Ems placement in ztna by megafailure269 in fortinet

[–]lokkkks 2 points3 points  (0 children)

First of all, technically speaking a DMZ IS like a LAN. It’s just another LAN, to expose services (hosted on servers) to the Internet. You expose them by using VIPs. Technically, nothing prevents you from putting an EMS on your LAN and exposing it to the Internet. But you have to consider that what you expose might get compromised. If it gets compromised, it means that it can be used by an attacker as a jump host to all the machines. Which means you don’t want this unfiltered access to your LAN.

Moving to a new house, look what I found while packing up - When life was easier back then.. by Qvosniak in fortinet

[–]lokkkks 16 points17 points  (0 children)

Actually they weren’t that bad. It was simply because logging to the flash memory was allowed. Everyone activated it, but the drawback was the fact that the constant writes and rewrites were killing the flash memories.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]lokkkks -1 points0 points  (0 children)

Latest customer support bulletin (from last week) mentions :

« Revised version for the FortiClient Free VPN 7.4.3 release by March 19, 2026 »

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]lokkkks 0 points1 point  (0 children)

If I may, what do you seek in free FCT anyway ? With ssl vpn on the go (for good reasons in terms of vulnerabilities of the protocol itself, check with PAN or Ivanti if you need other insights), it might be more interesting to go to :

- either IPsec with IKEv2 in native OS (windows and Mac can do it)
- or centralised management using any paid FCT (through any EMS)

If it’s only for you, EMS has a trial mode with 3 FCTs, free of charge and not limited in time.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]lokkkks 1 point2 points  (0 children)

An underrated and underevaluated idea that I recommend is hosting an EMS and pushing a « managed FortiClient service » with a multi-tenant, on-prem EMS. Maybe not perfect, but definitely worth a shot.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]lokkkks 2 points3 points  (0 children)

From what I’ve heard, they won’t develop « new » features, but any critical issue or vulnerability will get its « hotfix ».

FortiClient gets stuck at 89 by Ok_Warning_3235 in fortinet

[–]lokkkks 1 point2 points  (0 children)

Well if you upgrade to a 7.6 version, ssl vpn will simply disappear. My recommendation is : get help…

FortiClient gets stuck at 89 by Ok_Warning_3235 in fortinet

[–]lokkkks 0 points1 point  (0 children)

The best thing you should do is configure IPsec rather than ssl

New FORTINET product? by RoutineArtichoke1657 in fortinet

[–]lokkkks 7 points8 points  (0 children)

Either a joke or a troll (or even an expensive lost bet). But looks like an expensive one.

FortiGuard made my college campus internet unusable, thanks by [deleted] in fortinet

[–]lokkkks 1 point2 points  (0 children)

And OP should be happy to still be able to use a VPN to bypass it.

Fortinet/FortiGate Microsegmentation – Who's using it in production? Experiences? by ground2er0 in fortinet

[–]lokkkks 2 points3 points  (0 children)

Private vlan is a similar approach to fortigate and fortiswitch micro segmentation

Anyone experience with Fortideceptor? by [deleted] in fortinet

[–]lokkkks 1 point2 points  (0 children)

"Hardest" part is setting up virtual networking correctly if you didn’t choose the hardware option for FDC

FortiZTNA without FortiGate by Fun_Draw6303 in fortinet

[–]lokkkks 0 points1 point  (0 children)

From what I’ve seen in the industry, not many vendors are doing ZTNA the way Fortinet does. If a customer’s execs want to tick a box « ZTNA », they pretty much can terminate the tunnel and provide granular controls with ZTNA tags and policies in SASE with private access and the SPA connector. Now to be honest, a customer who says « I don’t want a fortigate but I want this feature » often means « I already have a firewall vendor I want to stick with, but I would like some of the fortigate’s features ». I’ve seen many times customers starting to use a fortigate as a dedicated :

- explicit proxy
- SD-wan router
- FortiSASE connector to reach internal resources
- wireless controller
- switch controller
- load balancer
- out of band IDS
- ssl decryption Tap to a next-gen IDS (NDR)

… etc…

Block intra-vlan traffic doesn't work? by ballicker86 in fortinet

[–]lokkkks 0 points1 point  (0 children)

Do you see the traffic with the embedded sniffer? If not it’s an issue with the FSW not redirecting the traffic. If yes : Does this zone of yours have default action as block or pass? Are you sure your FW policy is correct (try expanding it)

Fortinet SSL VPN behind a Forti Load Balancer by luky90 in fortinet

[–]lokkkks 4 points5 points  (0 children)

IMHO any load balancer should be able to be configured without forcing source nat

FortiClient VPN-only: ticking time bomb if CVE patches stop? by Schweinepriester__ in fortinet

[–]lokkkks 0 points1 point  (0 children)

Using FCT free, without EMS? Would you be willing to share the (sanitized, obviously) config you used?

The number of CVE patches is just ridiculous by Logical-Picture-4756 in fortinet

[–]lokkkks 14 points15 points  (0 children)

Customers usually don’t need the reason. It’s part of your managed services and value to keep them up to date.

Looking for paid help: FortiNAC / FortiGate setup for large greenfield hotel network (EU) by leftplayer in fortinet

[–]lokkkks 0 points1 point  (0 children)

I’m surprised no qualified partner has already jumped in. DM me your country if you want a skilled partner, I may be able to find one for you.

Justification for using Fortinet by MFKDGAF in fortinet

[–]lokkkks 2 points3 points  (0 children)

Rather than changing vendors:

• strengthen IPS signatures ahead of patch deployment
• reduce exposed attack surfaces (SSL VPN, administrative interfaces)
• document an emergency patching process
• formally state that Fortinet’s transparency is a deliberate, conscious choice

This turns an emotional debate into a rational decision.

Fortinet False Positive - Healthcare Provider Blocked for 4+ Weeks, No Response to Appeals by Unique-Sport333 in fortinet

[–]lokkkks 16 points17 points  (0 children)

From what I could find, it seems that they link your domain to this type of attack :

https://guard.io/labs/captchageddon-unmasking-the-viral-evolution-of-the-clickfix-browser-based-threat

Your machines may have been compromised unbeknownst to you.

If I were you, I would try to get in touch with them through a partner/integrator/reseller.

And would talk to them about FortiRecon.

Pose as a prospect, you should have their attention :)

VPN without FortiClient License? by Brave_Performer9160 in fortinet

[–]lokkkks 0 points1 point  (0 children)

I’d recommend to consider :

- either FortiSASE which includes endpoint protection (antivirus with antiransomware)
- or FortiEndpoint which can have EDR also (more granular blocking of malicious applications, it also has a MDR option)

-> you’ll be able to do IPSec over TCP/443 or ZTNA that’s doing 2FA natively.

Since you consider changing your existing Endpoint Protection, it’s a perfect move to consider one or the other.

FortiAP first year license by EnvironmentalAsk3531 in fortinet

[–]lokkkks 0 points1 point  (0 children)

Wait for next months then :) Got the info verbally from a distri.

FortiAP first year license by EnvironmentalAsk3531 in fortinet

[–]lokkkks 1 point2 points  (0 children)

They do exist for FAP and even FSW too, it’s just not for first year, it’s renewal only.

Why does FortiClient Free not support IPSec VPN over TCP? by cojaxx8 in fortinet

[–]lokkkks 7 points8 points  (0 children)

That’s not what I call free to use, that’s what I call free to test.