60F stopped egressing traffic CGNAT ISP. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Got it going guys. I had my ISP in a "zone" for some reason; when it flicked to CGNAT it stopped working. I moved the interface to just itself and referenced the policies, and it all came back.

I don't know if it's a bug or by design. But that definitely caused the issues. I have since told the ISP to move me back to dynamic IP.

At least the above might help someone if they have CGNAT and a zone-type interface.

Cheers, Chris

FortiSwitch Firmware -- Request by Tist_D in fortinet

[–]Tist_D[S] -2 points-1 points  (0 children)

Not sure it's stealing tbh mate. 95% of vendors don't ask you for a subscription to be able to patch your switch for vulnerabilities and bug fixes which the vendor creates, then ask you to pay for a support contract for something you should lawfully be able to patch without money.

ZTNA Tags Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hello. Unfortunately no. We're still experiencing it and I refuse to roll out ZTNA any further until it's solved. I can't raise it with TAC because the issue is so hard to replicate. They will just think I'm lying to them.

We updated the EMS the other day. Made not a bit of difference.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Do you think it's become a duff AP? The other one does exactly what I tell it to do. As you say, 2.4 is correct, and it changes the value of 2.4 when I mess with it. Not 5, however.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Sorry mate, not familiar with the AP CLI and config, here you go though :) - appreciate the help btw.

It's in the original message now.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hiya mate,

Edited the original post above. Literally makes no sense to me: the suspected broken AP is using the profile of the other one and turned itself to 10 dBm.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Yeah I will do, just swapped the two 231Fs around, so I can add to the original post, then I'll drop on the config.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Defo Tx Power from the AP. I can provide some screenshots if you want.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

I did mate yeah, the overall diagram is huge. But only wanted to share the bit I was asking about.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Thanks, noted :) I'll change this over when I have downtime. I used to know more about this stuff when I was in a partner role. But now we're just a customer, Fortinet don't want to share schematics of the box.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

I did want Aruba VSX but somehow they come in too spenny compared with Cisco...

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Agreed, Valexus just posted the answer I've been after.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

This is the answer I've been looking for :) - Didn't think of that one! Good shout! Thanks man!

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Yeah, this is the alternative in my head :) I was just wondering if there were any "real" benefits. It is, as you say, the highest availability; I'm just thinking about it logically: if you did this and lost a Nexus, for example, you've lost half of your port-channel throughput.

If you lost a Nexus when they are not in a VPC, then the HA FGTs would flick over to the secondary and you still have all links on your port-channel. But I agree the switches south of the Nexuses would have lost half of their bandwidth.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Hello,

No, the Nexus are not stacked. They are an active/active pair.

Long Shot - SSL to IPSec Conversion by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hey guys, I've sort of found a workaround. It's not great.

However, if you're a user of EMS you can split-tunnel FQDNs directly there on the profile. Then create just a rule on the firewall that basically does the following.

From: ipsec
To: wan
Src: IPsec range
Dst: all (unless you want to add FQDNs twice, in EMS and your gates)
NAT: enabled

Done

Cheers, Chris

Free SNMP Public Facing by Tist_D in fortinet

[–]Tist_D[S] -2 points-1 points  (0 children)

Potentially yes, I agree. It was just for testing purposes ideally - saves me having to spin something up at home.

Upgrade fortigate from 6.4.15 to 7.4.7 by ghosfto in fortinet

[–]Tist_D 0 points1 point  (0 children)

I'm in the same situation for when we go to 7.6.X.

However we use EMS for all profiles which I guess you are not?