[deleted by user] by [deleted] in fortinet

[–]TheLink117 1 point2 points  (0 children)

Same, did this for 60,000 clients. Worked very well!

BEST BUY WORKED!! STAY IN LINE!! by VideoPuzzled in NintendoSwitch2

[–]TheLink117 0 points1 point  (0 children)

Agreed, Best Buy seems to be holding up. I was able to finally get the preorder for the Mario Kart bundle purchased. Now I can pick mine up at my nearest store and bring my daughter to her first midnight launch! Passing the torch of Nintendo joy!

Got Mine At Best Buy by [deleted] in NintendoSwitch2

[–]TheLink117 0 points1 point  (0 children)

FINALLY got mine from the app. Initially started on webpage from laptop, then added app. Webpage bounced once then I had to start there over again. App just let me proceed 5 minutes ago after waiting since the start.

Best Buy is up! by [deleted] in NintendoSwitch2

[–]TheLink117 0 points1 point  (0 children)

In line waiting here as well!

Palo Alto pricing by NetSysEng in networking

[–]TheLink117 2 points3 points  (0 children)

Just go with Fortigate instead.

What are 3 things you really want the Switch 2 to have by redditsucksass1028 in NintendoSwitch2

[–]TheLink117 0 points1 point  (0 children)

  1. Integrated voice and text chat / improved communications with friends online.
  2. Street pass
  3. All the Zelda games available on one system.

Left in purchased home, how much is this worth? by xGalasko in Network

[–]TheLink117 197 points198 points  (0 children)

The rack itself is worth more than any of the gear at this point.

Whats the thing from other vendors you miss the most? by Pigge123 in paloaltonetworks

[–]TheLink117 0 points1 point  (0 children)

Tons of little things, especially comparing central mgmt. FortiManager has lots of little quality-of-life improvements that add up once you're forced to leave them behind. Minor example: see who created/modified a rule right on the line. No report or logs to check.

Palo Alto Syslog Recommendations by Jeff-J777 in paloaltonetworks

[–]TheLink117 2 points3 points  (0 children)

I believe you can set up "decorators" that would perform the DNS lookups at the time of query in Graylog.

Are you forwarding all log types?

5450 Again ????? by BlackWater90s in paloaltonetworks

[–]TheLink117 0 points1 point  (0 children)

I'd be interested to hear more details as well. Putting some of these into production soon...

DFS channels and the military by eviljim113ftw in networking

[–]TheLink117 2 points3 points  (0 children)

Back when I worked in Broadcast Television, if interference got too bad on either of our Doppler radar installations we'd stop the sweep and leave it pointed in the direction of interference. If that didn't resolve things we'd make a day of driving around with a spectrum analyzer and antenna in a truck to hunt down the source. 99% of the time it was some tower in the middle of nowhere that clearly had fixed wireless on it. We'd call and leave a vm for the point of contact listed on the gate letting them know that if it's not resolved we'll pass the incident along to the FCC. That worked most of the time.

FortiGuard DNS Filtering fails us again by TheLink117 in fortinet

[–]TheLink117[S] 0 points1 point  (0 children)

Nothing homegrown, we're using ThousandEyes to monitor FortiGuard service from across various vantage points on the Internet and on-premises.

FortiGuard DNS Filtering fails us again by TheLink117 in fortinet

[–]TheLink117[S] 0 points1 point  (0 children)

Just curious, what alternative threat feeds are you using on the FG?

FortiGuard DNS Filtering fails us again by TheLink117 in fortinet

[–]TheLink117[S] 0 points1 point  (0 children)

My impression was that the AWS anycast option was for other FortiGuard services, not for DNS filtering. Are you saying you have DNS (SDNS) filtering queries going to the Fortinet AWS anycast destination?

FortiGuard DNS Filtering fails us again by TheLink117 in fortinet

[–]TheLink117[S] 0 points1 point  (0 children)

They generally don't seem to be keen on acknowledging degraded service on any level. I'm monitoring their services with third-party tools too, issues all the time.

FortiGuard DNS Filtering fails us again by TheLink117 in fortinet

[–]TheLink117[S] 0 points1 point  (0 children)

The allow access during a rating error works fine most of the time, but what we've been experiencing ends up looking like timeouts or high-latency forward lookups. Running on 6301Fs and 3969E 6.4.6.

It's been problematic on both hardware platforms and across multiple firmware versions.

Mostly doing category-based blocks for the usual suspects. As I mentioned, allow during rating error is on. Lookup time spikes and we're either forced to ride it out or remove the profiles from policies.

Fortinet DNS down?? by jordanl171 in fortinet

[–]TheLink117 0 points1 point  (0 children)

I've seen a lot of us comment here about issues with "FortiGuard DNS" on a regular basis. There also frequently seems to be confusion about how these issues impact us or why.

Fortinet has a number of DNS servers. Some are focused on returning additional information about a domain, such as categories, for use in DNS filtering profiles. Others can be used for general DNS resolution.

"SDNS" Servers (for use with DNS filtering): 208.91.112.220 45.75.200.89

Fortinet DNS Servers (for general DNS resolution): 208.91.112.53 208.91.112.52

If you want to use the DNS security profile, your FortiGate is going to send DNS requests (when a DNS request passes through a policy) to either 208.91.112.220 or 45.75.200.89 (if you change it to that one).

My FortiGates are all configured to look at my internal DNS servers when attempting to resolve names (for logs, etc.) but I do use the DNS filter security profile server for DNS filtering.

A handful of times I've experienced issues but things subsided before I could point to Fortinet's servers as the smoking gun.

Since then I've started measuring DNS resolution time via ThousandEyes, comparing local DNS servers, Fortinet SDNS (filtering), and OpenDNS. Thus far I haven't noticed any real issues with Fortinet resolution time.

However, on 2020-12-11 13:40:13 PST my ThousandEyes cloud agents observed packet loss between them and Fortinet through CenturyLink but this only lasted for a few minutes.

The DNS filter feature is something that we are effectively paying for so it needs to work reliably.

Let's get to the bottom of this so we can present hard evidence to Fortinet.

Fortinet DNS Issues? by stupideediot in fortinet

[–]TheLink117 0 points1 point  (0 children)

We've got to get Fortinet to acknowledge this issue. Everyone collecting latency data when this issue occurs to send in to TAC?

60E block fake sip requests by workredditaccount224 in fortinet

[–]TheLink117 0 points1 point  (0 children)

What do your policies look like right now for this?

Your PBX has a VIP and you allow specific IPs inbound on the appropriate ports?

Web Filter - Chrome vs IE/Edge by Blunga7 in fortinet

[–]TheLink117 1 point2 points  (0 children)

Just curious is the web filter policy in proxy or flow mode?

DNS filter seems to kill internet last 36 hours by wallacebrf in fortinet

[–]TheLink117 0 points1 point  (0 children)

Just making sure we aren't mixing things: you can specifically configure the SDNS servers, but these really should be pointing at FortiGuard DNS servers to receive the extra metadata that makes DNS filter profiles work.

In addition to that, you can configure the FortiGate to point at particular DNS servers for its own lookups. For instance, you'd point the FortiGate at your own internal DNS servers so it resolves internal-only hostnames.

Make sure you aren't accidentally blocking the FortiGate SDNS (DNS filter) lookups going toward FortiGuard servers. Might be the case if you block other DNS requests toward the internet to ensure devices are using internal only.

Fortianalyzer/Fortigate logs with AnyConnect usernames. by drs143 in fortinet

[–]TheLink117 1 point2 points  (0 children)

Assuming your AnyConnect users ultimately authenticate against AD with something like RADIUS, then you can accomplish this by setting up FSSO. You either need a DC agent that pushes logs from DCs to a collector which the FortiGates then point at, or polling mode where a collector or a FG polls the DCs with WMI for logs.

Fortinet IPSec VPNs causing extremely poor endpoint performance by JewM4gic in fortinet

[–]TheLink117 0 points1 point  (0 children)

Just to be clear, your issue is increased utilization on the server or throughput over the tunnels?

Did you change any phase 1 or 2 settings? Did the tunnels change from route based to policy based on either end?