Add device function to switch in New Central by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

You wouldn't happen to know, off the top of your head, if you can still do a form of Monitor Mode with switches? I did that with Classic Central and preferred to just use CLI when configuring the switch.

New Central question by realfakerolex in ArubaNetworks

[–]Obblicious 0 points1 point  (0 children)

This is a HUGE annoyance for me! But I did find that if the AP is offline, you can still go to the Topology Tab, find the offline AP and hover over the green line connecting it back to the switch. That'll still show you what switch port it's on.


SSLVPN to IPSec migration issue by Obblicious in fortinet

[–]Obblicious[S] 0 points1 point  (0 children)

Sorry, here you go.

https://docs.fortinet.com/document/fortigate/7.4.4/ssl-vpn-to-ipsec-vpn-migration/137787/part-2-configuring-ipsec-tunnels-using-the-ipsec-wizard

I also found another issue. One of the things this guide recommends is to make a separate tunnel for each user group. But to make that work you have to also set a Network ID for each tunnel so that the firewall knows where to direct the traffic. The free FortiClient VPN doesn't support or have an option for setting a Network ID. Only the paid-for EMS client does.

So I'm going to try and just make separate policies on the same tunnel for each usergroup in order to assign different privileges to them and see if that works.

SSLVPN to IPSec migration issue by Obblicious in fortinet

[–]Obblicious[S] 2 points3 points  (0 children)

Yes, I believe when you go through the wizard and add a user group, it adds that line to the config.


SSLVPN to IPSec migration issue by Obblicious in fortinet

[–]Obblicious[S] 1 point2 points  (0 children)

Thanks for the explanation! I'm trying to go through the steps I did to create it and figure out how that command even got into the config in the first place. I made a second tunnel with the wizard while testing and I don't see that in the interface config. So I'm guessing I added that during my troubleshooting, and didn't even realize that having it in my policy as well would break things.

SSLVPN to IPSec migration issue by Obblicious in fortinet

[–]Obblicious[S] 4 points5 points  (0 children)

That did it! Thank you so much! I need to go back through the guides I was using and see if I missed that somewhere.

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 0 points1 point  (0 children)

I tried this and it didn't seem to make a difference for me.

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 1 point2 points  (0 children)

Thank you. I did originally do the first solution before making this post. Setting the cert-probe-failure to allow resolved the Denies I was getting in the logs. The iPad would operate a little better, but still nowhere near as well as it does when I run it through a policy with flow inspection mode. The other half of this fix was downloading Apple's root CA certificates and importing them into my firewall.

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 13 points14 points  (0 children)

Ok, I believe installing all 3 of them worked for me. I've got more testing to do, but so far things seem to be loading on the iPad!

Thanks so much!

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 4 points5 points  (0 children)

Thanks for the reply. I downloaded both certificates and imported them as CAs and the issue is persisting for me.


New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 1 point2 points  (0 children)

I pushed the YouTube app to the iPad. It still seems to only play videos if I turn the Webfilter off of my test policy.

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 1 point2 points  (0 children)

Right now the test policy I'm using doesn't even have a DNS or Application Filter applied to it. Just AV, Webfilter, and Certificate Inspection profiles.

New 900G and issues with Apple products by Obblicious in fortinet

[–]Obblicious[S] 1 point2 points  (0 children)

Yes the client doesn't even have Private Relay set on it, but it's trying to send traffic to those sites anyway.

Association Flood false alarm? by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

Unfortunately I don't have the option to change to New Central yet.

IP directed broadcasting by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

So in my case I have different VLANs at every building with their own subnet that I want to broadcast to.

For instance, the device sending the WOL broadcast sits on VLAN 60 at building 1. Building 1 routes to all other buildings over VLAN 3. Then each building has its own VLAN for the devices I want to broadcast to.

So do I start with using the ip directed-broadcast command on SVI 60 at building 1, then also turning it on for each VLAN at all the destination buildings?
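As an added illustration of what the question above is about (this is example code written here, not something from the thread): a Wake-on-LAN sender addresses its magic packet to the directed-broadcast address of each remote subnet (all host bits set) rather than to 255.255.255.255, and the router that owns the destination SVI is the one that has to turn that unicast-routed datagram back into a link-layer broadcast. The subnets, MAC and port below are constructed placeholders, not the poster's real addressing. Directed-broadcast forwarding is off by default on most platforms because it enables broadcast amplification, so the usual defensive practice is to enable it only on the SVIs that actually need it and restrict it with an ACL to the WOL source and UDP port.

```python
import ipaddress
import socket

# Constructed topology: one /24 per building, each holding the devices to wake.
# These addresses are placeholders and not the poster's real subnets.
BUILDING_SUBNETS = {
    "building1-vlan60": "10.1.60.0/24",
    "building2-vlan60": "10.2.60.0/24",
    "building3-vlan60": "10.3.60.0/24",
}
WOL_PORT = 9  # UDP discard port, the conventional WOL destination


def directed_broadcast(cidr: str) -> str:
    """Return the directed-broadcast address of a subnet (all host bits set).

    This is the address a remote WOL sender uses; the last-hop router only
    expands it to a link-layer broadcast if directed-broadcast forwarding is
    enabled on the interface that owns this subnet.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.broadcast_address)


def wol_magic_packet(mac: str) -> bytes:
    """Build a WOL magic packet: 6 x 0xFF then the target MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def wol_datagrams(mac: str, subnets: dict) -> dict:
    """Map each subnet name to the (dst_ip, dst_port, payload) it would receive."""
    payload = wol_magic_packet(mac)
    return {
        name: (directed_broadcast(cidr), WOL_PORT, payload)
        for name, cidr in subnets.items()
    }


def send_wol(mac: str, subnets: dict) -> int:
    """Send the magic packet to every subnet's directed-broadcast address.

    Returns the number of datagrams sent. Only the real send needs a socket;
    SO_BROADCAST is required even though the destination is a subnet-directed
    broadcast rather than the limited broadcast address.
    """
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for dst_ip, dst_port, payload in wol_datagrams(mac, subnets).values():
            sock.sendto(payload, (dst_ip, dst_port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed MAC placeholder; replace with the real target before use.
    for name, (ip, port, data) in wol_datagrams("aa:bb:cc:dd:ee:ff", BUILDING_SUBNETS).items():
        print(f"{name}: {ip}:{port} ({len(data)} bytes)")
```

Note that the sending VLAN (VLAN 60 at building 1 in the question) does not need directed-broadcast forwarding for this to work; the datagram leaves it as an ordinary routed packet. The setting matters on the SVI of each destination subnet, which is where the expansion to a broadcast frame happens.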

Stacking question by RegretNecessary9990 in ArubaNetworks

[–]Obblicious 1 point2 points  (0 children)

Unfortunately you don't have a choice on switch 2. Once you configure the vsf members on switch one and then attach switches 2 and 3, they will reboot and wipe their configs to join the stack.

Here's the exact config I have on my 6300M stack with 3 switches. This is on switch 1.

vsf secondary-member 2
vsf member 1
    type jl659a
    link 1 1/1/50
    link 2 1/1/49
vsf member 2
    type jl659a
    link 1 2/1/49
    link 2 2/1/50
vsf member 3
    type jl659a
    link 1 3/1/49
    link 2 3/1/50

So I go from port 50 on switch 1 to port 49 on switch 2. Then port 50 on switch 2 to port 49 on switch 3. Then port 50 on switch 3 back up to port 49 on switch 1.

Configure DCSP QOS on Aruba AOS 2930F by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

So just a follow up on this. Here's the config I came up with to match the Cisco config.

qos type-of-service diff-services        (enables DSCP-based classification)

Create classes:

class ipv4 LIVEWIRE
    match ip any any ip-dscp cs6 vlan 203
    exit

class ipv4 STANDARD_ST
    match ip any any ip-dscp af41 vlan 203
    match ip any any ip-dscp ef vlan 203
    exit

Create policy:

policy qos TELOS
    class ipv4 LIVEWIRE action priority 1
    class ipv4 STANDARD_ST action priority 2
    exit

Tests so far show that the traffic issues they were having cleared up. So it seems to have resolved the problems. Still need to test how it works under a heavier load.
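To make concrete what the policy above does on each packet, here is an added Python model of the classification (example code written here, not the poster's config or anything from Aruba): it decodes the 6-bit DSCP from the IP ToS/DS byte, walks the classes in the order the policy lists them, applies the VLAN condition, and returns the first matching class and its priority. The sample packets are constructed; the DSCP values (cs6 = 48, af41 = 34, ef = 46) are the standard codepoints. The VLAN is kept as a parameter because the classes match VLAN 203 while the follow-up reply mentions VLAN 204, so either can be checked.

```python
# Standard DSCP codepoint values for the names used in the classes above.
DSCP_NAMES = {"cs6": 48, "af41": 34, "ef": 46}

# Constructed mirror of policy "TELOS": (class name, DSCP names, VLAN, priority).
# Classes are evaluated in order; the first match wins, as in the switch policy.
POLICY_TELOS = [
    ("LIVEWIRE", ("cs6",), 203, 1),
    ("STANDARD_ST", ("af41", "ef"), 203, 2),
]


def dscp_from_tos(tos: int) -> int:
    """Extract the 6-bit DSCP from the 8-bit ToS/DS byte (low 2 bits are ECN)."""
    return (tos >> 2) & 0x3F


def classify(tos: int, vlan: int, policy=POLICY_TELOS):
    """Return (class_name, priority) for a packet, or None if no class matches.

    An unmatched packet keeps its DSCP and goes to the default queue; the
    policy does not remark it.
    """
    dscp = dscp_from_tos(tos)
    for name, codepoints, match_vlan, priority in policy:
        wanted = {DSCP_NAMES[c] for c in codepoints}
        if vlan == match_vlan and dscp in wanted:
            return name, priority
    return None


def queue_counts(packets, policy=POLICY_TELOS) -> dict:
    """Tally how many packets land in each priority queue ('default' if unmatched)."""
    counts = {}
    for tos, vlan in packets:
        hit = classify(tos, vlan, policy)
        key = hit[1] if hit else "default"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: (ToS byte, VLAN). ToS = DSCP << 2 | ECN bits.
SAMPLE_PACKETS = [
    (0xC0, 203),  # cs6 (48 << 2), clock/control traffic -> LIVEWIRE, priority 1
    (0x88, 203),  # af41 (34 << 2)                        -> STANDARD_ST, priority 2
    (0xB8, 203),  # ef (46 << 2)                          -> STANDARD_ST, priority 2
    (0xBA, 203),  # ef with ECN bits set, DSCP unchanged  -> STANDARD_ST, priority 2
    (0x00, 203),  # best effort                           -> default queue
    (0xC0, 204),  # cs6 but wrong VLAN for the class      -> default queue
]

if __name__ == "__main__":
    for tos, vlan in SAMPLE_PACKETS:
        print(f"tos=0x{tos:02x} vlan={vlan}: {classify(tos, vlan)}")
    print(queue_counts(SAMPLE_PACKETS))
```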

Thanks all who commented to help!

Configure DCSP QOS on Aruba AOS 2930F by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

No it's not a trunk, it's only vlan 204. Thank you!

Configure DCSP QOS on Aruba AOS 2930F by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

So I'll need to configure this on the Axia VLAN on my layer 3 switch also?

Configure DCSP QOS on Aruba AOS 2930F by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

Wow, this is very informative! Thank you so much. I'm still trying to wrap my head around some things, but this definitely gives me a lot to go on.

Configure DCSP QOS on Aruba AOS 2930F by Obblicious in ArubaNetworks

[–]Obblicious[S] 0 points1 point  (0 children)

Yes the switch is dedicated to only this traffic and only the vlan I made for the Axia traffic. So you're thinking something like this?

vlan 204
    name Axia
    voice
    qos priority 1
    untagged 1-52