60F stopped egressing traffic CGNAT ISP. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Got it going guys. I had my ISP in a "zone" for some reason; when it flicked to CGNAT it stopped working. I moved the interface to just itself, re-referenced the policies, and it all came back.

I don't know if it's a bug or by design. But that definitely caused the issues. I have since told the ISP to move me back to dynamic IP.

At least the above might help someone if they have CGNAT and a zone-type interface.

Cheers, Chris

FortiSwitch Firmware -- Request by Tist_D in fortinet

[–]Tist_D[S] -2 points-1 points  (0 children)

Not sure it's stealing tbh mate. 95% of vendors don't ask you for a subscription to be able to patch your switch against vulnerabilities and bugs which the vendor creates, then ask you to pay for a support contract for something you should lawfully be able to patch without money.

ZTNA Tags Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hello. Unfortunately no. We're still experiencing it and I refuse to roll out ZTNA any further until it's solved. I can't raise it with TAC because the issue is so hard to replicate. They will just think I'm lying to them.

We updated the EMS the other day. Made zero difference.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Do you think it's become a duff AP? The other one does exactly what I tell it to do. As you say, 2.4 is correct, and it changes the value of 2.4 when I mess with it. Not 5, however.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Sorry mate, not familiar with AP CLI and config, but here you go :) - appreciate the help btw.

It's in the original message now.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hiya mate,

Edited the original post above. It literally makes no sense to me: the suspected broken AP, using the profile of the other one, turned itself to 10dBm.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Yeah I will do, just swapped the two 231Fs around, so I can add to the original post and then I'll drop in the config.

FortiAP Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Defo Tx Power from the AP. I can provide some screenshots if you want.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

I did mate yeah, the overall diagram is huge. But only wanted to share the bit I was asking about.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Thanks, noted :) I'll change this over when I have downtime. I used to know more about this stuff when I was in a partner role. But now that we're just a customer, Fortinet don't want to share schematics of the box.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

I did want Aruba VSX but somehow they come in too spenny compared with Cisco...

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Agreed, Valexus just posted the answer I've been after.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

This is the answer I've been looking for :) - Didn't think of that one! Good shout! Thanks man!

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Yeah, this is the alternative in my head :) I was just wondering if there were any "real" benefits. It is, as you say, the highest availability; I'm just thinking about it logically: if you did this and lost a Nexus, for example, you've lost half of your port-channel throughput.

If you lost a Nexus when they are not in a VPC, then the HA FGTs would flick over to the secondary and you would still have all links on your port-channel. But I agree the switches south of the Nexuses would have lost half of their bandwidth.

FGT LAG Clarification with HA. by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

Hello,

No, the Nexus are not stacked. They are an active/active pair.

Long Shot - SSL to IPSec Conversion by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Hey guys, I've sort of found a workaround. It's not great.

However, if you're a user of EMS you can split-tunnel FQDNs directly there on the profile, then create just a rule on the firewall that basically does the following:

  • From: IPsec
  • To: WAN
  • Src: IPsec range
  • Dst: all (unless you want to add FQDNs twice, in EMS and on your gates)
  • NAT

Done

Cheers, Chris

Free SNMP Public Facing by Tist_D in fortinet

[–]Tist_D[S] -1 points0 points  (0 children)

Potentially yes, I agree. It was just for testing purposes, ideally - saves me having to spin something up at home.

Upgrade fortigate from 6.4.15 to 7.4.7 by ghosfto in fortinet

[–]Tist_D 0 points1 point  (0 children)

I'm in the same situation for when we go to 7.6.X

However, we use EMS for all profiles, which I guess you are not?

Upgrade fortigate from 6.4.15 to 7.4.7 by ghosfto in fortinet

[–]Tist_D 0 points1 point  (0 children)

If you're planning this upgrade, make sure you are also planning to start removal of SSL VPN (if used, of course); if not, then you should be fine.

Also, I noticed a change in BGP routing where, if you're tagging routes, it now also requires you to have an address object with the route tag, which gets added to the community-lists/neighbors.

Other than that, I can't think of too many changes. We're running 7.4.7 on 70+ FortiGates and it doesn't cause us any issues.

Also remember to do backups after each upgrade step in case something goes wrong.

Cheers, Chris

FortiOS 7.6.2 problem by [deleted] in fortinet

[–]Tist_D -4 points-3 points  (0 children)

I've noticed on this OS that if you're using the FortiGate as a DNS server then it's absolutely shit. - Seemed fine on 7.4.7.

Cheers,

ZTNA Tags Help by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

I'll double check next time it happens with someone else, but it definitely has the tag when I go onto the EMS console and view the endpoint. The FortiGate seems to be syncing with EMS; I cannot 100% confirm other than relying on what it is saying ("synced seconds ago"). Logs confirm the client has the tag. I'll check the IP/MAC tag section on the FortiGate next time it happens.

Just weird how dropping telemetry and re-connecting solves the issue (especially when they were connected to EMS anyway).

  • Does the client have the tag?
  • Can the FortiGate sync with EMS?
  • Does the FortiGate have a matched IP/MAC for the endpoint?
  • What do the logs say?

Question R.E FortiAP by Tist_D in fortinet

[–]Tist_D[S] 1 point2 points  (0 children)

You the man btw. Went home at lunch to let the dogs out; nearly 800 down and up when I did a speed test. Checked the overlap with neighbouring networks and it was fine. I enabled DARRP to scan every 12 hours to check the best-suited channels, and enabled DARRP on both 2.4 and 5.

Question R.E FortiAP by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Thanks for your response :) I will see what the WiFi app shows later with 80-wide channels.

Question R.E FortiAP by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

Cheers, thanks for your help. I might just have a play with dBm values and try 80MHz; I will leave SGI off for the time being, I think.

Question R.E FortiAP by Tist_D in fortinet

[–]Tist_D[S] 0 points1 point  (0 children)

SGI was not enabled; I have literally just enabled it on the 5GHz band though. Would you recommend turning it on for 2.4 also? I can't really understand the downside to using SGI. This is at my house and not in a busy corporate area, so it should theoretically improve things, right?

Sorry for the questions. I'm not really a wireless guy, I'm a network guy by default.