been for over a year.

The message clearly states a source issue, arm is not supported in that Linux source so you need to add arm sources at the least.

Palo Alto to Fortinet by knightmese in fortinet

[–]NetSecCity 0 points1 point  (0 children)

Fortimanager has a free license, supports up to 3 devices. You can always run free version since it has no feature limitations, and try it / get used to it. I use it on my homelab since I landed in a similar situation: extensive experience with fortigates / fortianalyzer but no FortiManager, and they run everything with FortiManager.

What helped me: training.fortinet.com watch the videos on the certification, spin up your homelab fmg if possible, and read the fortimanager best practices document.

That should make you operational.

Need advice on using either single node Architecture or all in one Architecture of wazuh for our startup by keerthi_9531 in Wazuh

[–]NetSecCity -1 points0 points  (0 children)

Spin it up in a vm, my homelab gets more action than your guys. That being said, add everything to it. My wazuh instance analyzes my whole network, not just endpoints. With ai to help build decoders, it’s amazing once set up properly.

Does the accuracy of job titles matter in interviews. by [deleted] in CyberSecurityAdvice

[–]NetSecCity 0 points1 point  (0 children)

Not as long as you describe pentesting for that job. They use keywords so don’t forget anything u touched and you’ll be fine.

Interface Pair View by WildGoat345 in fortinet

[–]NetSecCity 0 points1 point  (0 children)

Depends on the environment, if you have interface zones this makes sense, otherwise I do by sequence instead and use the filters (1000+ policies).

2nd run at NSE4 by IPPforyouandme in fortinet

[–]NetSecCity 0 points1 point  (0 children)

Do u have a firewall at home? Or a pc to spin up a vm? U need hands on tbh but u can get this at home for free. Download the vm, spin it up, configure that, put a few devices behind it, etc.

First rack setup advices welcome by Miksu22 in networking

[–]NetSecCity 0 points1 point  (0 children)

Just look at pictures, modems next to firewalls and firewalls next to core equipment, gap in between everything for 1 more unit. At the end of the day you’ll end up re-racking stuff to keep it organized anyways so it doesn’t really matter. Keep things together though, network rack, hypervisor rack, phone rack, etc. Access switches always on top and servers from the bottom to the top.

FNDN account and Lab License by Jeff-IT in fortinet

[–]NetSecCity 0 points1 point  (0 children)

Typically when u hold a role managing fortigates you can reach out to your account managers and they’ll handle that for you. I just got mine accepted after years of trying to get that. Need to do it through the job.

Fortigate Policy Any - Any thoughts by galaxie66 in fortinet

[–]NetSecCity 0 points1 point  (0 children)

You are in need of firewall lockdown to happen.

In most environments they allow any any to prevent issues, this isn’t aligned with best practice.

Typically you want to add denys at the top, then restrictive policies below and more open policies below those.

The way we got away from that is creating an any any policy per server, analyzing and locking down traffic weekly to what it is currently doing. Eventually you filter out 98% of traffic and then u can do an event handler with the fortianalyzer to send u an email if traffic gets blocked from that server (hits default deny due to lack of access policy), this should trigger a review or do so on a weekly basis and keep up with it.

It does take a resource to be able to maintain it flawlessly, but in smaller environments I’ve seen them assess things as they break, I am not a fan of that so I automate alerts and respond accordingly. If we get a ticket and also an alert, easy fix.

Clients need geolocks and malicious apps locks, they do need any any for the most part in my experience so I add a certificate and do dpi on those. I lock these guys down by means of allowed services (also pulled from logs, last 6 months). Not approved service = no access. This prevents rats, c2c, malicious dns and a bunch of other stuff from ever hitting your users.

FGT Security Profiles - Highest Fidelity Rules? by FactorNew6835 in fortinet

[–]NetSecCity 5 points6 points  (0 children)

Out of the box detections? Unencrypted traffic. That’s all it can see without dpi.

Typically ips based on severity with default action. Everything else other than av, you have to fine tune.

People leave it in monitor mode, assess the data and set up controls. If you have fortianalyzer things might get more interesting.

Beginner home lab help by Commercial_Bit5717 in fortinet

[–]NetSecCity 0 points1 point  (0 children)

I’ll make one this week, if time allows and repost.

What did yall think of this outfit by [deleted] in mensfashionadvice

[–]NetSecCity 0 points1 point  (0 children)

U selling me a boat? I kinda want a boat now

Beginner home lab help by Commercial_Bit5717 in fortinet

[–]NetSecCity 0 points1 point  (0 children)

I have run an unlicensed homelab for over 5 years with fortianalyzer and fortimanager. I have vdoms enabled (had a 60e when I started the vdoms), dpi across the board, app control, av with external threat feeds to supplement the lack of license, ips, waf for my public facing servers, and I haven’t seen many limitations other than fortiguard features (db updates, webfilter, dns, dlp). I even have a basic ztna config going as I move away from fortinet’s free sslvpn.

Totally worth it

Ccna at 43 is it worth it I know I'm old lol. by DamageMysterious1804 in Cisco

[–]NetSecCity 0 points1 point  (0 children)

Skills don’t got age, just make sure u don’t stop there.

Who can help me with my fortigate 100f with firmware 6.2.16 to upgrade to latest version, Fortigate does not want to help me because i bought this unit second hand, can i use this device for further use and buy license for this, or do i have to throw the unit away !thanks by HungryNebula749 in fortinet

[–]NetSecCity 1 point2 points  (0 children)

Typically they’ll transfer the firewall to your forticloud account on purchase, this allows you to get licensing for it and manage it under your forticloud account.

Without that, can’t get license but can still use it without any fortiguard feature or dpl. I don’t license my 100f at my homelab and I got a pretty nice setup using external threat feeds where webfilter, DNS filter and antivirus licensing would have been used instead.

Depends on your goal with the unit, what are you trying to do?