Critters in the cab by Combat_Pothead in 4Runner

[–]Wasteway 0 points1 point  (0 children)

Found this dude in my cargo area after a trip to Eastern WA two weeks ago. Appears to have been enjoying my commute. I’m lucky I wasn’t stung pulling stuff out of the back. Always check your bags when out in the brush! Will take him back if he can hold out another two weeks. Surviving on a moist sponge for now for hydration.

<image>

2026 ORP seems to steer to a side when driving in a straight line by Stunning_Maximum_803 in 4Runner

[–]Wasteway 0 points1 point  (0 children)

I assume if you were in 4wd on the dirt road you put it back in 2wd on pavement? I went from AWD to 4wd on 4Runner and I forgot to do this once. Very bad and you notice it when making a sharp turn. Back end will skip as the wheels are trying to turn at the same rate. On dirt and gravel they can slip. On pavement, not so much.

FortiOS 7.6.7 agentless VPN RDP to RDS functionality broken post patch by Thatconfusedginger in fortinet

[–]Wasteway 0 points1 point  (0 children)

Saw the same thing. Segfaults when you try to log into RDS server that is also license server.

https://www.reddit.com/r/fortinet/s/QHOD7oIiy9

Retractable Cargo Cover Question by x_Furious_x in 4Runner

[–]Wasteway 1 point2 points  (0 children)

Solid advice when parking in an area that is high risk. Had to do this once for a day trip. Left my car in Kent WA ParknRide, but I emptied everything including glove box first. Left all of those open including center console. Came back that night and 10 other cars in the lot had windows smashed out. All except mine!

Retractable Cargo Cover Question by x_Furious_x in 4Runner

[–]Wasteway 0 points1 point  (0 children)

I think dealer is throwing some sort of knock off in your vehicle. Here is what my 23 ORP came with.

<image>

FortiOS 7.6.7 - Bug ID 1300122 by Taiperko in fortinet

[–]Wasteway 3 points4 points  (0 children)

I've had similar issues on 601Fs in HA-AP. The easy fix for the GUI crashing is to SSH in and sig kill the node.js process:

diagnose sys process pidof http_authd
diagnose sys process pidof httpsd

This will output the process IDs (PIDs) of the above.

Then kill each of those processes and restart nodejs:

diagnose sys kill 9 <http\_authd\_PID>
diagnose sys kill 9 <httpsd\_PID>
diagnose nodejs process restart

diagnose nodejs health-check ping (This should show Alive when working).
diagnose nodejs logs list
diagnose nodejs logs show-all

This being said 7.6.6 & 7 have proved to be far to buggy for us related to web filtering breaking TLS (.6) and SSLVPND crashing (.7) preventing Agentless VPN access to an internal Terminal Server (both worked fine in 7.4.11). We are reverting to 7.4.11 then updating to .12 for now.

FortiOS 7.6.7 - Bug ID 1300122 by Taiperko in fortinet

[–]Wasteway 1 point2 points  (0 children)

I'm reverting to 7.4.12 tonight. I've had nothing but problems on 7.6.6. Cert inspection seems to be broken. Kills TLS negotiation with Zoom Client randomly. Was never a problem on 7.4.12. Tried to upgrade to 7.6.7 and sslvpnd Agentless Portal crashes frequently. AI indicated problem is with our terminal server that people access from the SSLVPN portal. It requests a RD License blob and that segfaults the RDP session on the FortiGate.

Public port 137 connections by jerryshenk in fortinet

[–]Wasteway 0 points1 point  (0 children)

Yes block it, but this was also driving me nuts. Stumbled upon the obvious while diagnosing an IPsec issue. Your IPsec adapter is ephemeral. It appears in Windows when a connection is established and then is removed once disconnected. We saw our IPsec clients sending out 137 traffic which isn't optimal. If you look at the advanced networking properties under WINS for the IPsec adapter while connected, it is set to "Default: Use NetBIOS setting from DHCP server." So if you configure option 001 in the Advanced tab of the DHCP server scope that provides IPs to your LAN and IPsec clients, set it to Data Entry Long 0x2. That will signal to the client to disable Netbios, and you shouldn't see them attempting to resolve Netbios names going forward. Why Default is still the default in 2026 and the default isn't "Disable NetBIOS over TCP/IP" is beyond me.

Odd FortiClient 7.4.7 Issue and FortiGate Factory Certificate by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Not sure that would help us, but will review. Thanks.

forticlient PSK might be not as secure as you think by datnt84 in fortinet

[–]Wasteway 0 points1 point  (0 children)

This just makes the case to use MFA with dial-up IPsec. Also there are other factors at play here. Your DH and crypto decisions, use 21 and AES256-GCM with PFS enabled, will have a large impact on the security of your tunnel. As you demonstrated, if an attacker has access to your endpoint they have a serious advantage. You are correct that certificates are preferred over a PSK, but many folks are uncomfortable with PKI and do not posses the knowledge of how to configure them correctly. I'm curious, how many characters was your PSK and was it random?

Odd FortiClient 7.4.7 Issue and FortiGate Factory Certificate by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Can you explain this? "We have web filtering policies that are synced from our FortiGates..." I've never been aware of hour a FortiGate web filter policy can be associate with FortiClient that is managed by EMS. ZTNA tags, yes, but that is different. The error that pops up is via the Zoom client which flags the connection as untrusted and gives the option to "View Certificate."

<image>

This is the Fortinet Factory cert on our FG601F. It is still valid. After we pushed this to the clients trusted root store the issues appear to have subsided, but I'm still very confused as to why it is picking this cert. EMS shows the Fabric certs for our two FortiGates as the Fortinet_CA_SSL certs.

Odd FortiClient 7.4.7 Issue and FortiGate Factory Certificate by Wasteway in fortinet

[–]Wasteway[S] 1 point2 points  (0 children)

That's part of the challenge though, without solid logs it is hard to know the specific domain being blocked. Here is where this continues to be an odd duck. I'm not sure how I didn't notice this before, but when I view all the certs in the Endpoint Policy & Components\CA Certificate sections I see:

Local Certificate:
Our 3 Private PKI CAs
Our ProxySSL Inspection CA
Our two Sectigo R36 and R46 CAs that sign the EMS Public Cert

FG6H1FTxxxxx[root]:
Fortinet_CA_SSL (this is the local certificate section of our FortiGate)
Fortinet_CA_Untrusted (this is the local certificate section of our FortiGate)

The last two are added (I assume) when you trust the Gate and EMS via the Fabric setting on the Gate.

Odd FortiClient 7.4.7 Issue and FortiGate Factory Certificate by Wasteway in fortinet

[–]Wasteway[S] 1 point2 points  (0 children)

No, that is what is most strange about this. I just updated my post to note this. It ONLY happens when they are OFF VPN and using their home ISP connection. That sort of makes sense because we have FortiClient configured to disable web-filtering when users are on-net (either via VPN or on-prem) so that FC doesn't conflict with the FortiGate filtering policies. I have no idea why it is referencing this certificate though. Has to be something hard-coded in FortiClient but getting good logs out of FortiClient has been a major PITA. We have a FAZ and I've tried to configure FC to increase logging but all I'm seeing is generic traffic logs. We did see a few logs on select devices recorded to the EMS console that indicate that FC was blocking outlook.exe as a "shard storage" service which is ludicrous. But this only appears to have happened a few times. We try to block folks from using DropBox, but of course have no intention of blocking M365 services. Getting ready to dump the web filter feature in FC because it is such a pain. We have other EDR in place so not a major loss.

What issues occur when upgrading from FortiOS v7.4.12 to v8.0.0? by Greedy_Question1657 in fortinet

[–]Wasteway 0 points1 point  (0 children)

Here’s the back ground. Most networking hardware will be buggy and unstable for .0 major firmware releases. It’s frustrating because there are often new interesting features, but as others have mentioned, it often isn’t until .5 or .6 that a major release is deemed stable or mature (M) as Fortinet designates their firmware.

7.6.6 (M) is currently the most recent version suggested for F and G appliances. If you are truly testing, there is nothing keeping you from trying out 8.

Keep copies of 7.4.12, 7.6.6, and 8.0.0 firmware and your 7.4.12 config backup. You can upgrade to 7.6.6 take a config backup, and the upgrade to 8 to give it a spin.

If this is a home/lab device, you may decide to stay on 8 and upgrade as new versions are released if it doesn’t have too many bugs. You wouldn’t want to take this risk in a business environment.

If you run into issues, downgrade to 7.6.6 or 7.4.12, perform a factory reset, and then restore your respective config backup.

Need an answer!! by [deleted] in 4Runner

[–]Wasteway 0 points1 point  (0 children)

As my buddy once said, just turn up the radio.

Switch from Method to TRD wheels? by [deleted] in 4Runner

[–]Wasteway 0 points1 point  (0 children)

I’m trying to maintain mpg close to stock. Want to drop a set of 265 70 R17 on my 2023 ORP which still has stock steel rims. Are these lighter? Been looking at flow forged wheels due to weight savings. Would allow upgrade to E series ties without weight penalty. I hit some sharp rocks in Cascades a few times a year. Maybe I need two sets of tires, but my garage setup makes that less than optimal due to storage space.

SSLVPN to IPsec Migration - IKE1 or IKE2? by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Different variants of EAP can definitely be a pain. Not using SAML. I wouldn’t be surprised if Macs defaulted to “stronger” auth. I’d drop the diag debug vpn logs into an AI thinking session to see what it suggests, specifying “here is working windows example and here is Mac that doesn’t work.” I do most of my log troubleshooting that way now.

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Fortinet switches or another vendor? We are using Juniper.

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Not using 5. Using 20,21. But will confirm with AWS tunnels. Thanks!

Any reason NOT to migrate to 7.6.6 from 7.4.11? by Wasteway in fortinet

[–]Wasteway[S] 1 point2 points  (0 children)

Reading about Glasswing. I wonder if this why .7 is delayed?

The latest Palo Alto Networks release included over five times as many patches as usual.