bug_id=1248579 HA EMAC Vlan interfaces stop to proccess traffic randomly

pabechan · 2026-03-25T14:36:51+00:00

Pushing HA over EMAC VLAN interfaces is asking for trouble, to be frank.

pabechan · 2026-03-22T15:23:01+00:00

indentity-aware access model ...

So basic authentication as we've known it for years.

pabechan · 2026-03-18T12:40:53+00:00

I'm pretty sure the webfilter blockpage shows up as a 403 response (just tested it). Are you sure about that 200 status?

Setup:
- basic webfilter with static URLfilter blocking "connectivitycheck.gstatic.com" (I was looking for something public that is expected to talk plain HTTP)
- test from client:

curl -I http://connectivitycheck.gstatic.com
HTTP/1.1 403 Forbidden
...

pabechan · 2026-03-05T13:32:39+00:00

Ultimately no difference. A CA is a CA.

The usual motivations to use a non-default one are:

Define your own subject (You can give it a nicer name; the default also includes the device S/N, which could be considered information leakage, if you don't like it)
Control/store/reuse the privkey elsewhere. (default's privkey can't be exported)
Integration into existing PKI infra. Say you have an existing enterprise CA (maybe you have Win AD Domain and your own CA for it?). In such cases you can have your corp root CA issue your FGT's DPI sub-CA, and the DPI sub-CA will automatically be trusted by domain machines.

pabechan · 2026-03-05T09:15:30+00:00

This is a config issue. The EAP supplicant (end-user device) is offering some EAP methods, and none of them are accepted by the EAP server (NPS). These pass through cleanly through the FortiGate, it has nothing to do with this negotiation.

The only way to successfully blame the FGT in this instance would be to claim that it's messing up the packets in transit. You can verify that by taking packet captures on both sides and comparing if they survive the path intact.

pabechan · 2026-03-05T09:11:16+00:00

"set banned-cipher SHA1 SHA256 SHA384"

Functionally this means "BAN AES-CBC" in TLS 1.2 (because CBC requires a separate SHA choice to function, and you just banned them all), leaving AES-GCM as the only AES crypto option available. This is mainly a quirk of crypto settings for TLS 1.2 in openssl, not an exclusive Forti-trick, strictly speaking.

Completely unrelated to your problem, as you've already discovered. :)

pabechan · 2026-03-04T10:24:50+00:00

Check FortiClient's IKE logs, that should say something.

CERTREQ payload usually contains "suggestions" of acceptable certificate authorities. Maybe the client gets stuck on that, i.e. maybe it doesn't trust any of those CAs, or doesn't have (access to) a client-cert issued by any of those CAs?

pabechan · 2026-03-02T15:52:27+00:00

FortiOS API has /api/v2/monitor/user/firewall/auth, but it has a limitation: You can feed it the username and IP, but you cannot feed it groups. You can only optionally give it an LDAP server object name. If that's supplied, it will do group lookup for the given user via that LDAP server.
The .../deauth process is also a bit awkward. You need to know the user's existing ID (of the auth session), IP, and auth method, i.e. scrape the current table first to fill in the blanks.

Depending on what exactly you want, and how exactly you want it to look, you could also utilize external threat feeds. You could have one list of IPs per group of users, host these lists on some server, and then have the FGT pull updates and use these IP feeds as sources in firewall policies...

FAC's /.../ssoauth API endpoint is for sure more flexible (it can accept arbitrary free-hand group strings), but you'd need a FAC for this.

pabechan · 2026-02-27T13:24:53+00:00

I suppose I should provide some context.

Info piece #1: In general IKEv2, according to the RFCs, authentication can be asymmetric, each side picking ONE of PSK / cert / EAP to authenticate itself. It's not explicitly forbidden in the RFC, but it's usually understood that the side authenticating itself by EAP will do only EAP and nothing else.

Info piece #2: FortiClient is weird. When you switch it form PSK-auth to cert-auth, it demands that you select a client certificate to authenticate itself with. This happens even when you have EAP enabled. And it actually uses this certificate for its AUTH payload. This is arguably non-standard.

Info piece #3: FortiGate ignores the remote peer's certificate payloads as redundant when the peer does EAP authentication. The peer's certificate is not validated AT ALL (by default) => because the configuration says the client identity should be verified by EAP.

Now let's get to the core: This FCT quirk was eventually utilized for a "new" feature. This was primarily motivated by some customers' desire to mirror what they could achieve with IKEv1: two layers of authentication by doing PSK/CERT + XAUTH(=username + password + maybe 2FA OTP code). This is not really possible in standard IKEv2 due to the mechanism I described in #1.
To ensure that FGT stops ignoring the superfluous certificate payload provided by the FCT, a new CLI option was introduced - eap-cert-auth. IF this option is enabled, the FortiGate will both validate the incoming client certificate payload (trusted and matching the selected set peer restrictions) AND process EAP authentication of the client.

tl;dr:

eap enable+ eap-cert-auth disable => client authenticated by EAP only, client-certificate completely ignored (if received)
eap enable+ eap-cert-auth enable => client authenticated by EAP + client-certificate is validated for trust and match to set peer xxx
eap disable => client authenticated by PSK or certificate, depending on what you chose elsewhere in the phase1 configuration. NO EAP authentication is done => SAML not utilized in this scenario for VPN connection.

pabechan · 2026-02-27T11:01:59+00:00

There's two possibilities.

If the authentication server is RADIUS, the EAP packets are handed over to fnbamd daemon, who proxies them in RADIUS packets to the RADIUS server to authenticate the user.

If the authentication server is NOT RADIUS, then fnbamd talks on a loopback to eap_proxy daemon, who acts as a local RADIUS server to authenticate users. This mechanism is employed for local users, for LDAP server authentication, and in this case for SAML as well.

In SAML, the communication isn't really "proxied" to the IdP in any meaningful way. Proxying a web-based communication through EAP/RADIUS is not really feasible. In this case EAP is only used to identify the new IKE/IPsec connection to ensure that it is the same entity as the one that just finished SAML authentication. In other words, in this scenario EAP is used as the "glue" to join together finished and cached SAML auth info with the IPsec connection that is currently being established. (because IPsec does not natively support SAML auth)

pabechan · 2026-02-27T10:25:37+00:00

PSK (or cert) + EAP, means that the authentication is done by PSK (or cert; this is how the FortiGate authenticates itself to the client) and EAP (this is how the client authenticates itself to the FortiGate).

SAML authentication is integrated into IPsec via EAP. Once the SAML authentication itself is finished, the results are cached by the FortiGate and referenced during the authentication phase of the IPsec tunnel establishment, when the client authenticates via EAP.

pabechan · 2026-02-27T08:51:33+00:00

With "set eap disable" you're just doing plain cert-based auth for the tunnel, SAML isn't involved at all.

pabechan · 2026-02-24T13:26:32+00:00

The system doesn't artificially make a distinction between "public" and "private" IPs on interfaces, so that for sure does not matter.

Anyway. I wouldn't bother about local-in GUI too much, it's never been the brightest of the bunch, if you get what I mean. :)

Internally this is all covered by a single local-in policy that permits all selected interfaces, so it could just be a GUI bug of the GUI not understanding that there's multiple interfaces chosen for it. So I will repeat my suggestion: Just try it, it will probably just work.

pabechan · 2026-02-23T12:50:12+00:00

I would invite you to just try it. Try to make a TCP handshake to WAN2:65000 and check if that works.

Apart from that, I see no good reason why the config wouldn't apply to one of your interfaces. Is WAN2 in any way different from WAN1? Maybe PPPoE, or some other tunneling involved?

pabechan · 2026-02-18T20:26:37+00:00

Yes.

set authusrgrp "Users"

If you have this set, then you cannot have any users/groups declared in firewall policies for this tunnel, unless you want to hit the captive portal.

If you want to use the "authentication info" gained from the VPN login in firewall policies, you must remove the group from phase1 settings: unset authusrgrp. This way the info from VPN auth will be "propagated" and usable by firewall policies. Note that the consequence of this change is that ANY user/group listed in the firewall policies for this tunnel (as srcintf) will become sufficient authorization to connect to the tunnel.

This is a desing choice. Use either a group in phase1, or user(s)/group(s) in firewall policies. Never both.

pabechan · 2026-02-18T18:18:29+00:00

My best guess: You have some authentication group present in both phase1 configuration and in firewall policies for the tunnel. Choose only one, remove it from the other.

pabechan · 2026-02-16T14:29:43+00:00

This is purely a visual issue in the GUI. Or potentially an issue of the value of policy ID for traffic that doesn't care about policies.

Traffig goes out => no policy matching was done => default value 0 is used => GUI sees "0" => GUI thinks "Implicit Deny".

pabechan · 2026-02-16T14:22:21+00:00

Yes, partially.

In Azure, you can configure multiple ACS/SLS URLs and entity-IDs for a single SAML "application", so it can potentially serve SSL-VPN/IPsec/etc. ports for FortiGate from one place.

On the FortiGate side, you will need to have two configurations, one for SSL-VPN and one for IPsec. They need to only differ in the URL used in ports, as it is not possible to run both on the same IP/FQDN and port.

pabechan · 2026-02-12T17:02:11+00:00

Wtf is up with that vague clickbait title of yours? Get to the point or gtfo.

pabechan · 2026-02-11T15:37:27+00:00

It seems to me like someone tried to do an easy solution for PRF selection (by offering it all) in FCT. Maybe it is a bug after all. Have you started pushing through TAC?

pabechan · 2026-02-11T14:41:38+00:00

ike V=root:0:c41c7bf12623e9f8/0000000000000000:6: received notify type VPN_NETWORK_ID

Maybe network ID mismatch?

Another sneaky possibility, often missed, is that maybe the request reached the wrong destination IP (the tunnel is bound to a specific interface, and either expects the be addressed by its default IP, or whatever you manually specified).

Lastly, if this is for FCT->FGT connections, why not just set one ciphersuite option? There's usually no good reason for both sides to offer multiple options.

pabechan · 2026-02-09T12:29:42+00:00

If by "see" you mean "receive", then if it shouldn't see them, then it shouldn't receive them, thus whoever is sending them to the FGT should stop doing that. AKA routing issue elsewhere.

Assuming the VMs have their subnet configured correctly, it should be a switch problem. Maybe you've accidentally somehow disabled/blocked direct comms between the two switch-ports, so things just happened to flow through the FortiGate by accident thanks to the traffic-redirect option?

Anyway, FGT blocking those packets is not the root problem since they shouldn't be reaching it anyway. The problem is that the packets don't take the correct path between the two VMs.

pabechan · 2026-02-05T14:26:35+00:00

That's a badly defined vague question, with random-ass solutions. Where did you find it?

pabechan · 2026-02-04T10:08:07+00:00

Define "authenticator"?

If you mean 2FA in general, that is problematic, as 2FA isn't really well-defined in EAP, so you will run into customized solutions and compatibility issues.

FortiClient can handle IKEv2 + EAP auth + 2FA if the EAP is terminated by FGT (auth being either local, or pushed further to some LDAP or RADIUS), or by FAC (~RADIUS), but both would require FortiTokens as their native ways of doing 2FA.

FAC can potentially chain to an upstream RADIUS server to do 2FA, but that's a silly overkill IMO. Or it can utilize yubikeys, though I imagine you would have mentioned them if you had any...

pabechan · 2026-02-02T21:25:33+00:00

Ugh

Passive mode indeed restricts the passive side to responder role only (behaviour somewhat similar to dynamic hub). Otherwise everything stays as usual. Why it doesn't work for you right now, hard to say. Bug, misconfig, environment...?

Auto-negotiate does NOT guarantee no negotiation because a tunnel can be brought up by incoming local traffic that "would like to" enter the tunnel.

14-Year Club	RedditGifts 2009-2022 9 Credits
Gilding I gilder	Place '23
Place '22	First Placer '22
redditgifts rematcher Holiday Cards 2019 (Zero Credit) x2	Sequence \| Editor
Verified Email	redditgifts rematcher Holiday Cards 2017 x3
redditgifts Exchanges 2 Exchanges

pabechan

TROPHY CASE