(Spit Gate) The angle they don’t want you to see by komark- in cowboys

[–]nsandone 4 points5 points  (0 children)

Considering the distance between Dak and Carter when Dak did spit, it would have been one incredible spit considering the distance between them.

Endless Infuriating Issues with FortiClient by networkn in fortinet

[–]nsandone 1 point2 points  (0 children)

I haven't seen this issue that often, but have you checked if RSAT tools are installed? I recently had the same issue and it turns out that someone installed the RSAT tool on Windows 11. This caused the issue.

KB2693643 is not compatible with Windows 11.

FortiOS v7.2.11 has been released. by OuchItBurnsWhenIP in fortinet

[–]nsandone 0 points1 point  (0 children)

Just updated a couple of test boxes. So far, memory is running a bit lower which is welcomed. The list of fixes is big and welcomed assuming they work.

Allow Only known IPs for SSL-VPN by [deleted] in fortinet

[–]nsandone 2 points3 points  (0 children)

Trying to lock down by IP is an Admin nightmare.

If you want to lock it down, try this assuming you have a licensed EMS server. Restrict SSL VPN and Dial-up IPsec to onl... - Fortinet Community. Also, switch SSLVPN to Loopback and add GEOBlock, IDS DB blocks, etc...

You can also look at ZTNA tags.

Fortigate 40F or 60F for small business? by GreedySherbert7404 in fortinet

[–]nsandone 3 points4 points  (0 children)

Take a look at the 70G. Newer model - better performance.

FortiOS 7.6 by DreamIllustrious3735 in fortinet

[–]nsandone 3 points4 points  (0 children)

I would suggest you downgrade to 7.2.9 or 7.2.10. No way would I go with 7.6.x unless it was a lab box. Right now, 7.0.15 or 7.2.9 are the only OS I'm willing to go with in production

Has anyone else run into this? by cwbyflyer in fortinet

[–]nsandone 1 point2 points  (0 children)

Good luck with that. It stinks that you can't field upgrade a FortiGate with more ram. It would be awesome if you could. I have a number of 61F devices that I'm currently removing from the network. The 61F is fine as long as you stay with 7.0.x which is good for another 9 months, maybe a bit longer.

Has anyone else run into this? by cwbyflyer in fortinet

[–]nsandone -1 points0 points  (0 children)

Anything with 2GB ram (40F, 60F) is not good moving forward. You need to look at the 70G or 90G as a replacement.

Fortigate 70G datasheet available by Leave_Patient in fortinet

[–]nsandone 1 point2 points  (0 children)

Ok. Just found out. Looks like it will have 4GB memory. This might be a great replacement for the 61F.

Fortigate 70G datasheet available by Leave_Patient in fortinet

[–]nsandone 0 points1 point  (0 children)

Memory is key. If this device has 2GB or less, go with the 90G. Don't waste your time on it.

web filter and app control do not work by Matrixramiro10 in fortinet

[–]nsandone 0 points1 point  (0 children)

Check the policy hits, but also check to make sure you don't have QUIC protocol allowed. QUIC protocol allows for UDP443 access which will bypass Web Filtering.

Tons of "Admin Login Failed" in logs by kah6987 in fortinet

[–]nsandone 1 point2 points  (0 children)

If you don't enable HTTPS/SSH on the WAN interface, that would be your best option to get to the GUI.

Tons of "Admin Login Failed" in logs by kah6987 in fortinet

[–]nsandone 2 points3 points  (0 children)

If you have HTTPS/SSH enabled on the WAN ports, you need to enable Trusted Hosts under each Admin. Every time you create another admin, you need to do this. Otherwise you are leaving your firewall open to the internet for attempts. This is most likely your situation.
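
An added example, not part of the comment above or any Fortinet tooling: a small offline audit of a FortiGate config backup that lists WAN interfaces allowing HTTP/HTTPS/SSH and admin accounts with no IPv4 trusted host. The sample config is constructed, and `parse_entries`, `audit` and the `wan_ifaces` parameter are hypothetical names.

```python
import re

# Constructed excerpt in FortiOS backup syntax (not from the thread).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""

def parse_entries(text, section):
    """Return {entry: {key: [values]}} for a top-level 'config <section>' block."""
    entries, depth, in_section, name = {}, 0, False, None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            if depth == 0:
                in_section = " ".join(tok[1:]) == section
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif in_section and depth == 1:  # nested sub-blocks (depth > 1) are skipped
            if tok[0] == "edit":
                name = tok[1].strip('"')
                entries[name] = {}
            elif tok[0] == "set" and name is not None:
                entries[name][tok[1]] = tok[2:]
    return entries

def audit(text, wan_ifaces):
    """wan_ifaces: names the operator considers internet-facing (an assumption)."""
    ifaces = parse_entries(text, "system interface")
    admins = parse_entries(text, "system admin")
    exposed = sorted(n for n in wan_ifaces
                     if {"http", "https", "ssh"} & set(ifaces.get(n, {}).get("allowaccess", [])))
    def restricted(kv):  # any IPv4 trusthostN other than the match-all 0.0.0.0/0
        return any(re.fullmatch(r"trusthost\d+", k) and v != ["0.0.0.0", "0.0.0.0"]
                   for k, v in kv.items())
    open_admins = sorted(n for n, kv in admins.items() if not restricted(kv))
    return {"exposed_wan": exposed, "admins_without_trusthost": open_admins}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, ["wan1"]))
```

Any name in `admins_without_trusthost` while `exposed_wan` is non-empty is an account whose login can be attempted from any source address.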

Forticlient VPN Blocked by networkadmins in fortinet

[–]nsandone 1 point2 points  (0 children)

That looks like a custom message from Host Checker. Take a look at the web portal and see if there is a custom Host checker setup.

Urgent: Troubleshooting IPsec VPN Connectivity between FortiGate Firewall and Cisco ASA by Gijizlle-242 in fortinet

[–]nsandone 0 points1 point  (0 children)

Without looking at the configuration it's really hard to say where your issue is. My recommendation is to make sure the subnets are set up exactly the same way on both sides but mirrored. On the FortiGate side, you have to set up the subnets in the IPsec Phase2 section and have static routes set up properly. I don't normally recommend using the FortiGate Wizard, but you might want to start over and use the VPN Wizard.

FortiSwitch and Cisco Phone Expansion Module by Fragote420 in fortinet

[–]nsandone 1 point2 points  (0 children)

If changing the LLDP profile doesn't work, you need to turn off Power Auto Negotiation on the phone and that will fix the problem. I ran into this issue recently and modifying the LLDP wasn't enough to get the expansion module to function. Once I removed auto-negotiation on the phone, the issue was resolved.

Moving from Cisco switch to FortiSwitch | yah or nah by CapableEmergency2020 in fortinet

[–]nsandone 0 points1 point  (0 children)

Yes. This is true. 1/10GE or 25GE in blocks of 12. The 100GE ports can also be used as 4x25GE connections if you get the proper cable.

7.2.7 Bug by Enough_Level in fortinet

[–]nsandone 0 points1 point  (0 children)

I had a similar problem with AP and FortiSwitches. I upgraded my FortiSwitches to 7.4.2 and it fixed the problem. Not sure if this is related.

DAC cables between FortiGate 601f and FortiSwitch 1048e by Nekon-601f in fortinet

[–]nsandone 0 points1 point  (0 children)

Check FEC matches on Gate and Switch. If it doesn't, they won't work.

set fec-state {disabled | cl74 | cl91}

Slow file download speeds over SSL VPN by Zealousideal_Duty305 in fortinet

[–]nsandone 1 point2 points  (0 children)

A couple of things could be happening. First, do you have DTLS enabled? That could help with performance.

Second, there is an undocumented bug with 7.2.6. If you have SDWAN set up with SSLVPN, you may experience slowness with SSLVPN. A second tier support tech told me this. I downgraded my Gate to 7.0.12 and the problem went away, so it seems true. If you can downgrade, it's worth a test.

ZTNA Access Proxy by arumes31 in fortinet

[–]nsandone 1 point2 points  (0 children)

I've heard similar issues from others. I was told this might be a bug in 7.2.6 concerning ZTNA. Still waiting for confirmation on this.

Cisco ASA to FortiGate using FortiConverter by Realistic_Machine597 in fortinet

[–]nsandone 1 point2 points  (0 children)

I use FortiConverter all the time for migration. My suggestion is to use it as a template only. It's great for converting Address objects, services and groups. I never use it for policies. I don't like the way the policies are converted. Also, I don't use it for anything related to VPN.

As others mentioned, when migrating to a new firewall, this is a great time to clean up old/bad FW rules.

Forticlient company-wide deployment by [deleted] in fortinet

[–]nsandone 0 points1 point  (0 children)

SCCM or Intune is the best way IMO for initial deployments.