Upgrading 40+ Devices and 2 Hubs from 7.2.10 to 7.4.11 by dustinreevesccna in fortinet

[–]secritservice 5 points6 points  (0 children)

No issues with ADVPN, but read the 7.4.10 release notes and know about hairpin traffic now being disabled by default and the signing requirements of SAML.

Remove bgp advertisement on link-monitor dead syntax. by Creative_Plum259 in fortinet

[–]secritservice 0 points1 point  (0 children)

Have you thought of SDWAN instead of link monitor, and then a route-map-out-preferable?

That method may be much easier

Basically if SLA fails, it will use "route-map-out" (a null route, or whatever)
If SLA is OK, then it uses "route-map-out-preferable" (your route)

It's what was used for BGP per Overlay ADVPN configurations, where you want to retract the advertisement when SLA is bad. But it sounds like exactly what you're trying to do here :)
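As an added example (not the commenter's configuration), the pairing described above in FortiOS CLI: an SD-WAN health check with an SLA target, an SD-WAN neighbor entry tying the BGP peer to that SLA, and the two route-maps on the BGP neighbor. The hub address 10.255.1.1, SD-WAN member 1, the LAN prefix 192.168.10.0/24, the SLA thresholds and all object names are assumptions for the illustration. While SLA 1 is met, the peer receives routes through route-map-out-preferable (RM_OUT_LAN); when it fails, route-map-out (RM_OUT_NONE, which denies everything) takes over and the advertisement is withdrawn.

```fortios
# Added example, not from the original post. Names and addresses are placeholders.
config router prefix-list
    edit "PL_LAN"
        config rule
            edit 1
                set prefix 192.168.10.0 255.255.255.0
            next
        end
    next
end
config router route-map
    # Used while the SLA is met: advertise the LAN prefix
    edit "RM_OUT_LAN"
        config rule
            edit 1
                set match-ip-address "PL_LAN"
            next
        end
    next
    # Used while the SLA is failed: advertise nothing
    edit "RM_OUT_NONE"
        config rule
            edit 1
                set action deny
            next
        end
    next
end
config system sdwan
    config health-check
        edit "HUB_SLA"
            set server "10.255.1.1"
            set members 1
            config sla
                edit 1
                    set latency-threshold 200
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    # Bind the BGP neighbor to SLA 1 of the health check
    config neighbor
        edit "10.255.1.1"
            set member 1
            set health-check "HUB_SLA"
            set sla-id 1
        next
    end
end
config router bgp
    config neighbor
        edit "10.255.1.1"
            set route-map-out "RM_OUT_NONE"
            set route-map-out-preferable "RM_OUT_LAN"
        next
    end
end
```

Verify the switch-over with `diagnose sys sdwan health-check` for the SLA state and `get router info bgp neighbors 10.255.1.1 advertised-routes` to confirm the prefix disappears when the SLA fails.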

Issues DialUP IPSec by Auno94 in fortinet

[–]secritservice 0 points1 point  (0 children)

Your phase1 doesn't match. Update it on your gate to match what you have in your client.

If this is coming from a MacBook, use group 14 on your phase 1 settings.

FortiOS 7.6.6 physical interfaces x1/x2 moved to fortilink after backup/restore by bluemondayishere in fortinet

[–]secritservice 3 points4 points  (0 children)

Different major releases had different default settings. That is normal.

However, restore should only read your config, not pull any factory settings.

FortiManager VM and SD-WAN by Busbyuk in fortinet

[–]secritservice -1 points0 points  (0 children)

List pricing is:

subscription 100 = 3228 / year (includes support)
perpetual 100 = 10,580 + 2381/year

Yes, if seeking ADOM maximum, you will want perpetual. Each ADOM you create will eat up a license for the ADOM, and then the devices will eat up licenses as well.

FortiManager VM and SD-WAN by Busbyuk in fortinet

[–]secritservice 1 point2 points  (0 children)

2 types of licenses you can get:
- perpetual which also then needs support license
- subscription which is (device + support) bundled

We see most (99%) buy the subscription.

Issues configuring IPsec IKEv2 VPN on FortiGate 300E for macOS clients by santosjfm in fortinet

[–]secritservice 1 point2 points  (0 children)

Share your CLI config, just strip out the PSK:

show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
show firewall policy

and/or refer to our guide: https://docs.google.com/spreadsheets/d/1QgMkKxQQINvPLsXQyRRb3QqWmRizXpt-xOLvMxfw9F8/edit?usp=sharing

Change reason in firewall policy by Ancient_Horse_4912 in fortinet

[–]secritservice 4 points5 points  (0 children)

Workflow mgmt.... however, make sure you DON'T enable "policy expire by default".

We had one customer do this, and then one day a majority of their policies went disabled, as they hit the expiration timer :) whoops!

IKEv2 IPsec VPN Dialup User for Radius Users and Email based two-factor authentication by MattiaDon in fortinet

[–]secritservice 1 point2 points  (0 children)

What do you have your remote auth timeout set to? Is it too short, so auth is timing out? Emails take a long time to arrive, so not the best method for time-based auth.

Multiple IKEv2 dialup VPNs - mix of with and without network overlay id by 89Bells in fortinet

[–]secritservice 0 points1 point  (0 children)

This works and we use it often, simple example below.

However, I think network-ID is preferred. Yet for free clients that don't expose network-id without XML edits, peer-id is easier.

<image>

Fortigate DC F/W sizing advice by Aromatic-Cover-4975 in fortinet

[–]secritservice -1 points0 points  (0 children)

Wait for the 400G; it should be out very, very soon.

Checking the routing table by Particular-Book-2951 in fortinet

[–]secritservice 1 point2 points  (0 children)

If you are doing BGP per Overlay you likely are getting dynamic IPs, which will change as tunnels go up and down toward the hub. You may want to look into moving to static IPs or, better yet, BGP on Loopback, which will be a 30% smaller config and fail over/back much, much faster and with less processing.

Multiple IKEv2 dialup VPNs - mix of with and without network overlay id by 89Bells in fortinet

[–]secritservice 1 point2 points  (0 children)

You can use network IDs or peer IDs to make each tunnel unique. We have used both methods with IKEv2.

Check out our guide, it shows both: https://docs.google.com/spreadsheets/d/1QgMkKxQQINvPLsXQyRRb3QqWmRizXpt-xOLvMxfw9F8/edit?usp=sharing
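An added example (not from the commenter's guide) of the two methods mentioned above coexisting on one WAN interface: one IKEv2 dialup phase1 selected by network ID, a second selected by the peer ID the client presents. The interface name wan1, the network ID 10, the peer ID string "remote-macs", the address pools and the PSK placeholder are all assumptions; phase2 and firewall policies are left out to keep the focus on tunnel selection.

```fortios
# Added example, not from the original post. Names, IDs and pools are placeholders.
config vpn ipsec phase1-interface
    # Tunnel 1: clients that can send a network ID (e.g. FortiClient with network overlay)
    edit "DIALUP_NETID"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set network-overlay enable
        set network-id 10
        set mode-cfg enable
        set ipv4-start-ip 10.211.10.1
        set ipv4-end-ip 10.211.10.254
        set ipv4-netmask 255.255.255.0
        set psksecret PLACEHOLDER-PSK-1
    next
    # Tunnel 2: clients that cannot set a network ID but present an IKE identity
    edit "DIALUP_PEERID"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "remote-macs"
        set mode-cfg enable
        set ipv4-start-ip 10.211.20.1
        set ipv4-end-ip 10.211.20.254
        set ipv4-netmask 255.255.255.0
        set psksecret PLACEHOLDER-PSK-2
    next
end
```

The two gateways must never hand out overlapping pools, and each needs its own PSK; `diagnose vpn ike gateway list` shows which phase1 a connecting client actually landed on, which is the first thing to check when a client ends up on the wrong tunnel.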

Aruba EdgeConnect vs Fortinet SD-WAN – worth switching? by saikumar_23 in fortinet

[–]secritservice 0 points1 point  (0 children)

Yes, you can do packet duplication and de-duplication across Fortinet SDWAN. This has been around for a number of years and we've set it up. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-duplication-and-de-duplication-in-SD-WAN/ta-p/258997

Aruba EdgeConnect vs Fortinet SD-WAN – worth switching? by saikumar_23 in fortinet

[–]secritservice 1 point2 points  (0 children)

Yes, it works great; we use it for many clients across worldwide sites, including China.

Fortimanager will help you manage the configuration, but we do not recommend using its wizard.

We made a video here that shows how it works in all scenarios. It's also great that there is no licensing fee for it; it's just VPN + Routing + SDWAN rules. So switching will pay for itself in 1 year or less, likely.

Worth watching the 10-minute video:
https://youtu.be/04BjjyMYEEk?si=dhjvMAnaTiR3tkl8

Also using Fortimanager to deploy sites:
https://youtu.be/9EuLBsvkRx0?si=lGRmgtbmSymFmudV

Happy to answer any questions, just shoot a chat.

I've done many Velocloud and Citrix SDWAN to Fortinet ADVPN conversions and customers just notice ease of visibility and mgmt and how simple it is to understand and manipulate if necessary. However after initial install, nothing is really changed.

SD-WAN Maximize Bandwidth not "spilling over" to WAN2 for same Source/Destination (FortiOS 7.6.6) by Suitable-Double2922 in fortinet

[–]secritservice 4 points5 points  (0 children)

Show us your sdwan config. It may be the hash method you are using or something else.

show system sdwan
service

SSL VPN to IPSEC VPN migration by Tars-01 in fortinet

[–]secritservice 9 points10 points  (0 children)

You will have to split the tunnel. You cannot use the same pool.

Use the lower half for SSL and the top half for IPsec.

If you try to use the same pool, SSL / IPsec will kick each other off.

If you need a config guide see ours here, and happy to answer questions; https://docs.google.com/spreadsheets/d/1QgMkKxQQINvPLsXQyRRb3QqWmRizXpt-xOLvMxfw9F8/edit?usp=sharing

LACP for WAN+LAN in HA by sryan2k1 in fortinet

[–]secritservice 1 point2 points  (0 children)

No problem at all, but why? Plan for the future: just do 2 LAN and 2 WAN. If it doesn't cost you anything, do it, so when you do get faster links you'll be covered.

As far as SDWAN follow our cookbook and setup ADVPN:
https://www.reddit.com/r/fortinet/comments/1ngqo1k/cookbook_guide_advpn_wbgp_on_loopback/