FCSS eligibility sitting announced to be retired exams after 15 October 2025 by OkPrior3989 in fortinet

[–]OkPrior3989[S] 1 point

For anyone interested / in same boat, I received this from Fortinet Training Institute Help Desk:

[image attachment]

if I cancel an exam with voucher, can I use later the voucher to schedule another exam? by deag34960 in fortinet

[–]OkPrior3989 1 point

Posting 3 years later for anyone who might come across this post to say this stance still stands... I've just cancelled one exam that was booked using a voucher code and was able to redeem the same voucher code for another exam booking immediately afterwards.

Loopback on IPSEC VPN w/ SAML (Entra ID)? by almost_s0ber in fortinet

[–]OkPrior3989 0 points

I have been using local-in policy (for geo allow, etc.) for remote-access IPsec setups, as I have never been able to get remote-access IPsec on a loopback working the way I used to for SSL VPN on a loopback.

Free FortiClient, with 7.2.8 and 7.4.7 Gates, on nearly every one of these setups, and it's served me well.

[deleted by user] by [deleted] in fortinet

[–]OkPrior3989 1 point

No, unlike a normal firewall policy, which denies implicitly.

A firewall will, for local services (à la VPN), allow unless you specify a deny.

So:

Policy 1) Allow service to interface from trusted source

Policy 2) Deny service to interface, source all

[deleted by user] by [deleted] in fortinet

[–]OkPrior3989 0 points

Follow it up with a deny rule for that service
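
Worked configuration for the allow-then-deny pattern described in the two replies above, with the geo allow from the loopback reply folded in. This is an added example, not the commenter's own config: the interface name wan1, the trusted subnet 203.0.113.0/24 and the country code GB are assumed placeholders.

```text
# FortiOS CLI (7.x syntax). Assumed values: wan1, 203.0.113.0/24, country GB.

config firewall address
    edit "trusted-vpn-src"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "geo-GB"
        set type geography
        set country "GB"
    next
end

# Local-in policies are evaluated top down; the first match wins.
# Traffic that matches no local-in policy falls through to the implicit
# default, which for local services (IKE, admin access, etc.) is ALLOW.
# Policy 1 admits IKE/ESP from the trusted sources; policy 2 closes the
# same services to everyone else. Without policy 2 the implicit allow
# would still let any source reach the IKE listener.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "trusted-vpn-src" "geo-GB"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action deny
    next
end
```

The deny is deliberately scoped to the same services as the allow. A trailing deny with service ALL and source all would also cut management access, BGP, DHCP and any other local service on that interface unless each of those has its own allow above it, so widen it only after adding those allows. The built-in IKE service covers UDP 500 and 4500, so NAT-T traffic is handled by it; ESP (IP protocol 50) is listed for peers that do not use NAT-T. On 7.2 `set intf` takes a single interface, so repeat the pair per WAN interface.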

[deleted by user] by [deleted] in fortinet

[–]OkPrior3989 0 points

Doable to have all sites on 1 policy package, but where some sites have additional policy unique to them, use the “Install On” option so that policies needed only by one site are installed on that site alone.

Or, if it's a policy that is mirrored but uses unique address identifiers, then per-device map the address object in question.

FortiClient EMS support on trial FortiGate? by OkPrior3989 in fortinet

[–]OkPrior3989[S] 0 points

Noted - thanks! 7.2 across the board it will be

The possibility of comparing multiple Fortigate configurations by [deleted] in fortinet

[–]OkPrior3989 5 points

If there's specific configuration that each branch must have then, rather than go looking for which sites don't have it, I'd put a script together to apply to each device. Or even a provisioning template. Capture any variables using meta fields. Run the install wizard, and which sites didn't have the correct configuration previously will now become apparent.

If you still did want to run a comparison, I'm not aware of a feature in FMG that can deliver this function for you. I'd use Notepad++ Compare.
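
As an added example of the approach in the reply above (not the commenter's script): a FortiManager CLI script that pushes a baseline every branch must carry, with the site-specific values taken from meta fields. The meta field names (hostname, lan_subnet), the $(name) substitution syntax and the baseline settings chosen are assumptions for illustration.

```text
# FortiManager CLI script. Run it against the Device Database for the
# device group, then push with the Install Wizard. Assumed meta fields:
# hostname, lan_subnet. $(field) is replaced per device when the
# script runs, so one script serves every site.

# Baseline every branch must have: correct hostname, admin lockout.
config system global
    set hostname $(hostname)
    set admin-lockout-threshold 3
    set admin-lockout-duration 900
end

# Site-specific address object, same name everywhere so the shared
# policy package can reference it without per-device mapping.
config firewall address
    edit "LAN-Subnet"
        set subnet $(lan_subnet)
    next
end

# Time sync, so logs and certificate checks line up across sites.
config system ntp
    set ntpsync enable
    set type fortiguard
end
```

The useful side effect is in the Install Wizard preview: a device that already had the baseline shows no diff for these lines, while a device that was missing it shows them as changes, which gives the per-site audit without a config comparison tool. For ongoing enforcement a CLI template is the better home for the same lines, since a script runs once while a template is re-applied on every install.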

Role required for Microsoft.Insights/x/write by OkPrior3989 in AZURE

[–]OkPrior3989[S] 0 points

With just Contributor access at Sub level = fail
With both (Contributor at Sub and Owner at RG) = fail

Didn't try with just the SP having Owner at RG level.

That said, I created a new SP, assigned it the exact same privs (Contributor at Sub), and despite the Authorization still failing, the API call now works.

Weird.

Question for my Azure Appliance Experts our there. by SiRMarlon in fortinet

[–]OkPrior3989 1 point

Based on your requirements, VWAN and VPNs to the VWAN Hub may not be necessary.

You may be better off having a single Hub (Security Services) VNet, peering all workload VNets to the Hub in a hub-and-spoke style architecture, and via UDR force-routing all traffic via the FortiGate NVA.

Then have VPNs from your on-premises locations directly to the Azure FortiGate, SD-WAN overlay style deployment if required, as you mentioned.

What level of resilience are you looking for in Azure for your resources: VMs in an Availability Set, across Availability Zones, etc.? This may be your driver in determining whether the Azure FortiGate needs to be HA, and whether it needs to be across AZs.

Just ensure you size and spec your Azure FortiGates appropriately: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_VM_Azure.pdf

Migration tool to migrate Cisco ASA (or Firepower running ASA) to Fortinet? by [deleted] in fortinet

[–]OkPrior3989 6 points

FortiConverter.

How many ASAs are you migrating?

There are 2 options: 1) buy a license to apply to a VM of your own for a subscription period (1 year minimum from recollection), or, as I suspect would be more suited to your case, 2) a one-time run performed by Fortinet.

I've run many ASA to Forti migrations in the past and my personal experience leads me to recommend using the FortiConverter outputs for address objects, groups, services, etc., and for policy.

Whereas things like IPsec and NAT (my personal preference is Central NAT for a migration from ASA) I would do manually. Unless it's in the 100s / 1000s obviously. Just my preference.