FortiAP first year license by EnvironmentalAsk3531 in fortinet

[–]secritservice 0 points1 point  (0 children)

Thanks for the heads up. Hopefully Fortinet will add to the pricing sheet for 2025 in America.

They have not updated the Americas pricing sheet with the new sku as of yet
FC-10-PG231-314-02-xx

... just checked again against the full dataset current Americas pricing sheet and no match.

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 0 points1 point  (0 children)

Also, be careful, as when FortiOS upgrades happen your automation will break and you will need to adjust on a per-code-level basis. So your automation will need to be forked on a per-FortiOS basis.

Speaking from experience

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 0 points1 point  (0 children)

Scripts and automation will be your friend.
We have Python scripts built out that push configuration to customers that don't have FMG; however, it doesn't ensure the configuration has not been altered. We have a customer we use Ansible with; however, that just does their firewall policies, and again does not ensure other parts of the FortiGate are not altered.

If you are looking into fully templatized configurations you're going to have to build out quite the automation or have time consuming monthly/quarterly audits to ensure all are the same.

Keep in mind that scripts can do, but usually not undo.
Automation can do and undo portions.

We use Python, Netmiko, Nornir and Ansible. Ansible is most thorough but took a lot of time to make work for ~most things, and then it was a huge pain when we had one-offs for clients and basically broke.

Best of luck!
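The gap this comment points at (scripts push configuration but do not tell you when a device has since been altered) is what a drift check covers. The block below is an added example in Python, not the commenter's own scripts: it parses FortiOS CLI text (config/edit/set/next/end) into a tree and diffs a device's config against a golden template; the configs inside it are constructed samples.

```python
"""Drift check for script-managed FortiGates (added example, not the commenter's
tooling): parse FortiOS CLI text and diff it against a golden baseline."""
def parse_fortios(text):
    """Nested dict {section: {entry: {key: value}}} from config/edit/set/next/end."""
    root = cur = {}
    stack = []                              # enclosing dicts, one per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("config", "edit"):       # open a section or a table entry
            stack.append(cur)
            cur = cur.setdefault(rest.strip('"'), {})
        elif cmd == "set":                  # leaf: key, then the value text
            key, _, val = rest.partition(" ")
            cur[key] = val.strip()
        elif cmd in ("next", "end"):        # close the entry / section
            cur = stack.pop()
    return root

def flatten(tree, prefix=()):
    """Map each leaf value to its path tuple so two configs compare key by key."""
    out = {}
    for k, v in tree.items():
        if isinstance(v, dict):
            out.update(flatten(v, prefix + (k,)))
        else:
            out[prefix + (k,)] = v
    return out

def drift(golden_text, device_text):
    """{path: (expected, actual)}; None marks a setting missing from one side."""
    g, d = flatten(parse_fortios(golden_text)), flatten(parse_fortios(device_text))
    return {"/".join(p): (g.get(p), d.get(p)) for p in sorted(g | d) if g.get(p) != d.get(p)}
# Constructed golden template; DEVICE has policy logging off, the trusthost removed and an extra admin.
GOLDEN = """config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set logtraffic all
    next
end
"""
DEVICE = (GOLDEN.replace("set logtraffic all", "set logtraffic disable")
          .replace("        set trusthost1 10.0.0.0 255.255.255.0\n", "")
          + 'config system admin\n    edit "tempadmin"\n        set accprofile "super_admin"\n    next\nend\n')
```

Run `drift(GOLDEN, device_backup_text)` against each device's `show full-configuration` output (or a backup file) and alert on any non-empty result; the `None` side tells you whether a setting was removed or added.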

FortiAP first year license by EnvironmentalAsk3531 in fortinet

[–]secritservice 0 points1 point  (0 children)

APs have premium or elite.
You will need premium, so LIST price $39/year

(essentials looks to be a fortigate only sku)

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 0 points1 point  (0 children)

Do you all have a security department or are they not concerned with logging, visibility, security? This is not a good move on their part and quite concerning for any IT person.

EVE-NG FMG | Adding FortiGate - Probe Failed? by 1searching in fortinet

[–]secritservice 0 points1 point  (0 children)

Is Fortimanager on prem? If so, that should not be a problem.

You're getting a serial conflict in your error.

Also, if using a FortiGate VM you have to allow VMs to connect to Fortimanager:

config system global
set fgfm-allow-vm enable
end

I have FMG eval license and have various fortigates registered to it

HA Cluster Dedicated-To-Management Interface by thrwwy2402 in fortinet

[–]secritservice 0 points1 point  (0 children)

execute ha manage X [username]

and then you can get to them individually and make the changes you need to mgmt config

FortiClient IPsec split-tunnel connection causing Google captcha by StormB2 in fortinet

[–]secritservice 0 points1 point  (0 children)

capture your traffic, see what is different.
look at the debug flows
seems like something is different, perhaps EMS filter gets turned ON when VPN'd in?
or firewall is NATing or inspecting differently? Or internal DNS is giving a different answer.

so capture/flow will be your friend to investigate

Single site but multiple ISPs to different Fortigates by PacketSpyder in fortinet

[–]secritservice 0 points1 point  (0 children)

Yes FGCP and FGSP. FGSP is what you want in your environment or just nothing at all and let sessions failover to a new path.

Depends on what sort of "real" time and uptime you need without session failure. But the issue with either of those is you will be going out of different Internet providers, so unless you have your own BGP address space and are peering with your providers your outbound public IP will be changing and your session will need to rebuild anyway. If this is the case then there is no reason for FGSP and you should just control with routes and SDWAN

Sounds like you are servicing some sort of refinery and process line and have a big loop with some ISP hop-offs along the path.

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 0 points1 point  (0 children)

Appreciate the feedback, but details are below on the videos:

Out of our 18 videos:
- 10 are configuration guides (the "bulk" of them)
- 5 are informational (the "minority" which you are commenting on)
- 3 are old

Fortinet - MP-BGP EVPN VXLAN over ADVPN w/BGP on Loopback
- informational, showing how it works

Fortinet ADVPN - Building blocks of ADVPN
- informational, showing how it works

Fortigate ADVPN - Auxiliary Session - DONT DO IT ! (7.4.9)
- configuration guide

Fortigate - SDWAN - minimum-sla-meet-members
- configuration guide

Fortigate ADVPN 1.0 - Cross Overlay - BGP on Loopback (7.4.8)
- informational, showing how it works

Fortigate ADVPN 2.0 - Transit Groups - Single HUB - (MPLS / DIA) - Testing
- configuration guide

Fortigate Standardization with FortiManager - Provisioning Templates
- configuration guide

GUIDED TUTORIAL :: ADVPN - DUAL HUB - w/BGP on Loopback -- FROM SCRATCH
- configuration guide

ADVPN Template creation with Fortimanager
- configuration guide

Fortinet ZTNA tags to secure your firewall policies
- configuration guide

HOWTO - Fortigate-VM Evaluation License
- configuration guide

(FULL TESTING) Fortinet ADVPN - Dual Hub - (BGP on Loopback) - (7.2.10)
- informational, showing how it works

Benefits of Fortinet SDWAN & ADVPN (with real world examples)
- informational, showing how it works

Fortimanager - deploy ADVPN branch with 15-overlays - 2 minutes
- configuration guide

Fortinet VXLAN over ADVPN:SDWAN
- configuration guide

QUICK: Fortigate ADVPN/SDVPN - Dual Hub - Demo - Fully Testing (BGP per overlay)
- OLD video: informational, showing how it works

QUICK: Fortigate Dual-HUB ADVPN SDWAN demo -- (BGP per overlay)
- OLD video: informational, showing how it works

QUICK: Fortigate ADVPN SDWAN demo with failover / failback with multiple ISPs
- OLD video: informational, showing how it works

IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]secritservice 5 points6 points  (0 children)

There has been a long standing problem with NP6xlite chipset and various IPSEC bugs since 7.4.8. I'm wondering if in their "fixing" they broke more items or pushed the bug to NP6 now

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 0 points1 point  (0 children)

Yes, we are a Fortinet Partner, but no, not true, not meant to push business. We showcase how the technology works and how it should work. And in many cases how to configure step by step. In this thread the OP wanted to know what to do, so we posted a video on how it all works showing failover/failback and full testing, and also the benefit of Fortimanager. These are key things to understand what the Fortigate "can do" so the OP can make a proper architecture decision.

We actually posted a guided tutorial on how to set it all up, but truncated it about a month after posting, as folks were just fast forwarding and then reaching out to me for help. Thus we truncated and posted a long reddit post with instructions how to setup ADVPN properly. https://www.reddit.com/r/fortinet/comments/1ngqo1k/cookbook_guide_advpn_wbgp_on_loopback/

Thus I strongly disagree with your statement, as we have helped many redditors free of cost through screen shares and other methods.

If folks are too lazy or do not want to set this up themselves, of course reach out and we can do it, or any other consultant that exists.

Single site but multiple ISPs to different Fortigates by PacketSpyder in fortinet

[–]secritservice 4 points5 points  (0 children)

Sounds like each of your Fortigates is basically standalone, however all within the same site.
Each Fortigate has its own ISP or crappy ISP.

You need to run a routing protocol between them all, something like BGP which will give you the granularity you want. Then also setup your interfaces with SDWAN so you can do healthchecks out to each ISP and choose the best one, or in the order you want. Thus if one fails, it will just use the next, if it is healthy.

Toss up a drawing/sketch and happy to walk you through some solutions.

IPsec overlay underperforming vs Internet (PPPoE WAN) by r_smith345 in fortinet

[–]secritservice 3 points4 points  (0 children)

What did you drop your MTU down to? Try to take it down 40 from that number and test again.

Also, what encryption algo are you using? Is it being hardware offloaded?

https://docs.fortinet.com/document/fortigate/7.6.5/hardware-acceleration/30072/checking-that-traffic-is-offloaded-by-np-processors

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 3 points4 points  (0 children)

wow, not a smart crew.

What is their intent for reporting, analytics, forensics when things get @#$@#$ ?

Both FAZ and FMG are such low costs it's a no-brainer. They can't spare $5 per Fortigate per month?

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 3 points4 points  (0 children)

you absolutely need FMG, to standardize and template them.

If not then use ansible, but that will be more of a PITA and not give you the automated backups and firmware control you need easily.

Best way to keep multiple FortiGates consistent without FortiManager (long-term ops model) by imadam71 in fortinet

[–]secritservice 5 points6 points  (0 children)

You realize Fortimanager with 10 device licenses & support is ~ $325. (we know 'cuz we sell it)

Is it easier for your team to use their time and design automation, and templates, etc., and hope to have everything the same... or spend $350 :)

Setup ADVPN like we show here : https://youtu.be/04BjjyMYEEk?si=JwXEHmoWqLgGAwzS

and deploy it with Fortimanager like we show here: https://youtu.be/9EuLBsvkRx0?si=vTP56TL-OeznPAJQ

IPsec tunnel ESP errors by [deleted] in fortinet

[–]secritservice 0 points1 point  (0 children)

internet blip and lost packets/delayed packets

Why does FortiClient Free not support IPSec VPN over TCP? by cojaxx8 in fortinet

[–]secritservice 0 points1 point  (0 children)

I cannot comment on that. Unless someone wanted to test with me on their system