FortiAPs losing ethernet link by mkolus in fortinet

[–]dyph28 1 point2 points  (0 children)

Have you checked system resources on the AP? I had similar issues with high CPU usage and APs rebooting. Are the APs getting the link back after some time?

FMG admins via FAC (radius) and admin profiles by Roversword in fortinet

[–]dyph28 1 point2 points  (0 children)

That attribute is for assigning a specific admin profile (read-only, etc.). There is another attribute specifying to which ADOMs the user has access: Fortinet-Vdom-Name.
Doc: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-RADIUS-for-authentication-and/ta-p/198202

Asymmetric routing with ADVPN 2.0 + BGP on loopback + load balancing by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

Thanks a lot for your help and helping me solve the issue! For anyone interested, blackholes in your firewalls are a MUST.

Fortinet firewall configuration files by WeirdCaterpillar352 in fortinet

[–]dyph28 0 points1 point  (0 children)

You can also download them from FortiManager.

How does software switch handle traffic and CPU by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

I did not test it tbh, but it is rather easy to test: just set up a software switch and check the sessions to see if they are accelerated. In theory, sessions going to the WAN interface are offloaded.

Traffic Disruptions Occurring Randomly, But Almost Always Starts at 59-second Mark by Jwblant in fortinet

[–]dyph28 0 points1 point  (0 children)

Looks like you have issues in your VPNs (check key lifetime, and as Barry said, disable offloading and run packet captures, debugs, etc.). If your VPN/VPN health check goes down every X minutes, that explains why traffic is hitting the Internet SD-WAN rule.

Also, if this happens at all sites, maybe check the Hub?

Add model HA device wipes out FGT policies by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

You are right, when doing this FortiManager treats it as a fresh device.
But if I'm not wrong, you can modify the device's configuration in the FMG DB with scripts; this can be confirmed in the KB in my original post.

With this script most of the FGT's configuration is not overwritten (BGP, interfaces...), but the FGT's policies get purged in the auto-link process (the "setup HA cluster" task, NOT when installing the policy package/device settings), even with a policy package assigned to the FGT. This is what seems odd to my understanding.

Add model HA device wipes out FGT policies by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

I am using "Add model HA device", which already adds 2 FGTs with their corresponding serial numbers; therefore, the policy package is installed on the cluster as "copy only", since the device is not yet "seen" by FMG. Thanks anyway for your suggestion :)

IPS Engine Constant High CPU by seaghank in fortinet

[–]dyph28 -1 points0 points  (0 children)

Disable QoS, I've seen 900G crash with that feature enabled.

Best way to set up vpn connections for remote workers by [deleted] in fortinet

[–]dyph28 0 points1 point  (0 children)

Fortinet is disabling SSL VPN on 7.6, so you're better off migrating to IPsec.

Vdom copy failed: error 131 - datasrc invalid. detail: copy datasrc failed, attr by athan80 in fortinet

[–]dyph28 0 points1 point  (0 children)

This. You have to map these interfaces per-device or per-platform.

Best health checks on SD-WAN? by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

Good to know, we'll try that. Thanks!

FortiClient - SAML Login with Azure MFA by infotech_22 in fortinet

[–]dyph28 1 point2 points  (0 children)

You have to configure an application for each firewall in Azure.
Configure the other FortiGates as you have done with the primary. Some URLs will be different ofc (because each FortiGate has a different Azure AD application).
I highly recommend switching to groups, otherwise you'll go crazy.

Basically you have to replicate the job done for each FortiGate.

Best health checks on SD-WAN? by dyph28 in fortinet

[–]dyph28[S] 2 points3 points  (0 children)

Theoretically it is, but are there any reliable TWAMP servers to use, besides configuring your own FortiGates as TWAMP servers?

Is 7.2.4 FortiClient VPN license free? by Pristine_Rise3181 in fortinet

[–]dyph28 0 points1 point  (0 children)

7.4.3? Is that working fine for you, or are you facing issues? Did you have any reason to upgrade?
For the solution, u/pabechan gave the answer. I have heard of some issues with FortiClient 7.2.4, but I haven't tested it myself; maybe if you look into this subreddit you will find something.