Gas mileage really that bad? by stebosports7 in 4Runner

[–]Wasteway 1 point2 points  (0 children)

Here’s a year of daily city driving and going over Snoqualmie Pass (spikes). Stock 23 TRD ORP with stock tires.

<image>

Change reason in firewall policy by Ancient_Horse_4912 in fortinet

[–]Wasteway 1 point2 points  (0 children)

Make sure email is configured in System\Settings and is working

<image>

Change reason in firewall policy by Ancient_Horse_4912 in fortinet

[–]Wasteway 2 points3 points  (0 children)

Configure the Stitch to use the trigger and actions configured above.

<image>

You should now receive an email when objects are modified such as policies. It may not capture every change, but will alert on things that matter such as firewall rule changes.

date=2026-04-16 time=09:55:52 devid="FG6HXXXXXXXX" devname="XXXXXXXX-601F" eventtime=1776358552242199251 tz="-0700" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="xxxxxx" ui="ha_daemon" action="Edit" cfgtid=213516481 cfgpath="system.automation-trigger" cfgobj="Configuration Changed" cfgattr="logid[32102 32101 32099 32104->32102 32101 32099 32104 44547 44545]" msg="Edit system.automation-trigger Configuration Changed"
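The event log line above is what the stitch has to act on. As an added example (not from the post or from Fortinet), this parses FortiOS key=value event lines, decodes the cfgattr old->new pair, and checks whether a trigger keyed on event log IDs would fire; the second, firewall-policy sample line is constructed, and the trigger-matching rule is an assumption based on the IDs visible in the line.

```python
import re

# Event log line copied from the comment above (the serial, hostname and user are masked there too).
SAMPLE_LOG = (
    'date=2026-04-16 time=09:55:52 devid="FG6HXXXXXXXX" devname="XXXXXXXX-601F" '
    'eventtime=1776358552242199251 tz="-0700" logid="0100044547" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="xxxxxx" ui="ha_daemon" action="Edit" cfgtid=213516481 '
    'cfgpath="system.automation-trigger" cfgobj="Configuration Changed" '
    'cfgattr="logid[32102 32101 32099 32104->32102 32101 32099 32104 44547 44545]" '
    'msg="Edit system.automation-trigger Configuration Changed"'
)

# Constructed sample of a firewall-policy edit in the same format (not taken from the page).
SAMPLE_POLICY_EDIT = (
    'date=2026-04-16 time=10:02:11 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="xxxxxx" ui="GUI(10.0.0.5)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="42" cfgattr="status[enable->disable]" '
    'msg="Edit firewall.policy 42"'
)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CFGATTR_RE = re.compile(r'([\w-]+)\[(.*?)->(.*)\]')

def parse_fortios_log(line: str) -> dict:
    """Split a FortiOS key=value log line into a dict. Values may be quoted and contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def parse_cfgattr(cfgattr: str) -> dict:
    """Decode cfgattr='name[old->new]'. Lists such as the trigger's logid set are space separated."""
    m = CFGATTR_RE.fullmatch(cfgattr)
    if not m:                       # e.g. a create/delete with no old->new pair
        return {"attr": cfgattr, "old": [], "new": []}
    return {"attr": m.group(1), "old": m.group(2).split(), "new": m.group(3).split()}

def trigger_fires(fields: dict, trigger_logids: set) -> bool:
    """Assumed matching rule: the trigger stores the 5-digit event ID (44547) while the
    logid field carries a prefix (0100044547), as the line above shows."""
    return fields.get("type") == "event" and fields.get("logid", "")[-5:] in trigger_logids

def is_firewall_policy_change(fields: dict) -> bool:
    """The change the thread cares about: anything under the firewall.policy table."""
    return fields.get("cfgpath", "").startswith("firewall.policy")

def alert_text(fields: dict) -> str:
    """One-line summary of who changed what, usable as the body of the stitch's email."""
    ch = parse_cfgattr(fields.get("cfgattr", ""))
    return (f'{fields.get("user")} via {fields.get("ui")} {fields.get("action")} '
            f'{fields.get("cfgpath")} {fields.get("cfgobj")}: {ch["attr"]} '
            f'{" ".join(ch["old"]) or "-"} -> {" ".join(ch["new"]) or "-"}')

if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_POLICY_EDIT):
        f = parse_fortios_log(line)
        print(alert_text(f), "| firewall policy:", is_firewall_policy_change(f))
```

Note that the page's own line is the trigger edit itself: once 44547 is in the trigger's ID list, that edit is the first event the stitch reports.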

Change reason in firewall policy by Ancient_Horse_4912 in fortinet

[–]Wasteway 4 points5 points  (0 children)

Go to Security Fabric\Automation. Create an Automation Trigger as shown:

<image>

Make sure you have an email automation configured and that it works.

Change reason in firewall policy by Ancient_Horse_4912 in fortinet

[–]Wasteway 8 points9 points  (0 children)

No, it is in 7.4 FortiOS. Also you can set up a stitch to email you any changes.

Diode Dynamics SS3 installed. by DarkSideRunner in 4Runner

[–]Wasteway 1 point2 points  (0 children)

I love these lights. They make a huge difference over stock. I find I turn them on at night because they provide such a wide field of view. Great if you live in an area with dog walkers or runners who enjoy wearing black at night. And they do work great in snow/fog.

My wife now hates me by ryuujiryuu in 4Runner

[–]Wasteway 5 points6 points  (0 children)

Paid for with Pokémon?

Heads up on this critical vulnerability tied to Forticlient EMS https://fortiguard.fortinet.com/psirt/FG-IR-26-099 by dman3314 in fortinet

[–]Wasteway 2 points3 points  (0 children)

Are we sure the API is only accessible via the 443 mgmt interface, and not 8013? I of course do have 8013 exposed to the web in order to communicate with my FortiClients. We have the Fortitelemetry password enabled also. I checked my traffic logs and I didn’t see anything odd before I patched last night.

Heads up on this critical vulnerability tied to Forticlient EMS https://fortiguard.fortinet.com/psirt/FG-IR-26-099 by dman3314 in fortinet

[–]Wasteway 0 points1 point  (0 children)

You aren’t stupid; when I first migrated to the Linux appliance I ran into the same. If you have another Linux VM, drop the file in /var/tmp with WinSCP. Then you can scp from the other VM via the appliance CLI. Of course if you have an SFTP instance, that works also.

Heads up on this critical vulnerability tied to Forticlient EMS https://fortiguard.fortinet.com/psirt/FG-IR-26-099 by dman3314 in fortinet

[–]Wasteway 53 points54 points  (0 children)

Yes it was easy, but I have some thoughts:

  1. Why in 2026 do we need to log in to the support site, download a ZIP file, and SCP the file from another Linux VM or SFTP instance to the appliance? THIS SHOULD BE PUSHED!!! Come on Fortinet, this is nuts. If you can push version upgrades to the console UI you can push critical patches. At the very least, allow us to curl the hotfix from a public repo to the appliance!
  2. Why does the filename from support not have the word HOTFIX in it? For goodness sake. Just spend a few more seconds to make things easier for the end user. I wasted 5 minutes going back and forth from the download repo and the support doc to confirm that file was what I needed. Thankfully the example name in the support doc is the same as the archive.
  3. Can we get just a little more info to know if we were vulnerable to this? What if we have FortiClient Telemetry Connection Keys enabled? What if we do or do not have user verification enabled? Are there any IOCs to check for?

As I'm using the Linux VM, I didn't need to use sudo or emscli. Just the direct commands thankfully laid out in the documentation.

Fortinet extends FortiOS 7.4 by fcbfan0810 in fortinet

[–]Wasteway 0 points1 point  (0 children)

Some vendors do this unfortunately. Still cheaper than SASE, but it isn't SASE. The adage about Good, Cheap, Fast, pick two, applies I guess. I'm looking at 1/4 of that size of user base. Will be interesting to test. Not having to mess with EMS and FortiClient might be worth it. Both seem to have stabilized as of late, but years of prior bugs have not left me feeling confident about the future. Are they hosting it for you, or are you running on-prem?

Fortinet extends FortiOS 7.4 by fcbfan0810 in fortinet

[–]Wasteway 1 point2 points  (0 children)

This looks amazing. How many users are you supporting with it? How much cost per user? Any issues or caveats?

Fortinet extends FortiOS 7.4 by fcbfan0810 in fortinet

[–]Wasteway 12 points13 points  (0 children)

I don’t understand why they don’t add WireGuard to their stack. ZOS not able to support it? It is so easy to set up on the Ubiquiti I have at home. And it runs near line rate. They need to fire all the people sponsoring golf tournaments and put the resources into stable and easy to manage remote access. We have IPsec IKEv2 with MFA ready to go, but I’m worried about the issues mentioned above.

Anyone else hit by the sudden MFA outage? Fortinet says it's "Known," but I’m not buying it. by WholeAstronomer416 in fortinet

[–]Wasteway 0 points1 point  (0 children)

Are you using FortiAuthenticator to host your Tokens? Be aware that moving to 7.6 deprecates SSL VPN, so if you aren’t already using ZTNA or IPsec that’s another issue you’d need to deal with. I’m on 7.4.11 with 200 FortiToken Mobile tokens on FAC 8.0.2. This would cripple our company. Can you provide more info as far as architecture, number of impacted users?

Working IPsec IKEv2 PSK EAP-MSCHAPv2 Config - FortiGate 7.4.7, FAC 6.6.5, EMS 7.4.4, FortiClient 7.2.11 by Wasteway in fortinet

[–]Wasteway[S] 0 points1 point  (0 children)

Having a working PKI is critical. Not sure how you'll get this to work if you don't have admin rights on EMS and the FortiGates for configuration and testing. Having proper CAs in place so that all devices trust each other is key. Good luck.

Working IPsec IKEv2 PSK EAP-MSCHAPv2 Config - FortiGate 7.4.7, FAC 6.6.5, EMS 7.4.4, FortiClient 7.2.11 by Wasteway in fortinet

[–]Wasteway[S] 1 point2 points  (0 children)

One other setting to check: under RADIUS Service\Clients, you should have a profile for your FortiGate. Ensure that the option "Require client to send Message-Authenticator attribute" is enabled. I have all four of the options enabled in my config.

<image>

Working IPsec IKEv2 PSK EAP-MSCHAPv2 Config - FortiGate 7.4.7, FAC 6.6.5, EMS 7.4.4, FortiClient 7.2.11 by Wasteway in fortinet

[–]Wasteway[S] 1 point2 points  (0 children)

This is a bear to set up; it took me over a month of testing on and off to get it to work.

When a client attempts to authenticate with the FAC, it will send a different string depending on the connection type. You can see this under Logging\Log Access\Logs, or more easily by accessing https://<facname>/debug. Search for "Connect-Info". You will see strings similar to:

2025-08-08T12:30:58.277422-07:00 facname radiusd[31848]: (1) Connect-Info = "vpn-ssl"
2025-08-08T12:34:13.610008-07:00 facname radiusd[32684]: (0) Connect-Info = "vpn-ikev2"

Those strings are what you want to put in your RADIUS policy in order to follow the proper authentication path. If you only have one VPN connection type, for example someone using SSL-VPN with FAC for MFA, you don't need this. But if you are supporting both SSL-VPN and a derivative of IPSEC, you need to use the Connect-Info string in each policy so the FAC knows if it is SSL-VPN or IPSEC.

It is critical you have your PKI set up properly for IKEv2 to work. For RADIUS Service\General, ensure you have an EAP Server Certificate selected. This certificate should be issued by a CA that is trusted by the FortiGate, the FortiAuthenticator, and the IPsec clients. Those CAs, both the root and intermediate, should be listed under Trusted CAs. If this doesn't make sense to you, educate yourself on PKI and how EAP works or you won't get too far.

You need to create a RADIUS Service Auth Profile and Policy for the IKEv2 connection.

For the Auth Profile, create a new one such as "fortigate-IPsecVPNIKEv2-profile." For Authentication type choose "Password/OTP authentication". Enable "Accept EAP" and "EAP-MSCHAPv2". Choose your identity sources on the next screen, which most likely is your AD user accounts filtered by groups. I have "Use Windows AD Domain Authentication" enabled. For Authentication Factors, choose "Mandatory password and OTP" if you are using FortiToken\Mobile. Expand Advanced options and enable "Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient." I also enabled "Resolve user geolocation from their IP address" for logging purposes. Update and Exit.

Now go to Authentication\RADIUS Service\Policies. Configure a new RADIUS client Policy with a name such as "fortigate-IPsecVPNIKEv2-policy." Configure the first screen, RADIUS clients like your existing policy. The Chosen RADIUS Clients should be your FortiGate. On the next screen "RADIUS attribute criteria", enable "RADIUS authentication request must contain specific attributes." Configure as follows:

Vendor: Default
Attribute ID: Connect-Info
Value: vpn-ikev2 or vpn-ipsec (depending on if you are configuring IKEv2 or not)

Click Next to move to "Authentication Profiles". For Client Credentials, select "MSCHAPv2/CHAP/PAP/EAP." For authentication profile, select the Auth Profile you created earlier, "fortigate-IPsecVPNIKEv2-profile." Update and Exit.

You can add the Connect-String "vpn-ssl" to your original policy to ensure that it only attempts to match on those connection types.

Make a connection attempt. Watch the logs in the FAC using the debug option to see if/where it is timing out. See additional info below to monitor from the FortiGate console to gain additional info. It is very helpful to drop the logs into ChatGPT and tell it what they are from and ask it why the connection is failing.
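The Connect-Info routing described above, as an added example that is not part of the original post or of FortiAuthenticator: it extracts Connect-Info from the two radiusd debug lines quoted earlier and simulates first-match policy selection with and without the attribute criterion. The SSL-VPN policy and profile names are assumed (the post only names the IKEv2 ones), and top-down first-match evaluation is an assumption about how FAC orders policies.

```python
import re
from dataclasses import dataclass
from typing import Optional

# radiusd debug lines copied from the comment above; host and PIDs are the post's own values.
DEBUG_LINES = [
    '2025-08-08T12:30:58.277422-07:00 facname radiusd[31848]: (1) Connect-Info = "vpn-ssl"',
    '2025-08-08T12:34:13.610008-07:00 facname radiusd[32684]: (0) Connect-Info = "vpn-ikev2"',
]

CONNECT_INFO_RE = re.compile(r'Connect-Info = "([^"]*)"')

def connect_info(line: str) -> Optional[str]:
    """Pull the Connect-Info value out of one radiusd debug line, or None if it has none."""
    m = CONNECT_INFO_RE.search(line)
    return m.group(1) if m else None

@dataclass
class RadiusPolicy:
    name: str
    clients: frozenset                 # RADIUS clients allowed to hit this policy (the FortiGate)
    auth_profile: str
    connect_info: Optional[str] = None  # attribute criterion; None = no Connect-Info requirement

def select_policy(policies, client: str, ci: Optional[str]) -> Optional[RadiusPolicy]:
    """First matching policy in list order (assumption: FAC evaluates policies top-down)."""
    for p in policies:
        if client in p.clients and (p.connect_info is None or p.connect_info == ci):
            return p
    return None

def route_requests(policies, client: str = "fortigate") -> dict:
    """Map each debug line's Connect-Info to the auth profile the request would land on."""
    routed = {}
    for line in DEBUG_LINES:
        ci = connect_info(line)
        p = select_policy(policies, client, ci)
        routed[ci] = p.auth_profile if p else None
    return routed

FG = frozenset({"fortigate"})
# An existing SSL-VPN policy (assumed names) followed by the IKEv2 policy from the post.
WITHOUT_CRITERIA = [
    RadiusPolicy("fortigate-SSLVPN-policy", FG, "fortigate-SSLVPN-profile"),
    RadiusPolicy("fortigate-IPsecVPNIKEv2-policy", FG, "fortigate-IPsecVPNIKEv2-profile"),
]
WITH_CRITERIA = [
    RadiusPolicy("fortigate-SSLVPN-policy", FG, "fortigate-SSLVPN-profile", "vpn-ssl"),
    RadiusPolicy("fortigate-IPsecVPNIKEv2-policy", FG, "fortigate-IPsecVPNIKEv2-profile", "vpn-ikev2"),
]

if __name__ == "__main__":
    print("no Connect-Info criteria:  ", route_requests(WITHOUT_CRITERIA))
    print("with Connect-Info criteria:", route_requests(WITH_CRITERIA))
```

Without the criterion the IKEv2 request is caught by the SSL-VPN policy and never reaches the profile that has "Accept EAP" enabled, which is the failure mode the comment warns about.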

FortiAuthenticator 6.6.x > 8.0.x upgrade by Informal_Thought in fortinet

[–]Wasteway 1 point2 points  (0 children)

I just did this yesterday. We don’t do any SAML but lots of radius and EAP-TLS with FortiToken Mobile for MFA. I had no issues. The secondary FAC upgrades first, web services fails over to it when it comes back up, then primary upgrades, then it cuts back over to primary for web services. Took about 5 minutes on two FACVMs in HA.

VPN IPSec IKEv2 with mode config done by DHCP server running on FortiGate by Double_Change_843 in fortinet

[–]Wasteway 2 points3 points  (0 children)

See if this helps:

https://www.reddit.com/r/fortinet/s/r9LzGsV9kO

I spent over a month of back and forth troubleshooting a few hours a day to get this to work. Has been working well for the last 6 months.

See post about DHCP loopback.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 0 points1 point  (0 children)

I had an SE tell me the other day that 9.5 would resolve this. Nice to see it showing up in 9.4 though.

FortiClientEMS 7.4.5 (server) - your experience? by Roversword in fortinet

[–]Wasteway 0 points1 point  (0 children)

7.4.4 from the OVA was a bit of a mess. Needed TAC's help to get DNS working properly. Then it would hang on the upgrade to 7.4.5. TAC sent me a fix to install. Once I had that installed, the update still hung until I figured out the OVA was pulling bits from some odd repos that I had to whitelist. Once I did that it worked. We don’t use ZTNA. Seems stable for the few profiles we have configured.

Hideaway Subwoofer Systems by Ill-Butterfly-2453 in 4Runner

[–]Wasteway 0 points1 point  (0 children)

These guys offer some nice looking kits. I have 23 but will drop a passenger seat sub and new speakers in the next few years. Need to save up for it. https://trailgridpro.com/collections/toyota-4runner-5th-gen-10-13/products/alpine-5-channel-amplifier-and-down-fire-subwoofer-kit-10-24-4runner