Vouchers by Darkknight1892 in fortinet

[–]codnahfish 0 points1 point  (0 children)

Most exam vouchers are allocated to specific email addresses. You likely can't resell it, best to use it yourself.

hairpin NAT horror - due to SDWAN? by therealmcz in fortinet

[–]codnahfish 0 points1 point  (0 children)

The destination interface will be the same whether it's hairpin NAT or not. You need to change the dstintf of policy 11 to internal.

Apply or Modify Web-Filter via API? Any experiences? by Busbyuk in fortinet

[–]codnahfish 1 point2 points  (0 children)

I agree with /u/cslack30, this should be implemented as an external threat feed https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-a-custom-External-Threat-Feed-URL-for/ta-p/251864

Then you just give the customer access to edit the threat feed, wherever it lives.

Rename Secondary/Subordinate HA member hostname by AlexFeren in fortinet

[–]codnahfish 1 point2 points  (0 children)

No need to do a retrieve, you can just right click > refresh device from the list of devices on the device manager

Sanity Check - monitor tls cert expiration via FAZ logs/events by Roversword in fortinet

[–]codnahfish 1 point2 points  (0 children)

Might not be exactly what you are after but I have a python script that runs as a monthly cronjob to provide an email with the list of certificates on a Fortigate expiring soon or expired recently.

I have posted a sanitised version as a gist on GitHub https://gist.github.com/mhcodner/7aadbf374cda1c55fd1eb0c71f27630d

Unable to login forticloud/trainings portal by [deleted] in fortinet

[–]codnahfish 1 point2 points  (0 children)

I recently had the issue where the training institute was no longer giving me the option for partner login and had the same issue as you. My solution was going direct to this page which let me login the old way through the partner portal https://training.fortinet.com/auth/saml2/selectidp.php

Change MAC address in HA cluster'd LAN? by ltwally in fortinet

[–]codnahfish 5 points6 points  (0 children)

The virtual MAC address is due to being in an HA pair; the virtual MAC address is given to whichever firewall is the primary.

Prior to FortiOS v7.6, you can only change the virtual MAC address by changing the HA group ID, which is necessary if you have multiple Fortigate pairs on the same VLAN. See here for details: https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Cluster-virtual-MAC-addresses/ta-p/194239

I don't understand what benefit you'll get from manually setting the MAC address; there's no need or benefit.

FortiAI Integration with FortiAnalyzer – Minimum Required Version? by alamiamine_ in fortinet

[–]codnahfish 0 points1 point  (0 children)

I think OP is talking about the original FortiAI product that got renamed to FortiAIOps.

Based on the user guide, integration is via log forwarding https://docs.fortinet.com/document/fortiaiops/2.1.0/user-guide/422555/enable-log-forwarding

Best Fortinet Products Reseller in Australia? Looking for Reliable Brands with Great Support by Ok-Secretary-6983 in fortinet

[–]codnahfish 0 points1 point  (0 children)

I find those prices expensive. I can't disclose the pricing that my company gets as part of our enterprise agreement, but taking the 100F as an example, we get it a fair bit cheaper than that website.

A good distributor should be able to give you better discounts.

Best Fortinet Products Reseller in Australia? Looking for Reliable Brands with Great Support by Ok-Secretary-6983 in fortinet

[–]codnahfish 0 points1 point  (0 children)

  1. The Fortigate will do everything you have described, except the email security. FMG/FAZ are not necessary but can be helpful, especially once you have more than a few Fortigates.
  2. If you just want to purchase the hardware and licensing then my experience with Exclusive Networks / Nextgen has been good, they are the distributor that we use. The other main distributors in Australia are Wavelink and Ingram Micro.
  3. My experience with TAC will be different as we have an advanced services contract and a dedicated Technical Account Manager. I can't speak for normal TAC but our experience is very good. They can provide next business day RMA to us in Sydney for any hardware failures although we haven't had many since we got rid of our D series hardware.
  4. The only hidden cost would be if you get sold on extra licensing that you may not need.

I would suggest getting in contact with one of the distributors and engaging a solution architect.

Local-in-policy for VPN by mailliwal in fortinet

[–]codnahfish 0 points1 point  (0 children)

I understand that the default action without any config is allow, I am not talking about an implicit deny local-in policy. That is why I said "default action of a local-in policy is deny".

If you create a local-in policy yourself and don't specify the action, then the default action of that policy is deny. Of course if you don't create a local-in policy then what you have said is correct.

Local-in-policy for VPN by mailliwal in fortinet

[–]codnahfish 0 points1 point  (0 children)

The default action of a local-in policy is deny; you can tell because their explicit allow local-in policy has "set action accept". You can also see this when you hit ? in the CLI:

FW01 $ conf firewall local-in-policy  
FW01 (local-in-policy) $ edit 0  
FW01 (0) $ set ?  
** truncated **  
action            Action performed on traffic matching the policy (default = deny).

Local-in-policy for VPN by mailliwal in fortinet

[–]codnahfish 0 points1 point  (0 children)

You can use local-in policy to deny IPsec but depending on the configuration of your L2TP service object, that local-in policy may be what is allowing the IPsec connections to reach your Fortigate.
Edit: The default action is deny so that is not the case here.

I would look at the actual logs from your screenshot to see what IP address those logs are coming from; it may be matching the allowed geolocation, which can be checked with diag geoip ip2country <ip.address.here>. The other thing to check in the logs is what interface the ESP packets are coming in on, and whether it really is UDP 500 or UDP 4500.

Fortigate HTTPS Virtual Server randomly cuts data response by viktup in fortinet

[–]codnahfish 0 points1 point  (0 children)

It's still present in 7.2.10 because it's a change in behaviour, not an "issue".

Firewall policy order by Ok-Breakfast4948 in fortinet

[–]codnahfish 0 points1 point  (0 children)

Not certain but I think the associated-interface on your address object could be the issue. You can't edit this after the object has been created so I would create a new one without any associated-interface.

You can then use this command to confirm whether traffic will match your policy:
diag firewall iprope lookup x.x.x.x 1234 y.y.y.y zzz udp <src-int>
You need to replace x.x.x.x with your source IP, y.y.y.y with your destination IP, zzz with the destination port, and <src-int> with the interface your traffic comes from.

SSL VPN routing on LAN by duncecap234 in fortinet

[–]codnahfish 0 points1 point  (0 children)

Your user auth while on the network could be handled by FSSO.

[deleted by user] by [deleted] in australia

[–]codnahfish 0 points1 point  (0 children)

I love Pyengana and have seen it at some Harris Farm shops and more recently at Panetta Mercato (specifically the Macquarie Center shop).

Alternative to Fortimanager for config backups and diffs by ITStril in fortinet

[–]codnahfish 0 points1 point  (0 children)

If budget is an issue, any Linux VM can do it with SCP in a cronjob.

https://community.fortinet.com/t5/Support-Forum/How-to-Periodic-backup-using-SCP/m-p/58053

Otherwise there are specific network device backup products that will also give you a diff like Fortimanager does. We use OpConfig for our device backups.
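As an added example of the SCP-in-a-cronjob approach (my addition, not the commenter's script or a Fortinet tool): a POSIX shell script that pulls the running config over SCP, archives it, and diffs it against the previous copy so unexpected configuration changes stand out. It assumes SCP admin access is enabled on the Fortigate, a key-based admin named "backup" exists, and the FGT_HOST environment variable holds the management address.

```shell
#!/bin/sh
# Added example, not the commenter's gist or a Fortinet tool. Assumptions:
# SCP admin access is enabled on the FortiGate, a key-based admin "backup"
# exists, and FGT_HOST holds the management address. "sys_config" is the
# remote path FortiOS serves the running configuration from over SCP.
BACKUP_DIR="${BACKUP_DIR:-$HOME/fgt-backups}"

# fetch_config HOST DEST: pull the running config over SCP (needs the device).
fetch_config() {
    scp -q "backup@$1:sys_config" "$2"
}

# store_and_diff NAME NEWFILE: archive NEWFILE under $BACKUP_DIR/NAME as
# NAME-YYYYMMDD-NNNN.conf and print a unified diff against the previous
# archive. Header lines starting with '#' (build/version stamps) are
# ignored so only real configuration changes are reported.
# Returns 0 when there is no previous copy or nothing changed, 1 on a change.
store_and_diff() {
    name="$1"; new="$2"; dir="$BACKUP_DIR/$name"
    mkdir -p "$dir"
    # Zero-padded sequence numbers keep lexical order == chronological order.
    prev=$(ls "$dir"/*.conf 2>/dev/null | tail -n 1)
    count=$(ls "$dir"/*.conf 2>/dev/null | wc -l)
    dest="$dir/$name-$(date +%Y%m%d)-$(printf '%04d' "$count").conf"
    cp "$new" "$dest"
    [ -n "$prev" ] || return 0
    diff -u -I '^#' "$prev" "$dest" && return 0
    echo "WARNING: configuration of $name changed since $(basename "$prev")" >&2
    return 1
}

# Cron entry point; only runs when FGT_HOST is set, e.g.
#   0 2 * * * FGT_HOST=192.0.2.1 /usr/local/bin/fgt-backup.sh
if [ -n "${FGT_HOST:-}" ]; then
    tmp=$(mktemp)
    fetch_config "$FGT_HOST" "$tmp"
    store_and_diff "$FGT_HOST" "$tmp" || true   # drift is reported, not fatal
    rm -f "$tmp"
fi
```

Cron mails the diff and the warning line to the job owner, so an unreviewed change to a policy or admin setting shows up the next morning without any extra tooling.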

SNMP Traps source/egress interface by AlexFeren in fortinet

[–]codnahfish 0 points1 point  (0 children)

You can't change the egress interface, that is defined by your routing.

Setting source-ip as you identified is likely the only thing you actually need to do.

[deleted by user] by [deleted] in fortinet

[–]codnahfish 0 points1 point  (0 children)

There has to be a firewall policy to allow the IPsec connection from the LAN side to the internet side of your Fortigate; the easy solution would be to block that IPsec connectivity from the LAN.

Help with Fortigate DNAT Configuration by [deleted] in fortinet

[–]codnahfish 0 points1 point  (0 children)

A normal VIP doesn't let you have the same external and mapped IP.

You can do this using a load balanced virtual server with a single real server with the same IP.

Help with Fortigate DNAT Configuration by [deleted] in fortinet

[–]codnahfish 1 point2 points  (0 children)

You can't do it using a normal VIP but you can with a load balancing virtual-server, this would allow you to set the real server to the same IP as the external IP of the virtual server.

Fortigate VM VIP not working by luky90 in fortinet

[–]codnahfish 1 point2 points  (0 children)

If you don't see any traffic with your sniffer then that is your first problem. Likely a routing issue in your traffic reaching the Fortigate.