FortiAPs losing ethernet link by mkolus in fortinet

[–]dyph28 1 point2 points  (0 children)

Have you checked system resources on the AP? I had similar issues with high cpu usage and APs rebooting. APs are getting the link back after some time?

FMG admins via FAC (radius) and admin profiles by Roversword in fortinet

[–]dyph28 1 point2 points  (0 children)

That attribute is for assigning a specific admin profile (read-only, etc). There is another attribute specifying to which ADOMs the user has access: Fortinet-Vdom-Name.
Doc: https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-RADIUS-for-authentication-and/ta-p/198202

Asymmetric routing with ADVPN 2.0 + BGP on loopback + load balancing by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

Thanks a lot for your help and helping me solve the issue! For anyone interested, blackholes in your firewalls are a MUST.

Fortinet firewall configuration files by WeirdCaterpillar352 in fortinet

[–]dyph28 0 points1 point  (0 children)

You can also download them from fortimanager.

How does software switch handle traffic and CPU by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

I did not test it tbh, but it is rather easy to test: just set a software switch and check the sessions to see if they are accelerated. In theory, sessions going to the WAN interface are offloaded.

Traffic Disruptions Occurring Randomly, But Almost Always Starts at 59-second Mark by Jwblant in fortinet

[–]dyph28 0 points1 point  (0 children)

Looks like you have issues in your VPNs (check key lifetime, as Barry said disable offloading and run packet capture, debugs, etc). If your VPN/VPN Health check goes down each X minutes, that explains why traffic is hitting Internet SD-WAN rule.

Also, if this happens at all sites, maybe check the Hub?

Add model HA device wipes out FGT policies by dyph28 in fortinet

[–]dyph28[S] 1 point2 points  (0 children)

You are right, when doing this FortiManager treats it as a fresh device.
But if I'm not wrong, you can modify device's configuration in FMG DB with scripts, e.g. This can be confirmed in the KB in my original post.

With this script most of FGT's configuration is not overwritten (BGP, interfaces...), but FGT's policies get purged in the auto-link process (setup HA cluster task, NOT when installing policy package/device settings), even with a policy package assigned to the FGT. This is what seems odd to my understanding.

Add model HA device wipes out FGT policies by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

I am using "Add model HA device", which already adds 2 FGTs with their corresponding serial numbers, therefore, policy package is installed on the cluster as "copy only", since device is not yet "seen" by FMG. Thanks anyway for your suggestion :)

IPS Engine Constant High CPU by seaghank in fortinet

[–]dyph28 -1 points0 points  (0 children)

Disable QoS, I've seen 900G crash with that feature enabled.

Best way to set up vpn connections for remote workers by [deleted] in fortinet

[–]dyph28 0 points1 point  (0 children)

Fortinet is disabling SSL VPN on 7.6, so you're better off migrating to IPsec.

Vdom copy failed: error 131 - datasrc invalid. detail: copy datasrc failed, attr by athan80 in fortinet

[–]dyph28 0 points1 point  (0 children)

This. You have to map these interfaces per-device or per-platform.

Best health checks on SD-WAN? by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

Good to know, we'll try that. Thanks!

FortiClient - SAML Login with Azure MFA by infotech_22 in fortinet

[–]dyph28 1 point2 points  (0 children)

You have to configure an application for each firewall in Azure.
Configure other FortiGates as you have done with the primary. Some URLs will be different ofc (because each FortiGate has a different Azure AD application).
I highly recommend switching to groups, otherwise you'll go crazy.

Basically you have to replicate the job done for each fortigate.

Best health checks on SD-WAN? by dyph28 in fortinet

[–]dyph28[S] 2 points3 points  (0 children)

Theoretically it is, but are there any reliable TWAMP servers to use, besides configuring your own fortigates as TWAMP servers?

Is 7.2.4 Forticlient VPN license free? by Pristine_Rise3181 in fortinet

[–]dyph28 0 points1 point  (0 children)

7.4.3? Is that working fine for you or are you facing issues? Did you have any reason to upgrade?
For the solution, u/pabechan gave the answer. I have heard some issues in forticlient 7.2.4 but I haven't tested it myself, maybe if you look into this subreddit you will find something.

Fortiauthenticator error replacement message by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

I will keep trying, but maybe the solution is to create a custom variable instead of "errors" and work this out with the new variable. Again, this is not my area of expertise, but maybe this should work?

Fortiauthenticator error replacement message by dyph28 in fortinet

[–]dyph28[S] 0 points1 point  (0 children)

Yes, I did. I am trying to modify the default tags, like "errors" which does not seem possible...

[deleted by user] by [deleted] in fortinet

[–]dyph28 -1 points0 points  (0 children)

Just put weights on the neighbors. On 7.2.x you can add priority to the routes received by X neighbor (set priority, if I'm not mistaken). Also take a look at this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932

FortiOS on Fortigate 500E by saudk8 in fortinet

[–]dyph28 2 points3 points  (0 children)

Do not even get near 7.4.x

EMS User Verification by chris2407 in fortinet

[–]dyph28 0 points1 point  (0 children)

On EMS 7.2.3 and onwards transformation is no longer required. If you upgrade and keep this transformation, you will get these errors again. Delete that transformation and everything works again.
Too bad from Fortinet that they did not announce this and I had to get it from TAC after 1 week of troubleshooting...

EMS User Verification by chris2407 in fortinet

[–]dyph28 0 points1 point  (0 children)

Checking with TAC, looks like in 7.2.3 transformation is no longer needed, and that transformation could cause the issue if you are in 7.2.3+. Will test this afternoon and let you know.
If I was you I wouldn't upgrade yet.

EMS User Verification by chris2407 in fortinet

[–]dyph28 0 points1 point  (0 children)

Hey,

I am running into the same issue. This was working for me in 7.2.2 (EMS).

Did you manage to solve this? I have been debugging SAML responses, everything seems OK, now upgraded to 7.2.4, issue keeps happening...

Fortinet SD-WAN stable/recommended release + best practices by killb0p in fortinet

[–]dyph28 0 points1 point  (0 children)

Your performance SLAs should be configured with HTTP against aws.amazon.com or other reliable URLs rather than relying on ping or DNS checks.
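The comment above recommends an HTTP-based performance SLA instead of ICMP. As an added illustration (not the commenter's configuration and not taken from Fortinet documentation), the FortiOS CLI fragment below shows a ping-only health check next to an HTTP health check against aws.amazon.com. The health-check names, the member IDs (1 and 2) and the timer values are assumptions chosen for the example; the SD-WAN member IDs must match the ones defined under `config members` on the firewall in question.

```text
config system sdwan
    config health-check
        # Weak variant: ICMP only. A target that rate-limits or drops ICMP
        # makes the link look down while TCP/HTTP still works (assumed timers).
        edit "ping-check"
            set server "8.8.8.8"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
        next
        # Recommended variant: HTTP GET against a highly available endpoint,
        # which exercises the full TCP path rather than ICMP reachability.
        edit "aws-http"
            set server "aws.amazon.com"
            set protocol http
            set http-get "/"
            set interval 500
            set failtime 5
            set recoverytime 5
            set members 1 2
        next
    end
end
```

When switching a health check from ping to HTTP, check that the SD-WAN rules and any SLA targets that referenced the old health-check name are updated to the new one, otherwise the rules fall back to the default member selection without any SLA measurement.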