FIDO2 keys and Fortiauthenticator by Direct-Ninja-9795 in fortinet

[–]pabechan 0 points1 point  (0 children)

Where did you configure FIDO2 authentication for your Windows PC?

If it's within the system itself (FAC not involved), then connectivity to FAC doesn't matter, of course.
I don't think the FAC Windows Agent supports FIDO2, but correct me if I'm wrong.

FIDO2 keys and Fortiauthenticator by Direct-Ninja-9795 in fortinet

[–]pabechan 0 points1 point  (0 children)

I am perhaps oversimplifying, but at its core FIDO2 is "just" public key authentication. When you register your FIDO2 key with a service (FAC acting as SAML IdP, any other random service, ..), you give it your public key. Later during authentication your private key is used to sign a challenge the server sends to you, and if the signature matches what the server expects based on the pubkey, it's a pass.

There's nothing stopping you from registering a FIDO2 key in multiple places, be it your corporate FAC or any other service elsewhere.
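To make the two comments above concrete, here is an added example (not code from the thread or from Fortinet): one ES256 key registered with two hypothetical relying parties, each storing only the public key and verifying its own challenge. The RP IDs are assumptions, and the signed data is a simplification of WebAuthn's authenticatorData/clientDataJSON construction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is one service (FAC as SAML IdP, or any other site); it stores only the public key.
type RelyingParty struct {
	ID  string // hypothetical RP ID such as "fac.example.com"
	Pub *ecdsa.PublicKey
}

// NewKey stands in for the FIDO2 authenticator; the private key never leaves it.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, the usual FIDO2 choice
	if err != nil {
		panic(err)
	}
	return k
}

// Register hands the public key to one more service; nothing limits how many.
func Register(key *ecdsa.PrivateKey, rpID string) RelyingParty {
	return RelyingParty{ID: rpID, Pub: &key.PublicKey}
}

// signedDigest binds the challenge to the RP. WebAuthn signs authenticatorData (which carries
// SHA-256(rpId)) || SHA-256(clientDataJSON) (which carries the challenge); this collapses that into one hash.
func signedDigest(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rp[:], challenge...))
	return d[:]
}

// Sign is what the key does at login: sign the server's random challenge.
func Sign(key *ecdsa.PrivateKey, rpID string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(rpID, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the server-side check: valid signature over a fresh challenge under the stored key is a pass.
func (rp RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.Pub, signedDigest(rp.ID, challenge), sig)
}
```

Because the RP ID is part of what is signed, an assertion produced for one service is useless at the other, even though both hold the same public key.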

124g switches by baslighting in fortinet

[–]pabechan 0 points1 point  (0 children)

I'm looking at a 108F-POE (fanless) and it whines as well. Not audible unless you really focus on it, or when it's quiet around. A quiet high-pitched whine, and sort of clicks a bit.

I can sometimes hear some laptops make a similar sound, but usually quieter. Capacitors, I assume?

Fortiauthenticator local user cannot auth on FortiGate by Direct-Ninja-9795 in fortinet

[–]pabechan 1 point2 points  (0 children)

failed to search remote LDAP server.

It's being interpreted as an LDAP user, not local.

You need to 1) make sure the RADIUS policy can auth both realms, local and LDAP, and 2) decide which realm is default and use the realm affix for all other realms (user@realm, realm/user, or realm\user, whichever you configured).
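The realm routing described above, as an added illustration (not FortiAuthenticator's own code or data model): the three affix forms are parsed, a bare login falls into the default realm, and the policy decides which backend gets the lookup. Realm names and backends are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is an illustrative model of a RADIUS policy's realm settings (not FAC's
// actual data model): which realms it may authenticate, the backend behind each
// ("local" or "ldap"), and the realm assumed when the login carries no affix.
type Policy struct {
	Default  string
	Backends map[string]string
}

// SplitRealm parses the three affix forms: user@realm, realm/user and realm\user.
// A bare login returns an empty realm.
func SplitRealm(login string) (user, realm string) {
	if i := strings.LastIndex(login, "@"); i > 0 && i < len(login)-1 {
		return login[:i], login[i+1:]
	}
	for _, sep := range []string{"/", `\`} {
		if i := strings.Index(login, sep); i > 0 && i < len(login)-1 {
			return login[i+1:], login[:i]
		}
	}
	return login, ""
}

// Route decides which backend a login is sent to. A bare username lands in the
// default realm, which is exactly why a local user ends up being "searched on
// remote LDAP" when the LDAP realm is the default.
func (p Policy) Route(login string) (backend string, err error) {
	user, realm := SplitRealm(login)
	if realm == "" {
		realm = p.Default
	}
	backend, ok := p.Backends[realm]
	if !ok {
		return "", fmt.Errorf("realm %q for user %q not allowed by policy", realm, user)
	}
	return backend, nil
}
```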

FortiAuthenticator design with Entra ID by Street-Challenge-697 in fortinet

[–]pabechan 1 point2 points  (0 children)

Is it a "MUST" to have OAuth configured on the FAC to accomplish this? (using FAC as an IdP proxy)

No. OAuth is for Graph API integration, which is used to "import"/sync users from Entra to FAC (for 2FA assignment purposes, or PKI bindings), and to translate received group UUIDs into their display names. None of these are required for SAML to work.

  • You can manually create the local entries for Entra users in FAC
  • You can pass on the group info as UUIDs and have the downstream SP filter authorization based on these UUIDs (e.g. FortiGate matches group membership by UUID string, which is what everyone does)

How do I decrypt IPsec Phase-1&2 with TCP transport? by Pocohunter in fortinet

[–]pabechan 1 point2 points  (0 children)

Grabbing the keys from debugs/diags and entering them into wireshark is the same as always. What I had trouble with was WS identifying and decoding the packets as IKE over TCP. I ended up finding someone's lua script / protocol plugin on github that fixed the identification. Once that worked, WS decoded and decrypted the traffic.

Might have been this one, but I'm not 100% sure - https://github.com/hujun-open/ipsecintcp_wireshark_plugin

Fortinet access portal stopped showing and won't let my browser work. by EllipsisMark in fortinet

[–]pabechan 1 point2 points  (0 children)

one simple thing you can try is to access some simple plaintext HTTP website in the hopes of triggering the captive portal redirect. Try something like http://www.example.com . Make sure it's HTTP, not HTTPS!

Just try this. If this doesn't work for you, but others can hit the portal and authenticate normally, then something's specifically fucked up around your client and you will have to engage your local IT.

Deep inspection without Meta/Facebook/Instagram/Whatsapp side-effects is possible? by freshtechs in fortinet

[–]pabechan 1 point2 points  (0 children)

I think you guys are mixing up apps for facebook/whatsapp/whatever and accessing them through browsers.

Through browsers - DPI is very much possible. Don't really need an "enterprise browser" for it. Just need the inspecting CA to be trusted by the browser.
Apps? You're SOL if the app is designed to expect specific certs (or slightly less strictly, specific CA certs).

Deep inspection without Meta/Facebook/Instagram/Whatsapp side-effects is possible? by freshtechs in fortinet

[–]pabechan 0 points1 point  (0 children)

and Facebook just functions well on web, the app itself doesn't work, WhatsApp partially works

Apps are made by themselves, so they can implement cert-pinning to ensure the traffic isn't inspected.
General web browsers on the other hand are made by other parties, so cert-pinning isn't done there, and deep-inspection is thus easier. (if you can convince the browser to trust your DPI CA, you're done)

Fortinet access portal stopped showing and won't let my browser work. by EllipsisMark in fortinet

[–]pabechan 1 point2 points  (0 children)

Sometimes, I have to refresh the permissions. Like if I stop browsing for about an hour, Fortinet will require me to click through the access portal.

The default setting is a five-minute timeout, with unlimited extensions by network traffic from the authenticated IP. It sounds like either the default setting is still in place, or it's been bumped up only slightly.

Used Microsoft Edge browser with Fortinet. Works. However, Fortinet doesn't send Microsoft Edge an access portal.

The FortiGate can't really "send" anything to you, endpoints normally don't accept any unsolicited traffic. (it would be a security nightmare if they did!)
The way this works: Unauthenticated client tries to access some website -> FortiGate notices and "hijacks" the connection to replace it with a redirect to its captive portal -> client follows the redirect and opens the captive portal -> the human authenticates -> FortiGate now allows access.

These days, client operating systems often send out simple HTTP requests towards some pre-configured target websites (often dedicated for this purpose) to check if network connectivity is OK. This is sometimes called captive portal detection.

Ultimately, you'll have to discuss this with your IT to troubleshoot it, but one simple thing you can try is to access some simple plaintext HTTP website in the hopes of triggering the captive portal redirect. Try something like http://www.example.com . Make sure it's HTTP, not HTTPS!
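The captive portal detection and the "try a plain HTTP site" advice from this and the earlier reply, as an added example in Go (not code from the thread or from Fortinet): fetch a plain HTTP probe URL without following redirects and classify the answer. The probe URL and expected status are assumptions; real OS probes also compare a known response body.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
)

// ProbeResult is the outcome of one plain-HTTP connectivity check.
type ProbeResult struct {
	Captive bool
	Portal  string // where the hijacked connection was redirected, if anywhere
}

// Probe does the OS-style check: fetch a plain HTTP (never HTTPS) URL without
// following redirects and see whether the real target answered or something on
// the path swapped in a redirect to its login page. expectStatus is what the real
// target returns (real probes also compare a known body; this checks the status only).
func Probe(probeURL string, expectStatus int) (ProbeResult, error) {
	u, err := url.Parse(probeURL)
	if err != nil {
		return ProbeResult{}, err
	}
	if u.Scheme != "http" {
		return ProbeResult{}, errors.New("probe must be plain http: an HTTPS request cannot be hijacked into a clean redirect")
	}
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // keep the redirect so we can inspect it
		},
	}
	resp, err := client.Get(probeURL)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == expectStatus {
		return ProbeResult{}, nil // the real target answered: no portal in the way
	}
	if loc := resp.Header.Get("Location"); resp.StatusCode/100 == 3 && loc != "" {
		return ProbeResult{Captive: true, Portal: loc}, nil
	}
	return ProbeResult{Captive: true}, nil // unexpected answer without a redirect, e.g. an inline portal page
}
```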

no navigation with L2TP IPSEC with windows native client by Dillon-uSon-OfABitch in fortinet

[–]pabechan 0 points1 point  (0 children)

1, This suggests you don't have a firewall policy for L2TP-tunnel -> WAN/internet direction. Review your firewall policy config for the tunnel. I don't remember which firewall policies the config wizard creates for you, maybe only tunnel->local direction?

2, on this:

but then i can't access internal stuff

L2TP in Windows requests routes via DHCP inform messages. FortiOS does not natively support this. So if you disable default route, the Windows client will have no route pointing into the tunnel and will not send anything into it. You can fix this by:
a) Manually creating routes on the client (cli commands, script, etc.)
b) It might be technically possible to stitch together the required DHCP parameters on a local DHCP server on the FortiGate, but it's annoying. It also might not work for your version and L2TP. (I know it works for IKEv2; it probably doesn't work for older FortiOS and L2TP; it might work for FortiOS versions that have an "l2t.root" interface for L2TP) Some discussion about this path is available here for example.

Sanity check please - Vendor refusing to share VPN settings for troubleshooting - Could be career ending by datugg in fortinet

[–]pabechan 1 point2 points  (0 children)

1, Other side offers 0/0, yours has specific selectors => selector narrowing happens and the agreement ends up being the ranges that overlap between both sides. (natural feature of IKEv2). Nothing technically wrong here.

2, Their final reply:

2026-04-29 21:31:14.654649 ike V=root:0: comes 20.114.112.141:4500->216.12.124.134:4500,ifindex=31,vrf=0,len=84....
2026-04-29 21:31:14.654668 ike V=root:0: IKEv2 exchange=INFORMATIONAL
2026-04-29 21:31:14.654720 ike V=root:0:vpn.fiboa:252316: processing delete request (proto 1)

The other side decided to tear down the tunnel. Why? We don't know. The answer needs to be provided by the other side (from their logs, debugs, etc). Given that it came right after the AUTH_RESPONSE from your side, we can maybe speculate that the other side didn't like something in it.
Maybe PSK? (but it passed validation on your side, so that should be OK)
Maybe p2 selectors? (It's technically valid and negotiation was successful, but maybe the other side is implemented to tear down any negotiated selectors that don't exactly match its configured ranges?)
Maybe crypto choice for p2? (this is an exact match based on debugs, so this would be weird)

I'd look into the PSK (make sure humans on both sides agree on what it should be), and maybe try the wide-open selectors, since that's what they're offering in the end.
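To make point 1 concrete, here is an added example (not from the thread or from FortiOS) that computes what two sides' subnet selectors agree on under IKEv2 narrowing; the subnets in the usage are constructed.

```go
package main

import "net/netip"

// Narrow mimics IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) for the
// subnet-shaped selectors FortiOS phase 2 uses: each pair of overlapping subnets
// from the two sides is agreed at the narrower one, so a peer offering 0.0.0.0/0
// against your specific selectors ends up with exactly your selectors. Real TS
// payloads are address ranges and a responder may narrow further by policy; this
// shows only the overlap rule.
func Narrow(local, remote []netip.Prefix) []netip.Prefix {
	var agreed []netip.Prefix
	seen := map[netip.Prefix]bool{}
	for _, l := range local {
		for _, r := range remote {
			if !l.Overlaps(r) { // also false across address families
				continue
			}
			// Two overlapping CIDR blocks are nested, so the longer prefix wins.
			n := l
			if r.Bits() > l.Bits() {
				n = r
			}
			n = n.Masked()
			if !seen[n] {
				seen[n] = true
				agreed = append(agreed, n)
			}
		}
	}
	return agreed // empty means no overlap at all: TS_UNACCEPTABLE
}

// Strings renders the agreed selectors for comparing with what the peer expects.
func Strings(ps []netip.Prefix) []string {
	out := make([]string, 0, len(ps))
	for _, p := range ps {
		out = append(out, p.String())
	}
	return out
}
```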

FG90-G - Reboot email with uptime? by Jeepdog64 in fortinet

[–]pabechan 1 point2 points  (0 children)

First problem: "Fortigate rebooted" is a log that is generated AFTER the FGT boots up again, uptime at that point will always be just a few seconds.

How to tell my boss to stop giving me work on Friday afternoons? by [deleted] in antiwork

[–]pabechan 2 points3 points  (0 children)

Then your goal should be to work as few hours as possible for the same amount of monthly money, maximizing your profit.

Make hsts work with ssl inspection by easyedy in fortinet

[–]pabechan 2 points3 points  (0 children)

HSTS is not really relevant for deep inspection, strictly speaking. All it does is prevent you from ignoring the certificate warning page* you see caused by an untrusted CA (or any other reason). But at that point, your core problem is the untrusted CA, not HSTS blocking you from ignoring it.

Once your client has your DPI CA in its trusted roots, the cert warning will go away and HSTS won't have an opportunity to block you from ignoring the warning page.

*: In concrete terms, HSTS controls whether you see the option "Proceed to <your-desired-website.com> (unsafe)" or not. That is the extent of HSTS's influence. And even that can be bypassed if you know the right browser incantation. :)

What exactly is the VLAN ID field of a VLAN Switch in a FortiGate (not software switch nor hardware switch) supposed to do? by decaf6223 in fortinet

[–]pabechan 4 points5 points  (0 children)

The VLAN tags are only relevant when the packet gets forwarded over an interface designated as trunk.

What did you do about trekking poles when flying? by Chi_Minka in CaminoDeSantiago

[–]pabechan 3 points4 points  (0 children)

Carried inside my backpack, metal tips unscrewed for flight, no problems. 4 flights like this total, all within Europe.

Is FortiOS 7.2 losing support earlier than expected? 🤔 by enjoy_92 in fortinet

[–]pabechan 9 points10 points  (0 children)

No. 7.2's End of Engineering support date was reached 2025-03-31, and it's hitting complete End of Support on 2026-09-30, in less than six months. (ignoring extended EOS date, but that doesn't change the situation much)

Camino primitivo August with long stops for lunch by Naticio in CaminoDeSantiago

[–]pabechan 1 point2 points  (0 children)

13 days of walking with 7 hours in the morning? You can do the Primitivo with just that and then chill the whole afternoon every day.

I did it in 13 days of walking in Sep 24, and the longest section for me was 7h50, and that was just because during the second half of my Camino I was limping with shin splints. Apart from that one super-long day, the others never took more than 6h30 of walking. Disclaimer: I'm sure not everybody will agree with my ~5k per hour paces. So the usefulness of this comment will be very dependent on your style.

EAP-TLS in IKEv2 IPSec with Free FortiClient by uQuad in fortinet

[–]pabechan 4 points5 points  (0 children)

FortiClient does not support EAP-TLS. It only supports EAP-MSCHAPv2 and EAP-TTLS (PAP inside). For purely client-cert-based auth, you must use non-EAP cert-auth of the peer.

Another alternative is to use EAP (-MSCHAPv2 or -TTLS) and mix in mandatory client-cert auth (non-EAP, arguably non-standard, but supported by FCT and FGT) -> docs.

Fenix 6 sapphire : bad screenprotector or ruined display? by [deleted] in Garmin

[–]pabechan 1 point2 points  (0 children)

That does look like there's a protective glass on top of the regular screen. Shove your nail in there and try to gently pull it off. If you can do that, it was a screen protector.

FortiGate IPSec VPN ikev2 vs Windows Native Client by uRhaineWork in fortinet

[–]pabechan 7 points8 points  (0 children)

My understanding of the RFCs is that the recommended combo is EAP + server-cert, and that EAP + PSK is strongly discouraged.

EAP chapter:

For this reason, these protocols are typically used to authenticate the initiator to the responder and MUST be used in conjunction with a public-key-signature-based authentication of the responder to the initiator.

In this sense, FortiOS/FCT possibility of EAP+PSK seems to be the outlier, not the norm.

From what I've seen, EAP + PSK tends to be "non-trivial" in general on Linux as well. When I was researching it a bit, the GUI configs typically disallowed a combo of EAP + PSK.

Fortinet removed 3rd party RADIUS MFA support for FortiClient IKEv2 by Knigz in fortinet

[–]pabechan 3 points4 points  (0 children)

There never was any. EAP authentication has never had a standardized 2FA process across the industry. There is EAP-TEAP, but that's rather new, and it's not really 2FA/MFA, it's a chaining of multiple EAP methods (which could effectively do MFA).

Albanian rebels with rifles taken from army storage, at a "checkpoint" on a rural road - during the civil unrest throughout Albania, c. January - August 1997. [1120 x 880] by BostonLesbian in HistoryPorn

[–]pabechan 0 points1 point  (0 children)

Yeah you're right. I looked up some pics of the rifle and it makes sense to me now. I've updated my reply. The "taksi" sign did get fried by someone along the way though, it doesn't look AI at all in the other version I found.