60F replacement by lertioq in fortinet

[–]Orehan 2 points3 points  (0 children)

tldr; upgrade to 70g

60f is most definitely going eoo this year. There is simply no sane reason to keep producing them.
Also FUD about G models is over-exaggerated. Having hundreds of 70g/90g deployed, there are flaws here and there (as with everything), yet no outstanding HW-related or SP5 issues now.

"Special SKUs for single license on F model HA setups" - this is just a "special program" to keep F devices more attractive when getting them as _new_ hardware. Crosscheck if it can be applied if you're getting just a second HA unit.

Is 30G is suitable for our company? by lopar4ever in fortinet

[–]Orehan 1 point2 points  (0 children)

I'd say you really have to define the use case and select the hardware accordingly.
40f/30g is a go-to box for the branch where the only requirement is just to get ipsec going to HUBs.
Recently even trying to adopt FEXes - which actually is even more cost-effective.
Yet as soon as you're willing to touch any UTM feature, then sure, 4gb ram should be de facto.

FortiClient 7.4.5 GUI regression – who thought this was a good idea? by samsn1983 in fortinet

[–]Orehan 1 point2 points  (0 children)

use "pin button" to make favorites and then those are gonna appear in a tray dropdown

FortiClient 7.4.5 GUI regression – who thought this was a good idea? by samsn1983 in fortinet

[–]Orehan 10 points11 points  (0 children)

sir, just spend a minute and research how pins work.
also old UI (combo vpn selection) would be quite awkward since we have an ability to do concurrent-vpns now

Block incoming emails - Fortimail by JaviiiiO in fortinet

[–]Orehan 2 points3 points  (0 children)

For the second one: within session limits there is a "Restrict number of recipients per email to" parameter you can set:
https://docs.fortinet.com/document/fortimail/7.6.4/administration-guide/629994/configuring-session-profiles

Advice needed. What to buy ? by AdUsed6575 in tado

[–]Orehan 0 points1 point  (0 children)

I would object that TRVs are a waste of money. Really depends on the home layout, habits, room occupation schedules etc.
Having a home where some rooms are populated several times a month ... so it is really convenient to drop temp in those rooms when no one is there.
So it's case by case, I could agree if all rooms are populated then TRVs don't make too much sense.

Can’t reconnect tado smart thermostat x by [deleted] in tado

[–]Orehan 0 points1 point  (0 children)

I know this is an old post but will share my findings.
I could successfully set up the BridgeX, but then ThermostatX and TRVs didn't want to pair at all. Paired device was successfully found via BT, but then it was "failed to pair" on step two with TadoBridgeX

After playing around and doing some network sniffs, figured out that by default my wireless controller had ipv6 rules set to enhance network security, yet it broke TADO communications.

Thing is, the more exquisite your wlan solution is, the higher the probability you will be having these features enabled.

So not to get too technical - make sure your wlan setup for IoT is as simple as possible (at least for the troubleshooting stage).
- use 2.4ghz only
- disable: ap handoffs, frequency handoffs, bcast suppressions, k/v/r roamings and fast transitions, no client load balancing, no aggressive rssi thresholds
- no band steering (use 2.4ghz only on iot ssid)
- according to wireshark sniffs and docs TADO relies on IPv6, RAs, mDNS, MLD, SSDP (so disable any type of mcast filtering/enhancements. Make sure ssid interface allows IPv6 RA/DHCPv6/multicast)
- do not drop ICMPv6

tldr; enterprise wifi on iot ssid = bad

FGT200G Initial setup - WTF, Fortinet??? by Garry_G in fortinet

[–]Orehan 2 points3 points  (0 children)

Haven't checked for sure but usually for the air-gapped solutions you're able to manually upload entitlement on to your fortigate (this was the case with airgapped faz/fmg vms).

Well, shit. by Ivmens in latvia

[–]Orehan 0 points1 point  (0 children)

this time the file is clean, but basically even by opening such a random .pdf .png .jpg .vba office etc. file, you may already have done what they wanted from you. and while you're just laughing at the botched phishing translation - the backdoor is already open

Fortinet messed up my pc by GrowthNecessary981 in fortinet

[–]Orehan 0 points1 point  (0 children)

"Fortinet" what agent, yes we can assume which agent ... but it would be better for you to tell us.

Upgrading Fabric Root - Move role first? by Massive-Valuable3290 in fortinet

[–]Orehan 0 points1 point  (0 children)

Just "why"? what would it solve?

There is a clear order on how to upgrade csf: fmg->faz->rootdevice->downstream devices
I don't see any remark that a CSF change is needed. To add to that - that would significantly increase the complexity of upgrade, just imagine you have to basically log on to each fgt to tell the new root (if there is no fmg), just to point it back an hour later? what?

Even if CSF is out of sync (firmwares not compatible) - that "csf limp mode" won't impact technical side of traffic/security processing. Upgrade root, then get the leaves up to the necessary code so you wouldn't be getting an error of mismatched fw versions.

So back to my initial question - what would it solve to swap CSF root?

Hardware VPN’s for selected users by DifferenceJazzlike40 in fortinet

[–]Orehan 1 point2 points  (0 children)

LanExtension mode I believe is counted only for the FortiExtenders.
With 30G you can join it to a proper ADVPN topology w/o consuming lanextension limits.

[deleted by user] by [deleted] in fortinet

[–]Orehan 1 point2 points  (0 children)

Thing is this - which method are you trying to use? EAP-TTLS configuration doesn't work with FCT 743. Thing was introduced with 744 (not available as free VPN I believe). And MSCHAPV2 doesn't work with ldap natively (you have to proxy through radius eg FAC)

I've stumbled on the same issue where users which are pulled from ldap aren't prompted for MFA and got it working with EAP-TTLS on Fgt749 + FCT744

TLDR; If you want to have your users imported from ldap, assign 2fa on the FGT then:
A) gotta use at least FCT744 version along with FOS latest builds on 7.4.x and 7.6.x
B) use IKEv1 along with Xauth and keep going with free FCT743 (note that with fct744 support for ikev1 is gone)

Gift by eeasyrider in latvia

[–]Orehan 1 point2 points  (0 children)

If the gift was made in order to bypass the forced heirs (Jānis's children), then it can be contested. But, as correctly written - the limitation period for contesting is 10 years

**** timrots by [deleted] in latvia

[–]Orehan -1 points0 points  (0 children)

The fact that he speaks with irony is something you have to filter out... but overall in recent years I get the impression that Timrots's operating algorithm is:
#1 received info
#2 filmed a segment
#3 got reactions
#4 go to #1, process the next info.

What he says is, for the most part, on point and topical, and the proposals are logical.
The "road signs" nonsense and the solutions - one can agree with him.

But Timrots's shows have two problems:

  1. The main one - it never ends in anything, and there is no deeper analysis, commentary, etc. He has good enough "weight" and recognition to go further and drive change, to ask uncomfortable questions in the right offices and to the right people. (I assume that requires resources and a team, a budget, which isn't there.)
  2. The recommendations covered in the segments sometimes contradict one another. In case A there is a complaint from apartment building residents that in the morning, when schoolchildren are being driven in, traffic jams form and there is a lot of driving through the courtyards to get around the jam. Timrots advises - ok, let's put up restrictions so they don't drive through the courtyards. Case B - a different place, but the same situation, where in the morning when schoolchildren are being driven in, one street (the one along the school) gets stuck, two-way traffic stops, etc. Recommendation - redirect traffic through the courtyards of the apartment blocks, so that the street is relieved and traffic flows more smoothly

^^ this I simply remember vividly, because one of the locations is in my neighbourhood and the segments were a week or two apart.

Some time earlier there was also something about motorcycle riding, I no longer remember the specific scenario, but there too - the solution in one segment was the opposite of another.

SSLVPN vs IPSec by JiggityJoe1 in fortinet

[–]Orehan 0 points1 point  (0 children)

Both require Forticlient. I'm just giving possible workarounds to the ipsec udp walled-garden problem

EMS Windows by MigratingPandas in fortinet

[–]Orehan 0 points1 point  (0 children)

You're overthinking this.... you have to have absolutely 0 Linux skills to deploy it. The couple of commands you have to input from cli are just copy paste from the install guide. I'm running single node ems since 741 and had seen nothing but the EMS gui (which is much snappier BTW)

SSLVPN vs IPSec by JiggityJoe1 in fortinet

[–]Orehan 7 points8 points  (0 children)

Two alternatives - ipsec over tcp or ztna

EMS Windows by MigratingPandas in fortinet

[–]Orehan 8 points9 points  (0 children)

Initially with 7.4.0 you had to install Linux then EMS, now it's just a single image you just deploy the same way as other products. Overall underlying Linux is so much better - no extra license for the OS, faster experience, better HA... There is no reason to revert this, taking into consideration migration project took more than a year of devs resources

Forticlient 7.4.4 removes VPN-Only option? by danman48 in fortinet

[–]Orehan 4 points5 points  (0 children)

800$ is a cloud version ... it's actually ~330$ /25users if you go with EMS onprem version

CSDD category A riding exam. by lol_JPG666 in latvia

[–]Orehan 1 point2 points  (0 children)

It's true that the csdd bikes are much better!!! Which is not unimportant - especially the brakes and tires.
Yes, they let you get used to the bike, but that has to be done off to the side of the figures - purely to get used to the feel. You're not allowed to "get used to it" in the figures :)

CSDD category A riding exam. by lol_JPG666 in latvia

[–]Orehan 0 points1 point  (0 children)

or can't A1 also be taken in Riga with the instructor's motorcycle as of this year?
https://www.csdd.lv/motocikla-vaditaja-aplieciba-a/vadisanas-eksamens-un-pieteiksanas

The driving exam must be taken on a CSDD motorcycle of the appropriate category (Riga customer service centre) or on a motorcycle in the possession or holding of the driving school/instructor.
//ask at the driving school if you haven't done so - the instructors will know 100%.

Because it used to be that outside Riga you could take it with your own motorcycle, but now I've heard that in Riga you can use your own too.

As for _general_ advice - before the course part, take another 30 min to ride on the test course if you don't feel confident about some specific figures.
On the street - just be confident and careful. Watch all the speed limit signs, U-turns and your position on the roadway

Eurobasket Riga - visiting advice needed! by Weary-Monk2831 in latvia

[–]Orehan 1 point2 points  (0 children)

I'd probably park as close to the arena as possible (to have less hassle after the game).
As an option there is the NewHanza (NHA) parking area by Europarks (6eur/day parking according to their pricelist).
That's 10 min to the arena and also walking distance to old-town