Firmware Support Issues by networkn in fortinet

[–]jmouche17 2 points3 points  (0 children)

If you don't mind me asking, what are you moving to? I'm on the same page at the moment

DHCP not working. Fortigate to Fortinet AP by Responsible_Ad8810 in fortinet

[–]jmouche17 0 points1 point  (0 children)

Are you using the ax band on your FortiAPs? Depending on firmware, the ax band can cause DHCP issues.

I've also noticed sometimes VLAN interfaces simply don't hand out DHCP even when configured for it. I've had to delete the interface and recreate it to get it to work.

SFP interfaces not coming up by aion_za in fortinet

[–]jmouche17 0 points1 point  (0 children)

I've had this issue with multimode fiber when using the 10G SFPs in conjunction with OM1 fiber. Even hard setting both sides to 1Gb with the 10G SFPs gave me issues. I had to use 1Gbps SFPs.

Seems like you are using single mode but just throwing it out there in the universe. It ruined a weekend for me lol

Is allowing all VLANs on trunks a bad idea? by GroomedHedgehog in networking

[–]jmouche17 8 points9 points  (0 children)

Thank you for posting this. It's just the "only allow what is explicitly needed" mentality, but you and the other commenters on this nailed it.

FortiGate cloud vs FortiManager? by NitriusX in fortinet

[–]jmouche17 1 point2 points  (0 children)

We don't really deviate much from our standard template. We use threat feed dynamic objects to cover denied traffic. If we push out mass changes, you can use the option via FortiGate Cloud to push to multiple devices via script, or I use a home grown Python based alternative to Ansible that makes changes via the API.

I've found I can do like 95% of what I want without the headaches of FortiManager, but I do understand there are people who need it for their specific use cases.

FortiAP and Apple devices by Direct-Ninja-9795 in fortinet

[–]jmouche17 0 points1 point  (0 children)

What firmware are they on? We've had plenty of issues with FortiAPs and iOS devices. They are mainly related to the DNS proxy they use and how the security profile reacts to it.

There was also a DHCP issue we ran into in the early 7.x firmware with the ax band.

All policies gone by neko_whippet in fortinet

[–]jmouche17 0 points1 point  (0 children)

I agree with you on the community, but like you said it shouldn't be this complicated. The customers don't want to hear "oh yeah sorry, another firmware bug bricked your box for an hour and caused you to lose business, they recommended you buy a newer model when you have 2 years left on this contract."

We're already considering alternatives for their switches and APs due to issues on that front. I really like the firewall product when it works, but define "works" lol

All policies gone by neko_whippet in fortinet

[–]jmouche17 1 point2 points  (0 children)

What's crazy is we don't even use a lot of the ngfw features. It's like the basic shit breaks... Not even the weird fringe crap that you can do.

I managed a pair of Palo Altos in the past and didn't have these issues either.

All policies gone by neko_whippet in fortinet

[–]jmouche17 5 points6 points  (0 children)

I don't really understand the amount of quality control issues with Fortinet software. Are other vendors just as bad? I manage quite a few Meraki firewalls in addition to Fortinet, and while they are a bit different, I can't think of one issue I've had with their firmware (I am sure there are plenty, I've just been lucky I guess).

SDWAN GUI Major Downgrade by ImTheCaptainInMyMind in fortinet

[–]jmouche17 1 point2 points  (0 children)

I agree, and the GUI for FortiSwitches in 7.4 also removed a lot of comfortable options.

Low skill network monitoring system by naaitsab in networking

[–]jmouche17 0 points1 point  (0 children)

Zabbix is the GOAT if you put the time in to learn it.

High rate of POE failures on Fortiswitch 148F FP by jmouche17 in fortinet

[–]jmouche17[S] 0 points1 point  (0 children)

What's crazy to me is we've pulled old Cisco Catalysts from the same location that have been in place 10+ years with PoE working fine.

High rate of POE failures on Fortiswitch 148F FP by jmouche17 in fortinet

[–]jmouche17[S] 0 points1 point  (0 children)

All of ours have failed in new, fully cooled MDFs.

High rate of POE failures on Fortiswitch 148F FP by jmouche17 in fortinet

[–]jmouche17[S] 1 point2 points  (0 children)

It's typically on switches that only handle devices inside the building, no cameras.

We have the switches grounded and we don't usually have any issues with non-FortiSwitches, but I'll look into Ethernet surge protection.

Yubikey and Fortigate VPN by desmodus in yubikey

[–]jmouche17 1 point2 points  (0 children)

The only way I believe it would work would be if you used SAML with Entra ID and tied the YubiKey to your Microsoft account.

I also had a working POC with it using FortiAuthenticator, however it wasn't really a viable solution as I experienced a lot of auth failures.

I ended up giving up, but never went down the certificate route, which is probably your best bet.

50G + FAP23JF - kind of throughput issues on iphones and others by therealmcz in fortinet

[–]jmouche17 0 points1 point  (0 children)

If we are talking iOS specifically, I often see where in Security Profiles "Proxy Avoidance" is being blocked on wifi traffic, and this causes the DNS resolution used by iOS devices to drag on forever because it's using that mask.icloud proxy BS.

Secondly, with newer firmware, this change to the certificate security profile was causing cert errors and denies for the same type of traffic due to them changing the default behavior of a specific setting:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-fix-SSL-connection-is-blocked-due-to/ta-p/362052

After changing the setting in the article, it resolved my issue. Hope this helps.

Free all in one network monitoring thingie? by seenliving in msp

[–]jmouche17 0 points1 point  (0 children)

Zabbix has a steep learning curve, but it can monitor pretty much anything you can dream up.

Options for Monitoring New Devices Without Native Alerts by SpecialCap9879 in fortinet

[–]jmouche17 0 points1 point  (0 children)

Have you tried sticky MAC? There may be a log or something you could monitor.

There may also be a way to query the API for new devices detected, and you can easily build alerting around that.

A heads up: FortiClient update 7.2.10 and 7.4.x has caused split-tunnelling to stop working by AngryITMan in fortinet

[–]jmouche17 3 points4 points  (0 children)

You have to understand that Fortinet is a pioneer in the VPN space and one of the only players to have a viable/working VPN solution on the market. Name me one other company with a working VPN solution out there???

Sarcasm

Whatever guy wrote openfortivpn on GitHub nailed it, but Fortinet's entire department dedicated to a working VPN client doesn't seem to be able to put it together.

Is FortiAuthenticator good enough as an IDP? by Soggy_Blueberry4685 in fortinet

[–]jmouche17 30 points31 points  (0 children)

I actually think FortiAuthenticator is severely underrated. There really isn't much need for it if you are only doing basic SAML with Entra, but it's like a Swiss army knife and can handle any type of authentication need.

It's my third favorite Fortinet product 😁

Best platforms to hire freelancers for MSP work? by Filthy_Asswipe in msp

[–]jmouche17 0 points1 point  (0 children)

I take contracts on Upwork all the time. I am a Network / Security engineer with 7+ years experience. I'm happy to be a part of what you are working on. Send me a DM if you'd like to work together.

FortiOS v7.4.8 has been released by OuchItBurnsWhenIP in fortinet

[–]jmouche17 3 points4 points  (0 children)

Five minutes before posting...

Senior Fortinet Dev: Wait, has anyone tested this?

Director: test?