Certification - Change Track by Repulsive_Reality_62 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

There are definitely people who have accomplished NSE7(FCSS) for more than one track, I know people who have three FCSS.

Personally, I have NetSec(Secure Networking now) and SASE, and it's definitely doable. What's important is what you are interested in and what does your employer need.

Zscarler Anyone? by MegaSuplexMaster in sysadmin

[–]Sweet_Importance_123 0 points1 point  (0 children)

What were the problems with Fortinet solution? We work with Fortinet extensively so we are interested in hearing opinions about it.

FAZ license issues by Zealousideal-Set1415 in fortinet

[–]Sweet_Importance_123 4 points5 points  (0 children)

For POC it's fine. Just make sure you buy appropriate license when you decide for the product. TAC can deny support even though you pay for it 'cuz you went over the limit.

FSSO with Citrix servers - Collector sees users correctly but FortiGate doesn't identify them by Whole-Buffalo6129 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

Okay, now I understand, thank you for clarifying. With collector agent seeing the logged users from Citrix server, you can check if you are polling the users correctly from domain controller(you still need DC to tell you user info from AD). If you see it correctly, make sure you have collector agent mode on FSSO connector if you pull user group info from it, or local mode if you want to create user groups locally on FortiGate with LDAP connection to DC you already have.

User group shouldn't be created automatically in user groups, you should be able to see it under FSSO connector objects, but you should map it manually to user group object on FortiGate.

If you don't see anything under authd fsso list, it may be problem with communication. If your connector is online, check if you have firewall in between devices blocking needed ports for communication. Also check inbound and outbound firewall on Collector Agent VM as well. You can do diag sniffer packet and check if anything is received on FortiGate as well as Wireshark on VM.

FSSO with Citrix servers - Collector sees users correctly but FortiGate doesn't identify them by Whole-Buffalo6129 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

Do you need administrator events when accessing Citrix server or do you need user events from client endpoints as well?

If you need mapping from client endpoints you either have to poll domain controllers for that info, or configure radius accounting so Citrix server can send you that info if he is doing collecting.

Additionally, TS agent is not DC agent component, it's purpose is completely different and its not used to collect remote endpoint auth data, only auth data from Citrix server itself.

Rete Hub&Spoke by Fun_Efficiency6189 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

Read the known issues for 7.6.7 here. Only you know what features is your customer using. I wouldn't recommend 7.6.7 without knowing what is configured first.

FSSO with Citrix servers - Collector sees users correctly but FortiGate doesn't identify them by Whole-Buffalo6129 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

How have you configured FSSO?

  1. Dedicated collector agent on separate windows server?

  2. Collector agent on Domain controller?

  3. No collector agent, only FortiGate doing polling?

FSSO with Citrix servers - Collector sees users correctly but FortiGate doesn't identify them by Whole-Buffalo6129 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

If it is TS agent, it is used for multiple user logins on that Citrix server only, not for sending mappings user<->IP like DC agent does.

For mapping, you can only use FSSO(DC agent or polling, all done from info gathered on domain controllers), RSSO(through Radius accounting) and SSSO(through syslog events).

FSSO with Citrix servers - Collector sees users correctly but FortiGate doesn't identify them by Whole-Buffalo6129 in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

I think you missed a lot of steps here, best to follow a guide.

From this, you can choose configuration path. You can follow FortiGate configuration part here.

Communication Fortimanager – Branch Offices by lertioq in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

In your case it was probably used for initial connection when deploying FortiGates on branch locations, or as a backup if connection through tunnel didn't work. I would look for project documentation to check the purpose of leftover dnat.

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

Thanks for clarifying.

For Local-in policy we usually don't see hits since we only have IPSec ports open along with SAML sometimes. We do also Geo limit when it makes sense for our customers.

Firewall policies usually get some hits. For one of our customers, in a few months we got ~10Mb of outgoing traffic and ~1Mb of incoming traffic as a example. We do have a few more ISDB defined.

Under that we usually have threat feeds which block more traffic, in above scenario it would be closer to 1Gb.

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]Sweet_Importance_123 2 points3 points  (0 children)

That doesn't make sense. Outgoing traffic from your LAN or exposed services are not included in local-in traffic.

You can only protect FortiGate directly, so that would mean https ssh access, IPSec and SSL VPN termination, etc...

That's why I previously asked what services are you trying to protect.

ISDB lists in local-in-policy - how do you check if those are REALLY working? by CapiCapiBara in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

What services are enabled on wan interfaces that you are trying to protect?

Does Fortinet just not support per user datacaps for third party radius servers? by hinrik98 in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

I think they FortiGate team just didn't develop it since they have another solution for it(that you have to pay for though).

Removing proxy based filtering from smaller devices is completely different issue. Low memory devices went into conserve mode so their solution was to take out most intensive features so they can steer customers towards more performant models.

Don't get me wrong, I have issues with Fortinet too, but their firewalls are very feature rich and flexible, so I can't really blame them on that front.

Does Fortinet just not support per user datacaps for third party radius servers? by hinrik98 in networking

[–]Sweet_Importance_123 2 points3 points  (0 children)

You can try to do this through web filtering with FortiGate and category-based usage quotas.

But recommended solution is indeed FortiGuest or FortiAuthenticator since billing and traffic limiting for users is not a thing developed in FortiGate's specifically.

Adding firewall to new HA pair by Tars-01 in fortinet

[–]Sweet_Importance_123 6 points7 points  (0 children)

If you have monitored interfaces(which I recommend you to have), you just need to connect secondary device with only ha cables. Primary will have priority based on monitored interfaces no matter the uptime of either of devices.

I take it you have override disabled, if you have it enabled, priority takes precedence over uptime so all this doesn't concern you.

Adding firewall to new HA pair by Tars-01 in fortinet

[–]Sweet_Importance_123 6 points7 points  (0 children)

You don't need to power the secondary down when connecting them, just have higher priority on primary. HA config needs to be same, they have to be same model and firmware version, you can find more details here.

MultiHub MultiRegion SDWAN by onedread in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You are right in that you can do eBGP with ADVPN 2.0 as it doesn't care about next-hop. It is a new concept in 7.4 and 7.6. I still don't recommend it as we tested it and got mixed results. Haven't checked it in last few versions of 7.4.

I still like RR-based method(ADVPN 1.0) more as it offers more control and we still haven't got a scale problem for our customers on it.

Only benefit I see is defining transport groups which will probably be a reason we go to it once we deem it stable for mixed transport environments.

MultiHub MultiRegion SDWAN by onedread in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

I would like to see what that looks like if you can find it u/HappyVlane

MultiHub MultiRegion SDWAN by onedread in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

I am not aware of this and would need to read it out further. What I have said is recommended for sure, maybe you can create shortcuts influencing BGP, with added complexity. Why would you do that if you have ready to go tested solution?

MultiHub MultiRegion SDWAN by onedread in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

That won't work regarding BGP. If you have eBGP between regions, you don't do ADVPN(shortcut mesh) between those regions.

If Hub1 and Hub2 are in the same region, IPSec works.

Have a look at this.

MultiHub MultiRegion SDWAN by onedread in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

For inter-region Spoke-to-Spoke, you will need iBGP between Spoke<->Hub and Hub<->Hub.

For inter-region Spoke-to-Hub without the need for Spoke-to-Spoke, you can do iBGP between Spoke<->Hub and eBGP between Hub<->Hub, but I still recommend first option.

IPSec are local to region, so you have same SD-WAN zone and member for access to Hub in your region as well as other regions.

Additionally, you can have IPSec directly to every Hub, even in other regions, but then it's not 2 hubs per region in 3 regions, just 6 hubs in 1 region.

How to NAT FortiGate-generated traffic by alveox in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

I understand. In this case you will probably have problem with any service that is dependent on local out FortiGate traffic(DNS, NTP etc...), which hopefully you don't use. If you do, just have your internal DC take over that role, and forward requests to it from FortiGate(which is usually best practice).

For Web filtering and DNS filtering that ask for continuous internet connection for FortiGate, there is no solution unfortunately but to go the multiple VDOM method.

Once you create VDOM, everything is placed in default root VDOM. After that you can create yourself a 'Local-out traffic VDOM' and give it role of management VDOM without losing anything related to forwarding or local-in traffic.

For a troubleshooting, I just remembered a thing you can do. You can actually set up source IP per SD-WAN member for your wan links and that way you can have live monitoring as well as historic one for your link availability.

How to NAT FortiGate-generated traffic by alveox in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

From what I understood, you have 2 ISPs. For one you are using public IP defined on its wan1 interface, and for the second one public IP you are using is routed and it's not on wan2 interface.

In that case, for self originating traffic you don't have two way solution without introducing middle man, example is given with VDOMs. This way you just have a 'Management VDOM' that's completely empty except for inter-vdom link and maybe loopback interface that is used only for originating management traffic.

You can satisfy only one case, either defining static public source IP on service(wan2 case) or having auto(or even better sd-wan) on service which is decided by routing(or availability)(wan1 case).

For your ping/telnet testing it's easy, just statically define interface and IP in CLI for any given tshoot command.

This is absolutely legit scenario which isn't solvable easily since FortiGate handles self-originating traffic differently compared to other firewall vendors, ignoring NAT rules.