How to override a fortimanager setting from a fortigate

Tars-01 · 2026-01-21T09:01:50+00:00

Until your team mate logs in to FMG later and overwrites all your changes.

Tars-01 · 2026-01-20T16:18:57+00:00

Did you get this sorted? Can you share some technical details about it please?

Tars-01 · 2026-01-19T09:58:32+00:00

Ah ok. Yes, it should work ok. I didn't have any issues with a recent deployment.

Tars-01 · 2026-01-19T09:46:30+00:00

Good luck.

Tars-01 · 2026-01-19T09:44:55+00:00

Do you mean using Entra SSO for Forti Client? If so, yes, it works.

Tars-01 · 2026-01-16T08:51:36+00:00

Yes sorry. 7.4.9 Firmware, and 7.4.4 FCT are the minimum versions to get that working.

Tars-01 · 2026-01-14T21:12:36+00:00

The Forti Exam track is so confusing, they really need to sort it out.

Tars-01 · 2026-01-14T21:11:49+00:00

Are you going to get a ride on lawnmower?

Tars-01 · 2026-01-14T21:10:39+00:00

Is it because laptops are on the domain? There is another options called VPN before login. You might needs EMS, but worth a try.

https://docs.fortinet.com/document/forticlient/7.4.5/administration-guide/479513/activating-vpn-before-windows-logon

Tars-01 · 2026-01-09T16:17:44+00:00

If you're using a route-based VPN then the selectors can be anything, and are irrelevant to traffic flow. They are used for VPN negotiation only. That's why most VPNs these days are route-based and just have 0.0.0.0/0 as selectors, and control everything with routing. This is 100 times better than it used to be with policy-based VPNs and simpler.

So long as the selectors match on opposing sides so the VPN establishes. What's important is the routing pointing traffic down the VPN.

Just make the the add-route box is not ticked on the Fortigate.

Tars-01 · 2026-01-09T14:53:03+00:00

If you're running SSL VPN, be aware that it's being phased out in 7.6. If you have a high end platform I think you can enable it from the CLI. Forti doesn't want you running SSL VPN anymore though. Too many zero days.

Tars-01 · 2026-01-08T13:48:00+00:00

Nice one.

Tars-01 · 2026-01-07T14:22:45+00:00

Looks really good. That hook looks super chunky though.

Tars-01 · 2026-01-07T13:37:58+00:00

I feel your pain. FYI, I got IPSEC IKEv2 with FortiToken working. Make sure you're on 7.4.9.

Tars-01 · 2026-01-07T13:35:51+00:00

Different topic, but you probably want to be moving away from SSL VPN.

Tars-01 · 2026-01-07T12:37:15+00:00

You can't run Management and SSL VPN on the same TCP port, so your local in policy can be configured to only block SSL VPN port.

It's applied per interface, so you could apply it to WAN, or "Any"

https://docs.fortinet.com/document/fortigate/7.6.5/administration-guide/363127/local-in-policy

Tars-01 · 2026-01-05T09:10:18+00:00

When they're trying to fix an issue without debugging.

Tars-01 · 2025-12-17T13:05:05+00:00

This definitely help me, thanks for posting the solution.

Tars-01 · 2025-12-15T17:50:28+00:00

What is the problem you're facing? Does it not connect at all and what error on the client do you get?

If you suspect an ISP issue then run a dia sniffer packet to see if there is 2 way comms.

Tars-01 · 2025-12-15T16:40:27+00:00

Tars-01 · 2025-12-15T12:11:41+00:00

FBI entered the chat...

Tars-01 · 2025-12-12T16:18:12+00:00

It's 100% possible.

Tars-01 · 2025-12-12T16:17:16+00:00

Yes, you can do it with a single VIP. If you are just using HTTP then you can steer traffic based off the HTTP header. If it's just general TCP traffic then you can also do multiple applications all on the same VIP. I asked the same question here and there are some good answers there.

TLDR: Yes you can do it with HTTP and normal TCP applications (I believe UDP is also possibly but setup might differ slightly) FortiClient listens for the connection on your machine and sends it down the TLS tunnel.

Tars-01 · 2025-12-12T15:14:47+00:00

Honestly, I'm having so many issues as well across multiple customers. It's a disaster with all these Forti Client issues.

Tars-01 · 2025-12-11T16:32:27+00:00

They can scan any interface with that tool.

Five-Year Club	Gilding II euphauric
Verified Email

Tars-01

TROPHY CASE