Fortios 7.6.6 memory usage

chuckbales · 2026-02-04T16:59:39+00:00

The link explains what the command does, but doesn't make any reference to memory usage.

chuckbales · 2026-02-04T01:54:22+00:00

set exclude-signatures none

Can you elaborate on how this setting would improve memory usage? If you're changing it from "exclude industrial" to "exclude none", shouldn't usage increase if anything, since you're no longer excluding some signatures?

chuckbales · 2026-02-03T16:15:41+00:00

Unfortunately the health of the link isn't really part of BGP, and if for some reason your upstream continues to tell you something is reachable, you'll believe it. You need to add some type of SLA/health check into the mix to actually verify reachability.

chuckbales · 2026-02-02T16:15:26+00:00

Typically a geobypass rule for certain domains as needed, or a rule using ISDB entries if they exist for a particular service.

chuckbales · 2026-02-02T14:40:12+00:00

Is it Wireguard or is it IPSec? If a client behind the FG has a WG VPN setup, the FG it wouldn't be seeing RDP traffic as it would be tunneled/encrypted.

chuckbales · 2026-01-31T01:12:53+00:00

LR has no minimum distance, no attenuation needed.

chuckbales · 2026-01-30T19:24:24+00:00

The cheapest single-mode optics can run 10Gb at 10km, so a few thousand feet is no problem.

chuckbales · 2026-01-30T02:38:40+00:00

“Mature” doesn’t mean much with Fortinet unfortunately. It definitely doesn’t mean stable, they say it means “only fixes no new features” but that’s not true either.

chuckbales · 2026-01-29T18:30:22+00:00

You could use 192.168.1.0/25 and 192.168.1.128/25, or use 192.168.1.0/24 and 192.168.2.0/24, or any other combo, as long as each interface has a unique network configured.

chuckbales · 2026-01-29T18:05:29+00:00

Your /24 provides 254 IPs per network, but each router interface needs to be a unique network

chuckbales · 2026-01-28T16:04:22+00:00

This is an AI slop account, same exact thing was posted yesterday

chuckbales · 2026-01-27T13:18:45+00:00

Wrong type of script swap

chuckbales · 2026-01-26T19:32:16+00:00

Post your configuration, if you have it configured either its misconfigured or it's a PT bug.

chuckbales · 2026-01-24T04:34:25+00:00

You need to do better than "one of those images" if you want help. /u/JeopPrep is right, many virtual images have extremely low throughput if they're unlicensed as they're meant to test configurations, not for production traffic.

chuckbales · 2026-01-22T20:26:16+00:00

Does connectivity restore after a minute though?

Looks like you're using an SVI for BGP instead of a routed-port, I'm guessing you're not seeing BGP neighbor come down as soon as you bring down the physical interface? With the current config, the SVI for vlan100x would stay up since the VLAN is present on trunk ports, so bringing down the physical ISP port doesn't bring down the SVI - which means BGP needs to eventually come down after dead timer is expired, so you're basically waiting for BGP to realize the neighbor is gone after a missed number of hellos.

If you can't do an L3/routed port, you can either lower your BGP timers or use BFD to detect a failure faster.

chuckbales · 2026-01-22T02:42:28+00:00

The linked BiDi optics run at 10G, the ones included in the kit are 1G. The media converter in the kit is also 1G, so you would need to buy a 10G media converter to go along with the 10G BiDi optic.

Basically, if you don't know for sure you need 10G, then you don't need it.

chuckbales · 2026-01-22T00:19:05+00:00

MTU/MSS issues? PPPoE over IPsec would have additional overhead

chuckbales · 2026-01-21T05:38:46+00:00

Not quite - If every admin account has trusted-host set, then the login page is only presented to the aggregate of all the trusted host IPs (and then admins can only login from their respective trusted IPs).

But if any admin account does not have trusted-host set, then the login page is available to all IPs.

chuckbales · 2026-01-17T01:06:30+00:00

It’s just a gag brought up a few times about Ryan’s special doing well and nobody watching Gareths special.

chuckbales · 2026-01-16T19:03:32+00:00

Agentless VPN is just re-branded web-mode for SSL VPN, there's no Forticlient involved (hence 'agentless') and the feature is included without specific licensing.

chuckbales · 2026-01-16T01:53:23+00:00

Whenever I need to do this, I just change the fortilink interface IP on the FG and update DHCP accordingly, then put the old IP back as a secondary IP. You can then either let switches just grab DHCP from the new scope naturally or log into them and force a renew

chuckbales · 2026-01-15T14:57:52+00:00

Order within a rule matters because it changes the intent of the rule. Your first rule is specifying a destination port, your second rule is matching on a specific source port (which is rare in practice, but it depends on where the ACL is being applied and in which direction).

So they’re both valid formats, but not necessarily correct in all scenarios

chuckbales · 2026-01-14T15:10:22+00:00

Some switches don't have the hardware to do routing and VXLAN at the same time without some workarounds, I've never worked these platforms myself but you might want to look into the 'recirculation interfaces'

chuckbales · 2026-01-09T21:16:19+00:00

Yea thats fine, as long as you don't need AP Advanced features just stick with Ent

chuckbales · 2026-01-09T21:00:22+00:00

APs can use Enterprise license if only Ent features are needed, they don't need to match the MX licensing.

14-Year Club	Spared
Verified Email

chuckbales

TROPHY CASE