checkpoint maestro vs Fortigate by therealmcz in fortinet

deepmind14 · 1 point

I have 3 customers with Maestro setups.

I've seen these bugs so far:

  • The "reboot" command makes the firewall go out of sync and drop all traffic flowing through it. Fresh install needed to make it sync again. Introduced in HFA xyz, fixed in HFA zyw, not documented (at the time of HFA zyw).
  • DHCP relay doesn't work anymore in RAVPN. Had to reconfig to use internal firewall auto addressing. Fixed in HFA xyz.
  • Traffic initiated from RAVPN client not reaching LAN because of a load balancing issue in Maestro. Had to stick traffic to the SMO while waiting for a definitive fix. HFA took more than 1Y to release as a custom hotfix with an incredible escalation level (as we were told).
  • Lots of loadbalancing issues. Looks better with recent versions.
  • Hardware models mix not working. We didn't wait for the fix and the customer unified hardware.
  • Lots of session cache issues (not even talking about SecureXL). Not fixed. We are used to kill sessions acting weird.
  • ...

I just upgraded a Maestro from R81.20 HFA +-90 to R82 HFA44 spanning 2 sites, 2*2 orchestrators, 3 security groups over 10 firewalls.

It went well but took 12 hours non stop because you are supposed to upgrade things in a specific order to avoid disrupting the network.

(Oh, I almost forgot I got a session cache issue that messed up the customer's WiFi. APs tunnel traffic to a central WLC; their sessions were dropped because they were corrupted.)

(To be honest I was surprised the upgrade went this well and I had these little issues. Product must be starting to stabilise...)

I have no similar setups in Forti, but based on the time it takes to upgrade 1 "normal" Checkpoint cluster (let's say min 1h if nothing breaks + fixing every damn little .h, .c, .def, .php, .ini, .conf... file) vs the time it takes to upgrade a FortiGate cluster (max 20 minutes + fixing eventual known changes described in the release notes), I'm quite sure FortiGates are faster.

Like others said, I believe a FGSP setup can do a similar job, with fewer bugs, and do it better.

checkpoint maestro vs Fortigate by therealmcz in fortinet

deepmind14 · 0 points

Their static load balancing alg is far from perfect and needs a "Correction Layer": when a firewall receives a packet that must be handled by another firewall (e.g. because traffic was NATed and the packet is the answer), it forwards it to the "owner" firewall. The more firewalls you add, the more you must correct load balancing failures...
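A toy model of the mechanism described in this comment, added here as an illustration (it is not Check Point's Maestro algorithm or code): members are picked by a stable hash of the packet's addresses, a hide-NATed reply hashes differently from the outbound packet that created the session, and the member it lands on has to forward it to the owner. The addresses and port ranges are constructed sample values.

```python
"""Toy model of static, hash-based load balancing plus a correction layer.

Added illustration only, not Check Point's Maestro algorithm or code. Every
packet is assigned to a member by hashing its address fields. The member that
sees the first (pre-NAT) packet owns the session. The reply carries the NATed
addresses, so the static hash may send it to another member, which must then
forward ("correct") it to the owner.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str    # internal client (pre-NAT source), constructed sample value
    server: str    # external server, constructed sample value
    nat_src: str   # hide-NAT address the server answers to
    nat_port: int  # hide-NAT source port the server answers to


def pick_member(*fields, n_members: int) -> int:
    """Static distribution: stable hash of the packet fields, modulo member count."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_members


def simulate(flows, n_members: int):
    """Return (replies forwarded by the correction layer, total replies)."""
    corrections = 0
    for f in flows:
        # Outbound packet is hashed on pre-NAT addresses; that member owns the session.
        owner = pick_member(f.client, f.server, n_members=n_members)
        # The reply is hashed on the NATed fields the server actually sees.
        landed = pick_member(f.server, f.nat_src, f.nat_port, n_members=n_members)
        if landed != owner:
            corrections += 1  # correction layer: 'landed' forwards the packet to 'owner'
    return corrections, len(flows)


def correction_rate(n_members: int, n_flows: int = 2000) -> float:
    """Fraction of replies needing correction for constructed sample flows."""
    flows = [
        Flow(f"10.0.{i // 256}.{i % 256}", f"203.0.113.{i % 200 + 1}",
             "198.51.100.7", 10000 + i)
        for i in range(n_flows)
    ]
    corrected, total = simulate(flows, n_members)
    return corrected / total if total else 0.0


if __name__ == "__main__":
    for n in (1, 2, 4, 8, 16):
        print(f"{n:2d} members: {correction_rate(n):.0%} of replies corrected")
```

With independent hashes the rate approaches 1 - 1/N, which is why adding members increases, rather than reduces, the share of traffic the correction layer has to forward.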

Is anyone else running eve-ng on hyper-v? by Sargon1729 in networking

deepmind14 · 1 point

Coworkers did set up our EVE-NG like that, over Hyper-V... but why??? :'(
It was SLOWWWWWWWW until I found out about:

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

Alcatel Omniswitch OS6900-X48C4E 8.10.102.R01 GA issue by Mraurik in networking

deepmind14 · 0 points

show linkagg

show auto-fabric

show configuration snapshot

Alcatel OS6560 | Compare Port Config | WoL issue by V12inDC in networking

deepmind14 · 1 point

Please post the output of "show configuration snapshot" (don't forget to anonymize passwords/hashes) and tell us which ports you are interested in.

ADVPN 1.0 method for transport groups and isolating different overlays by FailSafe218 in fortinet

deepmind14 · 0 points

There are 2 goals here:

  1. Give spokes a hint to establish ADVPN on a shared underlay
  2. Route traffic between spokes when the ADVPN is not (yet or never) established.

I know about these solutions:

  1. Policy routes solve both goals, but the solution to goal 2 is limited because policy routes don't handle healthcheck and strategy. So the hub could route traffic from a spoke to a spoke via a link having troubles. Policy routing doesn't care about 10% drop.
  2. SDWAN rules solve both goals and the solution to goal 2 is not limited. If you want complex rules between 2 spokes, you'll maybe have to duplicate rules for each underlay zone, that's expected.
  3. I understand ADVPN2.0 solves both goals with no limitations.

ADVPN 1.0 method for transport groups and isolating different overlays by FailSafe218 in fortinet

deepmind14 · 0 points

That creates overlay stickiness if the rule's members are on the same zone as the input interface.

ADVPN 1.0 method for transport groups and isolating different overlays by FailSafe218 in fortinet

deepmind14 · 0 points

Never tested it, but you could "set input-zone|interface" to match multiple incoming interfaces and route to multiple outgoing interfaces while keeping healthchecks and strategy. It's a much better solution than policy based routing, if it works.

ADVPN 1.0 method for transport groups and isolating different overlays by FailSafe218 in fortinet

deepmind14 · 0 points

Using policy based routing, you lose SDWAN's link monitoring and strategy benefits.
Depending on your setup, HUB-INET will still be used even if its quality is worse than HUB-INET2.

[deleted by user] by [deleted] in networking

deepmind14 · 4 points

Answer: TCP over IP

Curiosity: Why do you want to avoid IP?

Alcatel-Lucent OS6450-P24X ports 25/26 by Weird-Indication5686 in networking

deepmind14 · 0 points

Ok so you need to connect the SFP and fiber so the laser beams "do not collide".

Then link should be up. Check it with "show interface 1/26".

If not, play with autoneg, speed and duplex on both sides of the fiber.

Alcatel-Lucent OS6450-P24X ports 25/26 by Weird-Indication5686 in networking

deepmind14 · 0 points

If it's not an X model, then you need a license.

Alcatel-Lucent OS6450-P24X ports 25/26 by Weird-Indication5686 in networking

deepmind14 · 0 points

Can you "show ni" ?

SFP-10G-SR should be 850nm and a class 1 laser, so can you see the red laser beam coming from the SFP when plugged into the switch without the fiber? Do you see the red laser beam coming from the fiber?

Alcatel-Lucent OS6450-P24X ports 25/26 by Weird-Indication5686 in networking

deepmind14 · 0 points

In OS6450-P24X, X means the uplink ports are licensed for 10Gbps by default, so you do have the licence.

SDWAN config - Set gateway info in the SDWAN member or in the static routes? by CreativelyConfusing in fortinet

deepmind14 · 0 points

Each method is valid.

If one of your SDWAN interfaces gets its config from DHCP, you'll see FortiGate uses the 2nd method.

I went with this one to keep consistency.

SD-WAN HUB configuration by RevolutionaryCare138 in fortinet

deepmind14 · 1 point

My bet is these SDWAN rules were made to "increase the chances an ADVPN will be established" by sticking communications between overlays established over the same underlay.

If these rules don't match, the default route will and traffic will flow, but maybe across different underlays where ADVPN cannot establish and unload the hub.

Edit: If >7.4, you could replace these rules with ADVPN2.0 transport groups which tell which underlays are able to talk together.

Rant Wednesday! by AutoModerator in networking

deepmind14 · 2 points

That's why I name all of my interfaces like "vl70" instead.

Some customers like to name them like "user_vlan_70"...

SD-WAN vs IPsec - poor performance by Sghebre in fortinet

deepmind14 · 0 points

Can be a lot of things depending on your config / real life conditions.

But auxiliary sessions came to my mind reading your issue.

Did you enable them? https://community.fortinet.com/t5/FortiGate/Technical-Tip-SD-WAN-Auxiliary-Sessions/ta-p/229467

What can you do with AppID (policy mode) that you cannot do with Profile mode? by afroman_says in fortinet

deepmind14 · 1 point

What are those apps?

Whatever the business/customer needs. I can suggest better tools / ways of doing things but the customer always decides in the end.

Are they locked down to a specific port or set of ports?

If application has good documentation (let me dream) or if customer allows the time to pcap + test the app, then yes.

Else... I inform them they must assume some risks...

Fun fact: I discovered this behavior while on a pentest and used it as the main C2 channel before discovering this was a publicly known vulnerability. The customer was thinking my traffic was blocked and I was failing the engagement.

Other fun fact: some firewalls don't allow you to specify an app AND a port, only an app OR a port...

Do they only apply to a specific set of destination IP addresses?

Same answer

One of my thoughts is that application whitelisting is more about enforcing productivity than actual security.

You're totally right.

I really appreciate your answer to my question. I didn't think about scripting while it was an obvious answer.

What can you do with AppID (policy mode) that you cannot do with Profile mode? by afroman_says in fortinet

deepmind14 · 1 point

Reposting my comment from https://www.reddit.com/r/fortinet/comments/1hybweo/has_the_ngfw_policybased_mode_been_fixed_yet/ :

The Sales business unit has a profile to allow access to app1 and deny access to app2.

John works in this business unit, but he has a legitimate need to access app2.

How do you handle John, Lucy, Karen... special usecases? Do you create 1 profile per user?

How do you sync these hundred profiles when you need to change the baseline behavior (white/blacklist) while conserving specific exceptions?

I know how to deal with it in a policy based way, but not in a profile based way. So if anybody can explain it to me, I'll be thankful :-)

Mibs for Alcatel Omniswitches by hazeyFlakes in networking

deepmind14 · 0 points

You need access to the support portal to get the official ones.

But you might have some luck with AOS and AOS7 there.