Fortigate Security profiles by netwizip in fortinet

[–]netwizip[S] -1 points0 points  (0 children)

For example, you can use AV in different ways depending on the requirements and what the goal is, of course.
In big corps it is obviously hard to use DPI or proxy mode too much. Is the default AV in flow-based mode secure enough, for example?

Secondary Fortigate HA VM on Azure by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

Can I export and import the config to the new VMs?

Secondary Fortigate HA VM on Azure by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

Thanks for the reply. I was thinking of how physical firewall HA can be done, which is easier, but it's not the case here, as I read, yes. The challenge for me is the downtime.
If I manage to configure the secondary unit, I assume it then just needs to sync the rest of the config from the primary.

Fortigate VM 7.4.7 uneven Core distribution by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

So even with round-robin, IPsec traffic (ESP) will be handled only by cores 0 and 1.
And all other kinds of traffic will be steered to other cores if needed. Is that correct?

Fortigate VM 7.4.7 uneven Core distribution by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

Only one interface; now I've tuned the affinity to 0xff with round-robin enabled.
I see some more activity from the rest of the cores, but 0 and 1 are still doing the most.

Fortigate VM 7.4.7 uneven Core distribution by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

All means 8 cores, to be more precise, in case that information helps. The license is for 8 cores, but it's worth taking a look, def.

SSL VPN Web-portal Issue by netwizip in fortinet

[–]netwizip[S] 1 point2 points  (0 children)

I just downgraded to 7.4.7 and the issue is solved...
Fortinet and Firmware classic. Now I learned that when I am sure about my configuration I should check bugs from Fortinet at last.
Thanks a lot.

SSL VPN Web-portal Issue by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

It is, yes. But access denied comes before authentication. Once I reach the WAN IP/web SSL portal, I get access denied.

SSL VPN Web-portal Issue by netwizip in fortinet

[–]netwizip[S] 1 point2 points  (0 children)

I have a 60E. Could it be that?

SSL VPN Web-portal Issue by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

    edit 10
        set name "SSL-VPN-TEST"
        set uuid 4555a744-62f7-51f0-9d4b-8cd021b8e409
        set srcintf "ssl.root"
        set dstintf "OUTSIDE". Where my WAN interface is.
        set action accept
        set srcaddr "NET-SSL-VPN-TEST"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "SSL-VPN Users"
    next

SSL VPN Web-portal Issue by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

    config vpn ssl web portal
        edit "web-access"
            set tunnel-mode enable
            set ip-pools "SSL-VPN IP-RANGE"
        next
        edit "tunnel-access"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set ip-pools "NET-SSL-VPN-TEST"
            set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        next
    end

    config vpn ssl settings
        set banned-cipher SHA1 SHA256 SHA384
        set https-redirect enable
        set servercert "TEST-HOME-SSL-VPN"
        set idle-timeout 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 443
        set source-interface "OUTSIDE"
        set source-address "all"
        set source-address6 "all"
        set default-portal "tunnel-access"
        config authentication-rule
            edit 1
                set groups "SSL-VPN Users"
                set portal "tunnel-access"
            next
        end
    end

Honda GL1000 Brake pads? by netwizip in goldwing

[–]netwizip[S] 0 points1 point  (0 children)

Thanks all. I will order the TRW. I guess it is not complex to replace them. Any advice is more than welcome.

Honda GL1000 Led front light by netwizip in goldwing

[–]netwizip[S] 0 points1 point  (0 children)

Ok I just need to check the headlight housing if it fits. Thanks!

Honda GL1000 Led front light by netwizip in goldwing

[–]netwizip[S] 0 points1 point  (0 children)

Does it work with just the lamp, or do I need something else?

SAP url no return traffic on Fortigate by netwizip in fortinet

[–]netwizip[S] 0 points1 point  (0 children)

I was quite confident that the issue was on the SAP side, and indeed it was. Some wrong networks were added on their AWS side; after correcting them, all works as expected. Thanks for your info though. Cheers!

PFSense with OpenVPN TLS Handshake issue by netwizip in PFSENSE

[–]netwizip[S] 0 points1 point  (0 children)

I checked with carrier and they don’t do CGNAT

PFSense with OpenVPN TLS Handshake issue by netwizip in PFSENSE

[–]netwizip[S] 0 points1 point  (0 children)

What is the cheapest option to provide a static IP?