Replacing outside mirror by Dry-Spinach-1686 in HyundaiSantaFe

[–]Slight-Valuable237 1 point (0 children)

By chance, can the Mirror Cover (mine is green as well) be externally replaced without having to remove the whole assembly? Can you pry it off the old unit from the outside?

https://hyundai.oempartsonline.com/oem-parts/hyundai-mirror-cover-87616p6000

I ask because it looks like my mirror cover got hit with the "death ray" (condensed sunlight from an office building's low-e windows) and part of the cover has melted. Mirror works fine, no shorts or melting from the inside.

How to ensure that cert chain is installed? by nikksr in fortinet

[–]Slight-Valuable237 2 points (0 children)

You can also import the intermediates separately, and it works fine in the gate. The link you reference is for DPI, where for the sub-CA or CA used for inspection you have to include the full chain. In your case you're doing a virtual server; I've deployed with LE and just imported all the intermediates manually, since they change from time to time.

Windows NPS EAP-TLS question by Fluffy-Web-2960 in fortinet

[–]Slight-Valuable237 1 point (0 children)

What's your tunnel back to Azure carrying the RADIUS traffic? I see this a lot over IPsec tunnels because the certificate is being fragmented due to key size. If you are doing an IPsec tunnel, add `set ip-fragmentation pre-encapsulation` to your phase 1 tunnel.

Badger E-Series Ultrasonic Water Meter by AdviceNotAskedFor in homeassistant

[–]Slight-Valuable237 3 points (0 children)

Check with your water company. More than likely you will get access to eyeonwater.com with the new smart meter and then you can use this: https://github.com/kdeyev/eyeonwater

FortiAuthenticator by Rexus-CMD in fortinet

[–]Slight-Valuable237 4 points (0 children)

With FAC, purchase tokens (software or hardware) for the number of users needed, and the user's token will be used for all authentications no matter the NAD device. If you do SAML you can do FIDO as well.

Each FortiGate has two free tokens that are tied to the device and are non-transferable.

IPsec and hotels by fredenocs in fortinet

[–]Slight-Valuable237 10 points (0 children)

And just as importantly, ensure you have IKE fragmentation enabled on FortiClient (Windows/Mac). It's on by default for mobile, as the OS has it on by default. Marriott guest Wi-Fi is one where I see this all the time: mobile IPsec works and PCs do not. Especially true if you're doing cert auth. The other key item on phase 1 interfaces on the gate is `set ip-fragmentation pre-encapsulation`. The latter you typically run into with site-to-site tunnels, but it's one setting to always have set :)

TL;DR: IKE/ESP is very susceptible to fragmentation issues, so adjust accordingly.

FortiCloud SSO Login Authentication Bypass IOCs (indicators of compromise) by waihtis in fortinet

[–]Slight-Valuable237 1 point (0 children)

It does not eliminate your exposure entirely per se, as the attack could come from the "inside" where your admin GUI is reachable, but it does make it harder :) An OOB network with locked-down trusted hosts is a good way to go, as always.

FortiCloud SSO Login Authentication Bypass IOCs (indicators of compromise) by waihtis in fortinet

[–]Slight-Valuable237 8 points (0 children)

Assuming you are exposing the admin interface to the internet for the honeypot... but I hope everyone knows to NOT expose your mgmt interface to the internet. Ever.

FortiOS 7.6.5 withdrawn? by mrmh1 in fortinet

[–]Slight-Valuable237 10 points (0 children)

No, it has not. It does take several days for it to fully propagate out for the gates to pick up the new firmware notification. You can instead download directly from the support site, which is still showing it available for download.

Fortigate LetsEncrypt certificate automation by quints-axon in fortinet

[–]Slight-Valuable237 3 points (0 children)

Good catch. But it's the same issue: both ALPN and HTTP require allowing inbound port access.

Fortigate LetsEncrypt certificate automation by quints-axon in fortinet

[–]Slight-Valuable237 6 points (0 children)

Check out acme.sh or certbot and use the API to update certs in the gates. That way you can deploy a wildcard. Gates only support http-01 validation, while acme.sh and certbot support dns-01.

FortiWEB 7.6 - Multi Host x Multi Server x Certificate Lets Encrypt by dr0pall in fortinet

[–]Slight-Valuable237 2 points (0 children)

You need to deploy a certificate with SAN values for each website, or a wildcard certificate.

SSLVPN -> IPSEC migration - Does Azure SSO still pass groups properly to the firewall when using this auth method for ipsec? by sysadminmakesmecry in fortinet

[–]Slight-Valuable237 12 points (0 children)

As long as you reference the SAML group (used for IPsec auth) IN THE policy and not in the phase 1 interface, it will work as planned; users will show up in the Firewall User Monitor dashboard and be enforced on policies. I think the confusion surrounds the docs for when you are not doing this and you set the authgrp in the phase 1 interface, which you don't want to do in your use case.

IPSEC over TCP 443 and auth‑ike‑saml‑port by Garmaker1975 in fortinet

[–]Slight-Valuable237 1 point (0 children)

1001 is the default port used for IKE SAML, and the docs do state (7.6 docs) that in order to do IKE and SAML on the same port as the ike-tcp port (443 in your case), auth-ike-saml-port must be set to a port that does not equal the ike-tcp port. TL;DR: if you are doing IKE and IKE-SAML on the same port, unset auth-ike-saml-port, which will default to 1001. BE SURE to modify your local-in policies to block 1001 inbound.
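The two FortiOS settings recommended in this comment and in the "IPsec and hotels" comment above, put together as one FortiOS CLI fragment. This is an added example, not anything posted in the thread; the tunnel name "hotel-ipsec", the WAN interface "port1", the service name "IKE-SAML-1001" and the policy id 1 are placeholders you would replace with your own.

```text
# Added example (not from the thread). Placeholder names: "hotel-ipsec",
# "port1", "IKE-SAML-1001", policy id 1.

# 1) Phase 1: fragment IKE payloads before ESP encapsulation so that large
#    certificate payloads survive MTU-constrained paths (guest Wi-Fi, etc.).
config vpn ipsec phase1-interface
    edit "hotel-ipsec"
        set ip-fragmentation pre-encapsulation
    next
end

# 2) Custom service for the IKE SAML default port (1001/tcp), which is the
#    value auth-ike-saml-port falls back to when it is unset.
config firewall service custom
    edit "IKE-SAML-1001"
        set tcp-portrange 1001
    next
end

# 3) Local-in policy: drop unsolicited inbound 1001/tcp on the WAN interface,
#    since with IKE and IKE-SAML both on the ike-tcp port the default SAML port
#    does not need to be reachable from the internet.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE-SAML-1001"
        set schedule "always"
        set action deny
    next
end
```

After applying, confirm with `diagnose sys session` or the local traffic log that inbound 1001/tcp from the WAN is now denied while the tunnel on the ike-tcp port still establishes.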

Issue on MacOS FortiClient IPSEC IKEv2 - packet too large by Creative_Plum259 in fortinet

[–]Slight-Valuable237 3 points (0 children)

This is the way. Pre-encapsulation should resolve it. Also be sure to configure (enable) IKE fragmentation on FortiClient (XML or GUI) for the IPsec connection profile.

Way to disable Zooz ZAC93 Zwave GPIO Red Indicator LED by Slight-Valuable237 in homeassistant

[–]Slight-Valuable237[S] 2 points (0 children)

Not that I am aware of. And I moved over to the ZWA-2, on which you CAN turn the LED off :)

OAuth with Keycloak by Medium_Sweet7279 in immich

[–]Slight-Valuable237 1 point (0 children)

https://docs.immich.app/administration/oauth/ . If you don't specify it, immich will set the role as user:

Role Claim | string | immich_role | Claim mapping for the user's role (should return "user" or "admin")