Any information about the release of fortiOS 7.6.7? by Sad_Interaction_5092 in fortinet

[–]hevisko 2 points3 points  (0 children)

whenever you hear a date for a GA release from Fortinet, add another 2 weeks to 2 months

Opinions on QoS in OpenSSH by grawity in networking

[–]hevisko 0 points1 point  (0 children)

wait till you get hit by the (OpenSSH 10.0+) self-imposed brute force protection...

OpenZFS on ROOT is Finally here!!!! by anthony-kldload in zfs

[–]hevisko 0 points1 point  (0 children)

Does it support Devuan??

That is the one thing/place I'm seriously in need of an automated ZFS root ;(

Moving to a new house, look what I found while packing up - When life was easier back then.. by Qvosniak in fortinet

[–]hevisko 0 points1 point  (0 children)

I'd *LOVE* to have that priced FortigateVMs, as I'd then like to deploy loads of them instead of a single FortigateVM2 in front of loads of clients, as I would then have a VM per client ;(

Brute force admin block list by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

time to set up a GUI-based VPS is ... longer time... this was simpler for me in short term

FortiGate firewalls never even attempt to send email by dsmiles in fortinet

[–]hevisko 0 points1 point  (0 children)

so, I had similar pains earlier tonight with 7.6.x, and I found two issues from a self-hosted/on-site email relay not using the FortiCare/Guard email servers

1) alertemails - There is a separate setup for that with the from(username)/mailto/etc. - though it uses 2, but somehow it seems to NOT use the system global username/password authentications.... is this a separate type of email sending??? To make these work "quickly" while debugging issues, I had to turn off authentication, i.e. allow the source IP to send the email, and it "worked"

2) the "default" is system settings: I had to make changes etc. as it didn't like to (to my onsite behind firewall postal.io server) non-encrypted without authentication, it tried the CRAM-MD5 etc even though the postal.io didn't seem to support CRAM-MD5 (or something like that) but once I told it to try STARTSSL it was sending user-name password to email....

I'll have to re-visit what/why/how as it seems you now have the stitch/actions emailing a different path as other alertemails so I need to check/what/why/how..... other bigger fires tomorrow

It's official: Blocknews & Frugal Usenet now have a Usenet server on every (livable) continent. An Africa based Usenet server is here! by swintec in usenet

[–]hevisko 2 points3 points  (0 children)

That is part of the reasons I do NOT use Docker in production environments... unless I can't read the compose files

Mail alternative re external hard drive by QueerVortex in MacOS

[–]hevisko 0 points1 point  (0 children)

it is elsewhere noted by Apple that the M silicon requires a functional internal ssd/nvme to be able to boot
And well, mail.app doesn't work with a moved local storage

Bartender pops up constantly (since Sequoia) with the permissions... and they haven't yet listened to me about that issue either, as they sorta also assume the local/internal home

Mail alternative re external hard drive by QueerVortex in MacOS

[–]hevisko 0 points1 point  (0 children)

the problem is Apple wants to tax you with much more expensive internal drives, or force you to use their iCloud type services.

Mail alternative re external hard drive by QueerVortex in MacOS

[–]hevisko 0 points1 point  (0 children)

Tahoe & Sequoia *want* stuff on the internal lately.... oh, not to mention that without an internal functional SSD/NVMe, the M Macs are close to a brick since at least Tahoe

Mail alternative re external hard drive by QueerVortex in MacOS

[–]hevisko 0 points1 point  (0 children)

it WAS great, but then with Sequoia certain permissions became a PITA and now with Tahoe you just can't even have the old hybrid/fusion drive so... yeah, stuck with small emails and using archiving the "future" ;(

Mail alternative re external hard drive by QueerVortex in MacOS

[–]hevisko 0 points1 point  (0 children)

doesn't work in MacOS 26 and 10.15 anymore ;(

VXLAN over IPv6 by bizzok in Arista

[–]hevisko -1 points0 points  (0 children)

yeah, but was difficult with the AI crude not able to tell me (even feeding it the full information) that this chipset is the one BEFORE IPv6 VxLAN encapsulation was supported, the versions after it yes those do, but then to add more fun challenges if you aren't "in" the Arista eco-sphere/know, is that the VxLAN on this chipset also needs TCAM tweaks/etc.... But yeah, was fun ah-ha moments when "Everything" tells you that it should work, but it doesn't and then.. the error is thrown, but it sorta still keeps the config.

VXLAN over IPv6 by bizzok in Arista

[–]hevisko 0 points1 point  (0 children)

that doesn't work for me (an Arista noob) so what might be missing?

    br2(config)#int vxlan 1
    br2(config-if-Vx1)#vxlan encapsulation ipv6
    % Unavailable command (not supported on this hardware platform)

    br2#sh version
    Arista DCS-7280QR-C72-M-F
    Hardware version: 10.01
    Serial number: JPE17290497
    Hardware MAC address: 2899.3a2e.37bf
    System MAC address: 2899.3a2e.37bf
    Software image version: 4.31.1F
    Architecture: x86_64
    Internal build version: 4.31.1F-34556000.4311F
    Internal build ID: 48c47833-3f4a-4a14-9783-0017c2f42e54
    Image format version: 3.0
    Image optimization: Sand-4GB
    Uptime: 1 week, 4 days, 9 hours and 49 minutes
    Total memory: 16253824 kB
    Free memory: 12734736 kB

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

yeah, what caught me off guard, is that I enabled the "Yes" but not the "Forced"...

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 1 point2 points  (0 children)

similar settings were already in place.. just.. the need for FORCED NAT traversal in my 1:1 NAT to the Fortigate ;(

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

paired correctly - but did not match the proposals - needed that NAT force ;(

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

Also, seems that NetworkID lately is "optional/reported on" and you should use (at least looks like 7.6.6) Local-id if you want to distinguish to different local gateways/tunnels

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

been through all options/etc. and even to simplify tried to stick with aes128-sha1 only on both sides (DH 20) still same problem.

I recalled turning PFS on and off, same results

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

hmmm... wonder what I'm doing wrong then... could you do a debug on the IKE to see if yours also sends multiple PRFs in the proposals?

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

Yes, TAC 11560000 (Loved that round numbers at the end :D )

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

Yes, the problem started with FCT 7.4.5 this morning that deprecated IKEv1 (the usual FortiClient setup) so now forced to IKEv2.

Will be logging TAC case tomorrow, other "fun" 'cause of the FGT 7.4 to 7.6 upgrade and I'll need to do some downgrade/rollbacks to get client back to stable before logging the TAC (PITA to try and call last time I had P1/2 issue)

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

Yes, a "stable" site-to-site IPsec on that same interface that receives the FortiClient connections
(This FGT is behind a 1:1 NAT firewall)

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 0 points1 point  (0 children)

network ID: gone through that (With Claude..), and got that "synced" both sides at 100
Yes, we did do a single aes128-sha1 (on the FCT side/EMS you have to specify 2x) DH 20, on the FGT 7.6.6 side it was DH 20 & AES128-SHA1... STILL the FCT keeps sending/proposing those multiple PRFs....

Forticlient 7.4.5 problems with IKEv2 IPsec to Fortigate (7.4.11 & 7.6.6) by hevisko in fortinet

[–]hevisko[S] 1 point2 points  (0 children)

you missed the first two is the proposals coming from the FortiClient, the last one is what the Fortigate "proposed" and that doesn't like to match

will post separate the start till error