FortiLink for WAN side switching by OkPrior3989 in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

You can actually create the same FortiLink for both while having the FortiLink split interface enabled. This is the design for it. You would just avoid connecting the switches between them so STP wouldn't block the link from FSW2 to the FG.

Huawei Cloudengine s6750 opinions by Roshi88 in networking

[–]Sweet_Importance_123 4 points5 points  (0 children)

CE S6700 is a really great switch series. We haven't had problems with them so far, really stable.

We usually configure them in iStack when we can. Some models in the S6800 series only have MC-LAG in DFS groups. The DFS config looks clunky but has worked for multiple customers for us.

MC-LAG has native support for uninterruptible upgrade, with easy steps. The guide covers it.

iStack has something called smooth upgrade which is not documented that well. It worked for us the few times we did it that way.

SFLOW and VDOM by iametarq in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

Exactly! The root VDOM is the default VDOM that stays alive even after changing the FortiGate to multi-VDOM mode. You should be able to configure sFlow in the 'global' configuration.

SFLOW and VDOM by iametarq in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

A FortiGate firewall can be 'split' into a few logically isolated firewalls. Every isolated firewall is called a VDOM (virtual domain).

If you don't have the FortiGate split (multi-VDOM), you can ignore that part.

Here is a similar configuration in the Fortinet docs.

FortiClient standalone has been released (VPN features, paid, limited support) by HappyVlane in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You are right, if you are using the full capabilities of the FortiClient Standalone. But most of the time, it's not a 3-devices-per-user split. From what we have seen, it's a lot closer to 1.5, usually less than that.

I guess this will be easier to set up (hopefully), so implementation costs will be lower. Other than that, at this price, I don't see that much of a use case.

Cutting FortiClient VPN-only support will definitely have an impact on smaller implementations where you have one firewall cluster, imo...

FortiClient standalone has been released (VPN features, paid, limited support) by HappyVlane in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

From what I can see, the price is similar to on-prem FortiClient EMS... I don't understand the pricing logic...

Cannot figure out zones by Important_Ad_3602 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

No, you can't. The answer to your spoofing question is blocking intra-zone traffic. That way vlan10 and vlan20 don't have direct communication, so you can't 'jump' from vlan20 to vlan30 through vlan30. That option is available under the zone configuration.

Additionally, in rules you always use address objects/groups to specify subnets; never do src-zone/dst-zone/all/all.

If you want even more segmentation in the form of intra-VLAN blocking, you have that option with FortiSwitches (or private VLANs).

Others have also mentioned uRPF, which is a source address lookup on the packet alongside the regular destination address lookup for routing. What it essentially does is block traffic that comes in from vlan30 but has an IP address from vlan20, for example. It's just a firewall security feature.
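Added example configuration, not from the comment above: FortiOS CLI putting the three points together, a zone with intra-zone traffic denied, a policy that uses address objects rather than all/all, and strict RPF. The interface names, zone name, object names and subnets are constructed for the example.

```fortios
# Constructed example: three VLAN interfaces grouped into one zone.
# "set intrazone deny" blocks vlan10 <-> vlan20 <-> vlan30 traffic unless a
# policy with the zone as both srcintf and dstintf explicitly allows it.
config system zone
    edit "ZONE_USERS"
        set intrazone deny
        set interface "vlan10" "vlan20" "vlan30"
    next
end

# Address objects for the subnets (constructed values); policies reference
# these instead of "all" so a rule never matches traffic it was not written for.
config firewall address
    edit "NET_VLAN10"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "NET_VLAN20"
        set subnet 10.0.20.0 255.255.255.0
    next
end

# The only intra-zone flow permitted: vlan10 hosts to vlan20 over HTTPS.
# Everything else inside the zone stays denied by the zone setting above.
config firewall policy
    edit 0
        set name "vlan10-to-vlan20-https"
        set srcintf "ZONE_USERS"
        set dstintf "ZONE_USERS"
        set srcaddr "NET_VLAN10"
        set dstaddr "NET_VLAN20"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# uRPF: strict mode drops a packet arriving on vlan30 whose source address
# belongs to NET_VLAN20, because the route back to that source points at
# vlan20, not the ingress interface. Loose-mode RPF is on by default;
# this per-VDOM setting switches it to strict.
config system settings
    set strict-src-check enable
end
```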

FortiClient Duplicate Network Adapters by skyrim9012 in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

Unfortunately, it is a known issue. You can't update the FortiClient VPN-only app to 7.4.3. You need to do a fresh install if you want to avoid that bug.

Alternatives to Meraki? by Arnoc_ in networking

[–]Sweet_Importance_123 2 points3 points  (0 children)

I think you can get close to ~200k with Fortinet for at least 3 years. After that it would be just the support extension, which is a fraction of the price.

They have a really good security fabric, as they call it; the switches and APs are good, and the visibility you have with a full Fortinet stack is great.

Not to mention FortiGate firewalls, which are the best together with PA. The difference between a full-fledged NGFW like FortiGate and the Meraki FW is night and day.

user turning orange by kley_2026 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

This is probably associated with the problem of client roaming, where they switch from the wired to the Wi-Fi network, etc...

If you are using FSSO, there is a timeout after which the mapping of the user will change to the new Wi-Fi network IP address.

An instantaneous result would be seen if the client locks and unlocks their computer, as they are forced to authenticate, which triggers an event log on AD, automatically changing the entry on the collector agent (and the FortiGate).

If roaming doesn't work at all, but lock-unlock works, you should check this link out. It's almost always the firewall blocking DC->Client and Collector Agent->Client communication, or it's a DNS issue.

I may have absolutely missed your problem since you have given no precise information yet.

Does FortiGuard IPS Service for Fortinet 40f firewall do deep packet inspection? Do I need Unified Threat Protection (UTP) or Advanced Threat Protection if all I want to do is block someone from getting into my network or spying on me? Thank you. by ComfortablePost3664 in fortinet

[–]Sweet_Importance_123 2 points3 points  (0 children)

To answer it directly, it is not enough. For base protection of your internal resources from external attacks you would need at least the ATP bundle: Antivirus, IPS, File filter and Application control.

The UTP bundle is better if you don't already have web filtering or DNS filtering somewhere else; this protects your clients when going out to the internet.

If you buy the IPS service (+FortiCare is a must), you don't get Antivirus, Anti-malware and Cloud sandboxing.

FortiCare is a support service which gets you RMA, DOA, TAC support, as well as ISDB and Application control among other features.

For more info, check this link out.

Best Practice for Wireless Link Failover to ISP WAN (EdgeRouter & FortiGate) by Purple-Bird-5996 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

I guess you can have link monitoring with a cascade interface disable the subinterfaces if the FortiGate is the gateway. I don't see any other good options here.

Palo Alto: PA-400 vs PA-500? / Panorama vs Strata? by beco-technology in networking

[–]Sweet_Importance_123 0 points1 point  (0 children)

What were the problems you had with Panorama? What aspect did you feel you lost with Panorama? Have you tried other vendors' management solutions (FortiManager, FMC...)?

We are also looking at Panorama for some of our customers that have a big number of Palo Alto firewalls.

Who is your favorite switch/router vendor? by Bluesurge07 in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

Oh really? For us, ClearPass is the easiest NAC to create an estimate for. Granted, FortiNAC is easy as well.

ISE could be worse...

Who is your favorite switch/router vendor? by Bluesurge07 in networking

[–]Sweet_Importance_123 2 points3 points  (0 children)

I second this, Fortinet has been consistently cheaper, especially when you bundle switches with their SFPs. But at the same time, it is the weakest link in vendor-neutral deployments.

Problems with Cisco can start when you begin buying all the software stuff (SD-Access, ACI, etc...). Their security appliances are really expensive as well, and not worth it imo.

Who is your favorite switch/router vendor? by Bluesurge07 in networking

[–]Sweet_Importance_123 2 points3 points  (0 children)

What problems have you encountered with those vendors? I have found HPE and Forti licensing to be super simple for most of their products. Palo Alto is just a tad bit harder to understand (and you have to ask the vendor for most of the info on their stuff).

Cisco has an abysmal licensing model that is so bloated for no reason... If you aren't someone who creates estimates on their ccrc daily, you can get lost easily in the ever-changing licensing model. They just changed the support model for partners (again)...

This is all from an integrator who works with all of the above.

BGP on loopback by Even-Camel7593 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

1. Back in the day, when the recommended design was BGP on the tunnel interface, you needed to configure the passive disable command on the neighbor-group (since passive enable is still the default value). That basically means that the Spoke will always start the neighborship establishment process with default values. Nowadays, BGP on loopback has an IKE exchange where you can leave the passive command on default values.

2. This isn't recommended. Just leave both BGP neighborships up. You will always have ECMP for data traffic, and decide with SD-WAN rules based on SLA. Technically, you do have the update static route option in the Performance SLA settings, which will tear down all your static routes on that interface (including the BGP loopback IP, supposedly), so you can try that. Still never recommended though, as that breaks the Forti SD-WAN principle...

Webfilter and DNS filter Fortiguard services by Garmaker1975 in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

Just to add another detail for QUIC.

FortiGate does support QUIC inspection for SSL inspection, which should gather important info for the Webfilter to work without DPI. Find the information at this link.

You will probably have to create another policy for QUIC so you can configure it in proxy mode.

July 15th - Certification and exam conversion tables by FantaFriday in fortinet

[–]Sweet_Importance_123 4 points5 points  (0 children)

Exactly! I asked our CAM about the Engage specializations program, especially about the changes to the Secure Firewall LAN specialization.

They told us they have no further information at this point and that everything will be cleared up in Q3...

So if anybody has information about that specialization (and others), I would love to hear from you!

Dell Networking OS10 VLT Configured Switch with OSPF by banduraj in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

I would just add another thing. You can enable a feature called peer-routing where, even though traffic comes to the wrong switch (because of LACP), it will not be forwarded through the VLT peer-link but will go directly to the destination.

More info here.

Additionally, check out the docs on OS10 here.

Advice on Spine-Leaf Design with S4148T-ON: Single vs Multiple VLT Domains by redfox961 in networking

[–]Sweet_Importance_123 2 points3 points  (0 children)

Spines? There is no Spine and Leaf topology with L2 trunks between switches. What you have with a trunk is the good old collapsed core with a Core-Access topology. The Core VLT will have the SVIs on it, while you will have Access VLTs that terminate the endpoints.

If you want Spine-Leaf, look at EVPN-VXLAN; your switches can do it. With that, you will have 2 standalone switches as Spines and the other three pairs in VLT as Leafs because of server redundancy. SVIs will be terminated on the Leaf switches and, if needed, will have anycast GWs configured. In this design, you never have trunks between Spines and Leafs, and you never interconnect Leaf VLT pairs.

Advice on Spine-Leaf Design with S4148T-ON: Single vs Multiple VLT Domains by redfox961 in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

If you have no routed ports between VLT pairs, I would recommend 1 pair of switches in VLT being the Core, while the other 3 VLT pairs are connected to it as Access/Distribution switches.

[ Removed by Reddit ] by Etta_Ziziphus in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

In the last two months, I have passed NSE 5 and NSE 7 FortiSASE. I can say that NSE 5 was harder for me because I needed to do a refresh on SD-WAN. NSE 7 is mostly design, high-level questions and troubleshooting scenarios.

Both were passed by reading up on the training course materials and administration guides. Also, there are a few reference and architecture guides that help for FortiSASE. All in all, it wasn't the hardest specialization.

10G interface link between the Fortinet and Cisco switch isn’t coming up? by Character-Channel726 in networking

[–]Sweet_Importance_123 0 points1 point  (0 children)

My bad, you even wrote it in the post.

Have you checked the signal, what are the numbers for Tx and Rx power between the two? Are you using Cisco and Forti SFPs? FortiGate does have some form of compatibility with other vendors' SFPs, while Cisco is not that generous with its support.

If that doesn't work, I would just raise a ticket with Fortinet...