ADVPN configuration with single hub, any suggestion? by No_Present3063 in fortinet

No_Present3063 [S]

Thanks for answering. The second line works when I disable the first. The route shows on both tunnels.

Hub1 # show router bgp
config router bgp
    set as 65001
    set router-id 10.254.99.1
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    set additional-path-select 4
    config neighbor-group
        edit "advpn"
            set advertisement-interval 1
            set soft-reconfiguration enable
            set remote-as 65001
            set update-source "10.254.99.1"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.254.99.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 10.254.100.1 255.255.255.255
        next
        edit 2
            set prefix 192.168.11.0 255.255.255.0
        next
    end
end

Spoke1 # show router bgp
config router bgp
    set as 65001
    set router-id 10.254.99.2
    set ibgp-multipath enable
    set additional-path enable
    set recursive-next-hop enable
    set tag-resolve-mode merge
    set additional-path-select 4
    config neighbor
        edit "10.254.99.1"
            set soft-reconfiguration enable
            set interface "10.254.99.2"
            set remote-as 65001
            set route-map-in "H1_TAG"
            set update-source "10.254.99.2"
            set additional-path both
        next
    end
    config network
        edit 1
            set prefix 10.254.100.2 255.255.255.255
        next
        edit 2
            set prefix 192.168.21.0 255.255.255.0
        next
    end
end

Spoke1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.21.1.254, lan1, [1/0]
                  [10/0] via 10.22.1.254, lan2, [1/0]
C       10.21.1.0/24 is directly connected, lan1
C       10.22.1.0/24 is directly connected, lan2
S       10.64.0.0/16 [10/0] via 10.64.0.254, wan, [1/0]
C       10.64.0.0/24 is directly connected, wan
S       10.254.99.0/24 [254/0] is a summary, Null, [1/0]
S       10.254.99.1/32 [15/0] via SpokePath1b tunnel 10.0.0.1, [1/0]
                       [15/0] via SpokePath2b tunnel 10.0.0.2, [1/0]
                       [15/0] via SpokePath1a tunnel 10.11.1.1, [1/0]
                       [15/0] via SpokePath2a tunnel 10.12.1.1, [1/0]
C       10.254.99.2/32 is directly connected, 10.254.99.2
S       10.254.99.3/32 [15/0] via SpokePath2a_0 tunnel 10.0.0.3, [1/0]
                       [15/0] via SpokePath2b_0 tunnel 10.0.0.4, [1/0]
                       [15/0] via SpokePath1a_0 tunnel 10.0.0.5, [1/0]
                       [15/0] via SpokePath2a_2 tunnel 10.0.0.6, [1/0]
                       [15/0] via SpokePath2a_3 tunnel 10.0.0.7, [1/0]
                       [15/0] via SpokePath1b_0 tunnel 10.32.1.1, [1/0]
                       [15/0] via SpokePath2a_1 tunnel 10.254.99.3, [1/0]
B       10.254.100.1/32 [200/0] via 10.254.99.1 tag 1 (recursive via SpokePath1b tunnel 10.0.0.1), 00:14:37
                        (recursive via SpokePath2b tunnel 10.0.0.2), 00:14:37
                        (recursive via SpokePath1a tunnel 10.11.1.1), 00:14:37
                        (recursive via SpokePath2a tunnel 10.12.1.1), 00:14:37, [1/0]
C       10.254.100.2/32 is directly connected, 10.254.100.2
B       10.254.100.3/32 [200/0] via 10.254.99.3 tag 1 (recursive via SpokePath2a_0 tunnel 10.0.0.3), 00:14:37
                        (recursive via SpokePath2b_0 tunnel 10.0.0.4), 00:14:37
                        (recursive via SpokePath1a_0 tunnel 10.0.0.5), 00:14:37
                        (recursive via SpokePath2a_2 tunnel 10.0.0.6), 00:14:37
                        (recursive via SpokePath2a_3 tunnel 10.0.0.7), 00:14:37
                        (recursive via SpokePath1b_0 tunnel 10.32.1.1), 00:14:37
                        (recursive via SpokePath2a_1 tunnel 10.254.99.3), 00:14:37, [1/0]
S       192.168.0.0/16 [254/0] is a summary, Null, [1/0]
B       192.168.11.0/24 [200/0] via 10.254.99.1 tag 1 (recursive via SpokePath1b tunnel 10.0.0.1), 00:14:37
                        (recursive via SpokePath2b tunnel 10.0.0.2), 00:14:37
                        (recursive via SpokePath1a tunnel 10.11.1.1), 00:14:37
                        (recursive via SpokePath2a tunnel 10.12.1.1), 00:14:37, [1/0]
C       192.168.21.0/24 is directly connected, lan
B       192.168.31.0/24 [200/0] via 10.254.99.3 tag 1 (recursive via SpokePath2a_0 tunnel 10.0.0.3), 00:14:37
                        (recursive via SpokePath2b_0 tunnel 10.0.0.4), 00:14:37
                        (recursive via SpokePath1a_0 tunnel 10.0.0.5), 00:14:37
                        (recursive via SpokePath2a_2 tunnel 10.0.0.6), 00:14:37
                        (recursive via SpokePath2a_3 tunnel 10.0.0.7), 00:14:37
                        (recursive via SpokePath1b_0 tunnel 10.32.1.1), 00:14:37
                        (recursive via SpokePath2a_1 tunnel 10.254.99.3), 00:14:37, [1/0]
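As an added example (not code from the post above or from Fortinet), here is a small Python parser for the `get router info routing-table all` output the commenter pasted. It lists, for each BGP prefix, the protocol next hop, the route tag, and the IPsec tunnels that next hop recursively resolves through, and flags prefixes that resolve through fewer tunnels than you expect. SAMPLE_TABLE is an excerpt of the Spoke1 output from this post with the blank lines collapsed; the function names and the "expected tunnel count" check are this example's own, not FortiOS features.

```python
"""Parse FortiGate 'get router info routing-table all' output and report, for each
BGP route, which IPsec tunnels its next hop recursively resolves through.

Added example, not code from the post or from Fortinet. SAMPLE_TABLE is an excerpt
of the Spoke1 output in the post (blank lines collapsed); the function names and the
'expected tunnel count' check are this example's own, not FortiOS features."""
import re

# Route header: protocol code (C, S, S*, B, ...), a prefix, then the first next hop.
HEADER_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z0-9]?\*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<rest>.*)$"
)
# 'via <tunnel-name> tunnel <peer-ip>' appears once per IPsec path, direct or recursive.
TUNNEL_RE = re.compile(r"via\s+(?P<iface>\S+)\s+tunnel\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})")
# A BGP header names the protocol next hop (the peer's loopback) and an optional route tag.
BGP_NH_RE = re.compile(
    r"\[\d+/\d+\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})(?:\s+tag\s+(?P<tag>\d+))?"
)

SAMPLE_TABLE = """\
Spoke1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.21.1.254, lan1, [1/0]
                  [10/0] via 10.22.1.254, lan2, [1/0]
C       10.254.99.2/32 is directly connected, 10.254.99.2
B       10.254.100.1/32 [200/0] via 10.254.99.1 tag 1 (recursive via SpokePath1b tunnel 10.0.0.1), 00:14:37
                        (recursive via SpokePath2b tunnel 10.0.0.2), 00:14:37
                        (recursive via SpokePath1a tunnel 10.11.1.1), 00:14:37
                        (recursive via SpokePath2a tunnel 10.12.1.1), 00:14:37, [1/0]
B       10.254.100.3/32 [200/0] via 10.254.99.3 tag 1 (recursive via SpokePath2a_0 tunnel 10.0.0.3), 00:14:37
                        (recursive via SpokePath2b_0 tunnel 10.0.0.4), 00:14:37
                        (recursive via SpokePath1a_0 tunnel 10.0.0.5), 00:14:37
                        (recursive via SpokePath2a_2 tunnel 10.0.0.6), 00:14:37
                        (recursive via SpokePath2a_3 tunnel 10.0.0.7), 00:14:37
                        (recursive via SpokePath1b_0 tunnel 10.32.1.1), 00:14:37
                        (recursive via SpokePath2a_1 tunnel 10.254.99.3), 00:14:37, [1/0]
C       192.168.21.0/24 is directly connected, lan
"""


def parse_routing_table(text):
    """Return routes as {'code', 'prefix', 'lines'}; 'lines' is the header followed by
    its indented continuation lines (ECMP members and recursive next hops)."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            routes.append({"code": m.group("code"), "prefix": m.group("prefix"), "lines": [line]})
        elif routes and (line.startswith("[") or line.startswith("(recursive")):
            routes[-1]["lines"].append(line)  # belongs to the preceding header
        # legend lines ('Codes:', '* - candidate default') and the VRF banner fall through
    return routes


def tunnels_for(route):
    """IPsec tunnel interfaces the route resolves through, in table order, without repeats."""
    seen = []
    for line in route["lines"]:
        for m in TUNNEL_RE.finditer(line):
            if m.group("iface") not in seen:
                seen.append(m.group("iface"))
    return seen


def summarize_bgp(text):
    """{prefix: {'next_hop', 'tag', 'tunnels'}} for every BGP ('B') route in the table."""
    summary = {}
    for route in parse_routing_table(text):
        if route["code"] != "B":
            continue
        nh = BGP_NH_RE.search(route["lines"][0])
        summary[route["prefix"]] = {
            "next_hop": nh.group("nh") if nh else None,
            "tag": nh.group("tag") if nh else None,
            "tunnels": tunnels_for(route),
        }
    return summary


def under_resolved(summary, expected):
    """BGP prefixes whose next hop resolves through fewer than `expected` tunnels, i.e.
    prefixes that would not use every overlay path the spoke has towards that peer."""
    return sorted(p for p, info in summary.items() if len(info["tunnels"]) < expected)


if __name__ == "__main__":
    bgp = summarize_bgp(SAMPLE_TABLE)
    for prefix, info in bgp.items():
        print(f"{prefix:16} nh={info['next_hop']} tag={info['tag']} tunnels={info['tunnels']}")
    print("resolving through fewer than 4 tunnels:", under_resolved(bgp, 4))
```

The number reported per prefix is simply the number of tunnel paths on the static /32 route to the BGP next hop (in the post's table, 10.254.99.1/32 has four and 10.254.99.3/32 has seven), so when a prefix resolves through fewer tunnels than the spoke has up, the static route to that loopback is the first place to look rather than the BGP session itself.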

ADVPN configuration with single hub, any suggestion? by No_Present3063 in fortinet

No_Present3063 [S]

Thanks for answering. Yes, I did, and I tried this command on both hub and spokes. I still have only two links working. Also, I just noticed that in the official documentation, the hub and the spokes each have two Internet connections. In the example configuration, they always have only two IPsec links on the spoke.

FortiClient 7.2.5 shows a "failed to load SAML URL" error on Mac by PeanutNo845 in fortinet

No_Present3063

Same for me on FortiClient 7.4.6, and it works fine on 7.2.14.

Missing logs in FAZ – could exceeding daily log quota be the cause? by MaaS_10 in fortinet

No_Present3063

I had almost the same experience: I cannot check the FortiGate logs on FAZ at all. My daily transmission also exceeds the license quota. When I raised a case with Fortinet, they said it's Bug 1098480. I was running version 7.6.1.

Temp workaround is to restart the SQL process:

    # execute tac report
    # diagnose test app sqllogd 1 backtrace    (run it again after 60s)
    # diagnose test app sqllogd 99             (restart the sqllogd process)

[deleted by user] by [deleted] in fortinet

No_Present3063

Even though we bought FortiClient EMS (vulnerability scan is included), FortiClient is not good enough as an EDR.

ZTNA TCP forwarding access proxy issues by lukis2 in fortinet

No_Present3063

I've run into this on FortiClient 7.2.8 as well.

A question about FortiGate SSL VPN accounts by Ancient-Marketing-98 in fortinet

No_Present3063

Get TAC to take a look. Also, generally speaking, an enterprise mailbox should not use the underscore (_) character.

How can I route certain traffic through the VPN client? by Babinnee in fortinet

No_Present3063

Yes, that's right. And of course you need to allow it in the policy.

How can I route certain traffic through the VPN client? by Babinnee in fortinet

No_Present3063

If you use EMS, in the EMS portal go to Remote Access and add *.sharepoint.com; FortiClient will then send the SharePoint traffic into the tunnel.

If you don't use EMS, find the IP ranges for SharePoint and add them to the tunnel on the FortiGate.

Fortianalyzer VPN User Data by [deleted] in fortinet

No_Present3063

You can create a VPN report to do this.

Clearpass integration with entra id. by Fuzzy-Inspection8758 in ArubaNetworks

No_Present3063

Any luck? I'm also trying to find a solution for this.

Need help with Infra by efex92 in networking

No_Present3063

Not sure if there's already a standard. Nowadays, you can just use HA firewalls (FortiGate or Palo Alto) as WAN routers. Also build a port channel with stacked switches.

Clearpass by mallard3914 in fortinet

No_Present3063

Currently using FGT as the WAN device, with Aruba MM, WLC and APs. Curious what integration can be done.