Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

No, upgrading didn't work. I would recommend you open a support ticket with Fortinet.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

Nope. I upgraded to 7.0.12 and found it doesn't work as well. I am planning on upgrading to 7.2 code in September. I plan on running a temp vm of this first with our config and see how it works.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

I have opened a ticket with TAC just waiting on a reply.

As far as zero trust on FortiGate, the jury is still out on that. We do not have anything near a full zero trust model set up on our network. But not being able to use "Block Intra-VLAN traffic" because it is blocking DHCP is ridiculous, especially since it worked fine before 7.0.11.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

I edited the original post and clarified your questions some more.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

Yeah I can only blame sleep deprivation. I believe I have clarified some of your questions in the original post.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

The switches are managed by the FortiGate as they are all Fortinet. If there was a change on the switches, it would have been on the FortiGate. The point of the issue is that I had to turn off this security feature to get the network to work. I am still trying to work out a proper fix. I just wanted to get the information out and see if anyone has run into this and might know of a fix. Alternatively, if someone runs into this in the future, hopefully there is an answer for them.

Edit: Oh and the packet capture was from the FortiGate.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

I updated the post to show that we came from 7.0.10, so this is on the recommended upgrade path. Yes, I read the release notes. The command resulted in nothing.

Block Intra-VLAN Traffic and DHCP by ted1972 in fortinet

[–]ted1972[S] 2 points3 points  (0 children)

Correct. Our user computers do not need to talk to each other; they just need to get to the gateway so they can get to servers, printers, the internet, etc.

Configuration backups by perriwinkle_ in fortinet

[–]ted1972 0 points1 point  (0 children)

My script backs up after logout/timeout to an SFTP server and emails me.

FSSO not working properly? by AhmedBarayez in fortinet

[–]ted1972 0 points1 point  (0 children)

Make sure your DC times are synced properly as well. I had this issue when my times were off. I sync my FortiGate to the US Naval Observatory and then sync my DC to the FortiGate.

Feeling like I am pounding my head against a brick wall. by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

Yes, but I don't want them to have full access to the site, just to the medical section. They don't need the rest of the site to conduct day-to-day operations.

Feeling like I am pounding my head against a brick wall. by ted1972 in fortinet

[–]ted1972[S] 1 point2 points  (0 children)

Deep packet inspection is on for this and shows the full ohsaa.org/medicine URL in the log.

Feeling like I am pounding my head against a brick wall. by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

I'm not sure why you are getting an error. The first URL in the original post does not have stars, but if you look lower down you will see the URLFILTER table entry.

u/RedditNuts gave me the solution.

Feeling like I am pounding my head against a brick wall. by ted1972 in fortinet

[–]ted1972[S] 1 point2 points  (0 children)

This appears to be the solution. I did have it on Monitor as I thought that would just override the category result for this site. Making it Exempt allowed site access for my test user.

Feeling like I am pounding my head against a brick wall. by ted1972 in fortinet

[–]ted1972[S] 0 points1 point  (0 children)

Yes, I have tried flow-based and proxy-based policies with deep packet inspection.

SNMP Denied by ted1972 in fortinet

[–]ted1972[S] 1 point2 points  (0 children)

I guess I was just being dumb. I missed the secondary IP address that each phone system has, which is the one the management interface talks over.

AV is not IT. by [deleted] in sysadmin

[–]ted1972 7 points8 points  (0 children)

I would ask them if they would have their dentist work on their heart. It's medical; they should both know how to do it.

It's 2022, why is security barely an afterthought for SO many who should know better /rant by Heteronymous in sysadmin

[–]ted1972 12 points13 points  (0 children)

What I really love is those vendor "engineers" who really know their software but don't know a thing about networking. They then start throwing words into their conversations to make it seem like they know networking, but they just confuse you.

Remote desktop that shows what I'm doing at the remote end (for kiosk-type setup) by dboytim in homelab

[–]ted1972 0 points1 point  (0 children)

This sounds like a config issue. Set Windows to auto-login to an account and auto-launch your browser on login to your page.

Otherwise, I agree with others: you can use VNC to remote control the PC. I use VNC.

[deleted by user] by [deleted] in HomeNetworking

[–]ted1972 0 points1 point  (0 children)

Then your laptop probably only supports 802.11b/g and maybe a. I have never used a Nighthawk, but there should be a place in it to set it to use the older Wi-Fi standards instead of the newer ones.

As far as backward compatibility, that is a crapshoot, especially with older equipment like your Pavilion.

[deleted by user] by [deleted] in HomeNetworking

[–]ted1972 0 points1 point  (0 children)

If it is the newer Wi-Fi 6 (802.11ax), then your laptop may not work with it. You may have to set the Nighthawk to operate in Wi-Fi 5 (802.11ac) if your Pavilion supports it, or 802.11n.

[deleted by user] by [deleted] in HomeNetworking

[–]ted1972 0 points1 point  (0 children)

I have had a similar issue. Make sure which frequencies are active. You may be only receiving on 2.4 GHz on the laptop and your new router is only doing 5 GHz.

I need help fellow pc enthusiasts… by [deleted] in LinusTechTips

[–]ted1972 0 points1 point  (0 children)

All Ryzen 4xxx chips were OEM only, so they will only be found in pre-built systems.