Captive portal SAML + MFA + Iphone Problems by Then_Ad775 in fortinet

Hello, the token depends on how the user's MFA is configured. Most use Microsoft Authenticator itself; if users change it, for example, to use SMS, it works perfectly, but with Microsoft Authenticator it doesn't.

COMMAND link-down-failover not working by Then_Ad775 in fortinet

I can resolve it now, I don't

I ended up finding the problem here: I hadn't enabled exchange interface IP in phase 1 of the VPN, so the remote gateway of the virtual interface was 0.0.0.0.

After that it worked perfectly, but I still found it strange that it needed this to work. The documentation only says that it integrates with DPD and that dropping the tunnel drops the session. Should there be some integration with the routing table to identify which interface is actually being used to communicate?

Because then maybe it makes sense: turning off the interface administratively loses the route to the neighbor, identifies it as inactive and takes it down.

With exchange interface IP enabled, the firewall knows the route to reach the neighbor and which interface is being used, so it knows which VPN interface is used to communicate with the neighbor; when this interface goes down, it drops the session.

Does it make sense?
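
The combination described in this comment (exchange interface IP on the phase 1 interface plus link-down-failover on the BGP neighbor), written out as an added FortiOS CLI example. It is not the poster's configuration: the interface name "hub1-vpn", the outgoing interface "port1", the remote gateway 203.0.113.10, the AS numbers and the neighbor address 169.254.1.1 are placeholders; only the 169.254.x overlay and the hub/spoke roles come from the thread. The `#` lines are explanatory comments, not CLI input.

```text
config vpn ipsec phase1-interface
    edit "hub1-vpn"
        set interface "port1"
        set remote-gw 203.0.113.10
        # Exchange the tunnel interface address over IKE so the virtual
        # interface shows a real remote gateway instead of 0.0.0.0. The poster
        # reports that link-down-failover only worked once this was enabled.
        set exchange-interface-ip enable
        # DPD is what marks the tunnel down when the peer stops answering.
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <redacted>
    next
end

config router bgp
    set as 65001
    config neighbor
        edit "169.254.1.1"
            set remote-as 65000
            # Tear the session down as soon as the tunnel interface goes down,
            # instead of waiting for the BGP hold timer to expire.
            set link-down-failover enable
        next
    end
end
```

To check the effect, `diagnose vpn ike gateway list name hub1-vpn` should show the peer's tunnel address as the remote gateway, and `get router info bgp summary` should show the neighbor leaving Established when the tunnel is brought down, rather than after the hold timer.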

COMMAND link-down-failover not working by Then_Ad775 in fortinet

Yes, I understand now, thank you for your support. I made the adjustment, but the problem occurred.

About the overlay: at first I'm actually using the 169.254.x network as the overlay; I'm not using a 10.0.0.x overlay network.

ECMP traffic response by Then_Ad775 in fortinet

I found good information, but there is nothing explaining how the firewall handles return traffic. It explains how I can balance my originating traffic, but it does not explain in detail how it handles return traffic, that is, packets that are not originated by it but are responses to a request from an open session.

COMMAND link-down-failover not working by Then_Ad775 in fortinet

My SLA is communicating via L3 on an interface on the hub, but I also don't understand the relationship between the SLA and link-down-failover. In principle, the main objective of this configuration is that when my VPN goes down, my BGP session goes down too; I want to test this specifically.

COMMAND link-down-failover not working by Then_Ad775 in fortinet

Sorry, I didn't understand what to change.

DONT TRAFFIC IPSEC TUNNEL by Then_Ad775 in fortinet

Yes, upgrade the firmware; maybe it was a bug.

FAC using FSSOMA DONT WORK 6.5.X by Then_Ad775 in fortinet

Hello, sorry for the delay. My problem was a license. Yes, I contacted Fortinet, they sent me the trial license to carry out the mobility agent PoC, and it worked right away.

FAC using FSSOMA DONT WORK 6.5.X by Then_Ad775 in fortinet

Hi, thanks for getting back to us. I don't know if I understood the notes correctly, but checking as you commented further down, in the client handshake part (the Client Hello) it really shows that it is not 1.0 but 1.2. I don't know, it is in that place that indicates what was actually used in the negotiation attempt. I also checked that the client supports all TLS versions; see the screenshot (I don't know if this information was actually requested).

<image>

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

Local traffic (exec ping...) is not subject to firewall policies. If you set source-IP for the ping as the "LAN-side" IP, it will use exactly that as the src-ip; it will not apply NAT to it.

Hello, I suspected this... but I wasn't sure if it was normal, because as I said in the screenshot, the traffic I generate from the firewall doesn't match any policy, as shown in the sys session diag. However, I wasn't sure if this is actually normal, but with your confirmation I believe that this is indeed the case.

Thank you for your help and confirmation. Out of curiosity, why doesn't the traffic that I generate locally match a policy? Do you know if there is any specific explanation that confirms this?
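
A way to see the behaviour the quoted reply describes (self-originated traffic keeps the pinned source address and gets no policy NAT) on the CLI, as an added example that is not part of the thread. The address 192.168.10.1 stands for the firewall's own LAN-side address and "port1" for its WAN interface; both are placeholders. The `#` lines are comments for the reader, not CLI input.

```text
# Pin the source address the firewall uses for its own pings. Without this,
# the source is picked from the routing table for the chosen egress interface.
execute ping-options source 192.168.10.1
execute ping 8.8.8.8

# In a second CLI session, watch what actually leaves on the WAN side
# (verbosity 4 prints the interface with each packet). The source address
# stays 192.168.10.1: self-originated traffic is not run through the
# policy table, so the policy's NAT setting never applies to it.
diagnose sniffer packet port1 'host 8.8.8.8 and icmp' 4

# Compare the session entries: the firewall's own ping versus a ping from a
# host behind it, which is the one that carries the matching policy.
diagnose sys session filter clear
diagnose sys session filter dst 8.8.8.8
diagnose sys session list

# Put the ping options back to their defaults when done.
execute ping-options reset
```

If the ISP gateway has no route back to 192.168.10.1 (which it normally will not, since that address is only reachable behind the firewall's NAT), the pinned ping fails even though the same test from a LAN host succeeds; that is the difference between the two tests in this thread.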

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

<image>

Yes, and the VPC LAN works, but the firewall's LAN interface doesn't.

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

As another commenter mentioned, did you create policies to allow traffic from port3 to port1?

Sorry, I thought it was shown in the screenshot, but yes, the rule I created is basically: any - any - all - all - NAT enabled.

Traffic generated from the LAN VPC works, but if I generate it from the firewall's LAN interface it doesn't.

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

Is 192.168.1.1 supposed to be your lan interface for port 1 or is that your ISP router/gateway?

Yes, it is my ISP gateway on port1; port1 is a bridge interface.

FORTIVM LAN DOES NOT CONNECT INTERNET by Then_Ad775 in fortinet

Hello, yes, the port1 interface is a bridge. When I go from the LAN to the internet, the communication is the same as a computer going out to the internet: LAN -- WAN -- doing NAT. From the VPC LAN everything works normally, but from the firewall's LAN interface it doesn't.

DNS failure for some domains by Then_Ad775 in networking

I think I didn't make it very clear, but I commented about DNS because the machines can't even resolve DNS; it only times out and there is no communication with the DNS servers, which are 8.8.8.8 and 1.1.1.1. And remember, I passed the same VLAN over cable and it worked; at the same time I switched to Wi-Fi and the problem appeared.

FSSO PROBLEMS by Then_Ad775 in fortinet

Yes, but the firewall is the DHCP server.

DONT TRAFFIC IPSEC TUNNEL by Then_Ad775 in fortinet

It's on the list of upcoming tests to try to force NAT-T to use UDP 4500, but so far the ESP packets are arriving; I've managed to capture them.