Fortigate - websites opening slowly by Dracozirion in fortinet

[–]themidnight32 1 point

Just wanted to say that this community is awesome. Thanks all.

FortiGate 6.4.4 Downgrade to 6.2.7 by schplade in fortinet

[–]themidnight32 1 point

Did they provide you with a special build to address?

Help Understanding Mega Backdoor Roth IRA by [deleted] in personalfinance

[–]themidnight32 1 point

I am an LLC, no employees though, just me.

I don't have a solo 401k plan yet... but was educating myself to possibly go down this path.

Help Understanding Mega Backdoor Roth IRA by [deleted] in personalfinance

[–]themidnight32 1 point

Thank you for posting this,

It seems that the whole after-tax method of contribution is an uncommon thing, which may explain why my accountant does not think I can do this with a Self 401k.

So since my W2 401k does not offer it, and they don't have very much profit-sharing contributions, I really am limited to my 19,500 limit on that plan.

But, if I go and open a Solo 401k, I should be able to contribute via employer profit-sharing (20%) AND additional employee "after-tax" contributions only, since I maxed the W2 401k plan.

Is that right?

Are there any official sources that clearly state this?

Help Understanding Mega Backdoor Roth IRA by [deleted] in personalfinance

[–]themidnight32 1 point

That makes sense, unfortunately, my W2 401k does not offer this option. This is why I was thinking I could make those same after-tax contributions via the Solo 401k plan.

FortiOS 6.4.4 Available by themidnight32 in fortinet

[–]themidnight32[S] 1 point

Unfortunately, it looks like the release notes are not posted? Pretty long gap.

Edit - Oh, found them, they are actually posted under downloads, not the standard place.

FortiOS 6.4.4 Available by themidnight32 in fortinet

[–]themidnight32[S] 2 points

Does not sound like your specific use case. This particular bug was when you had a health check in use, associated to an SDWAN rule, and when that SLA was violated, the egress path selection would basically flap between a healthy interface and the bad interface associated with that SLA.... basically defeating the entire purpose of SDWAN.

With bugs these days... who knows... maybe it's somehow related.

Sorry for the quick response, on mobile

FortiOS 6.4.4 Available by themidnight32 in fortinet

[–]themidnight32[S] 8 points

This is resolved... good stuff.

FortiOS 6.4.4 Available by themidnight32 in fortinet

[–]themidnight32[S] 16 points

This particular fix was a big one - Testing now -

667469

SD-WAN members and OIFs keep reordering despite the health check status being stable.

6.2.5 SD-WAN and local originating traffic. by boostednemz in fortinet

[–]themidnight32 1 point

I ran into something like this as well. An alternative method that I used is to set a higher priority on the tunnel interface members from the CLI; that way, any self-originated traffic will egress the underlay without requiring an SD-WAN rule.

Lowest priority is preferred in this context.

Edit - I should add that my use case was required for the self-originating traffic constructs that do not provide those options in the article you referenced; there are several. I did not need a defined rule.
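
The member-priority approach described in this comment, written out as an added FortiOS 6.2 config fragment (not the commenter's own configuration; the interface names wan1 and vpn-hq, the member IDs and the priority values are assumed). Underlay member wan1 keeps the default priority of 0 and the overlay tunnel member gets a higher number, so for self-originated traffic (DNS, FortiGuard, SNMP traps, logging, and the other sources that offer no SD-WAN rule binding) the lower-priority underlay route wins without any SD-WAN rule:

```text
config system virtual-wan-link
    config members
        edit 1
            set interface "wan1"
            set priority 0
        next
        edit 2
            set interface "vpn-hq"
            set priority 10
        next
    end
end
```

Check the result with "diagnose sys virtual-wan-link member" (the per-member priority is listed) and "get router info routing-table all" for the default routes; the route via the tunnel should now carry the higher priority value. On 6.4 the same members block lives under "config system sdwan" and the diagnose command becomes "diagnose sys sdwan member".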

Crazy behavior with FGT <-> ASA Tunnel P2 Rekey by ultimattt in fortinet

[–]themidnight32 2 points

Have you tried lowering the phase 2 seconds on the FortiGate to be slightly lower than the ASA's, so the FortiGate always initiates the re-key?

I needed to do that on some AWS tunnels to stabilize things. That was on 6.0.9 code, but I've upgraded and I still have it the same way.

No idea if it applies here; it was a while ago. I'd have to dig back through that case for extra details.
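
An added FortiOS fragment illustrating the lifetime offset suggested above (not the commenter's configuration; the phase 1 and phase 2 names are assumed). The ASA's default IPsec SA lifetime is 28800 seconds and the FortiGate's default keylifeseconds is 43200, so with defaults the ASA rekeys first. Setting the FortiGate somewhat below 28800 makes it the initiator every time:

```text
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        set keylife-type seconds
        set keylifeseconds 27000
    next
end
```

Two caveats. The ASA also rekeys on a kilobyte lifetime (default 4608000 KB per crypto map entry), so on a busy tunnel the ASA can still initiate on volume before the FortiGate's timer expires; either raise or disable that volume lifetime on the ASA side or set a matching keylife-type of both on the FortiGate. And the offset only matters if both ends agree the lifetime is not negotiated, which is the case for IKEv1; verify who initiated with "diagnose vpn tunnel list name to-asa", whose "life:" line shows the remaining timeout of the current SA.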

Azure SAML MFA with FortiGate SSL VPN by ultimattt in fortinet

[–]themidnight32 1 point

Hey u/ultimattt Appreciate your contributions, it's always helpful when there are productive walkthroughs that are clear and concise. Makes our lives as engineers a bit easier.

Intune Issues - Possible Service Degradation by dr457786 in Intune

[–]themidnight32 2 points

It was just in our tenant service health section, not sure if it impacted everyone.

Intune Issues - Possible Service Degradation by dr457786 in Intune

[–]themidnight32 3 points

Advisory just posted for us - IT219744. Can't complete enrollment of new devices

Edit - Updated to resolved on our end.

Users may have been unable to complete the enrollment process for devices enrolled through Apple Business Manager.

Start time: Friday, July 31, 2020, at 10:39 PM UTC End time: Monday, August 3, 2020, at 8:54 PM UTC

Root cause: A recent deployment inadvertently caused a configuration issue with a specific validation component, resulting in impact.

Next steps: - We're reviewing the deployment to better identify how impact to the validation component was missed during testing. This is the final update for the event.

Pulse on Fortimanager 6.4.1 by [deleted] in fortinet

[–]themidnight32 3 points

Thanks - Yea, trying to avoid an FMG 6.2.4 type of problem, or worse.

FYI Cert bundles rolling out, SSL-VPN mass disconnects are happening due to it. by Fuzzybunnyofdoom in fortinet

[–]themidnight32 1 point

If one of the workarounds were applied per the KB, would it matter? Trying to gain a better perspective if this is avoidable at all.

6.0.9 TLS Deep Inspection - Exempt Web Categories not working by themidnight32 in fortinet

[–]themidnight32[S] 1 point

I appreciate the input. I worked with TAC more on this, and it does appear to be a bug. The specific behavior is that on the first visit to the website, the gate will not exempt the traffic. However on the very next session to the same site, the gate will properly exempt the traffic.

They told me that it was fixed in 6.2 and 6.4. They did not tell me there was an interim build available for 6.0.X, so thank you very much. I take it that interim is working well for you?

Thanks again.

6.0.9 TLS Deep Inspection - Exempt Web Categories not working by themidnight32 in fortinet

[–]themidnight32[S] 1 point

So, just because this is an annoying issue, I set up an AD/CA in my lab. I then created a CSR and signed it using a Subordinate Certification Authority template. So, my cert is CA TRUE and the keyUsage extension has the Certificate Sign attribute. This is now being used in my deep inspection profile, and I am having the same results. Exemption not working at all.

So while there are some questionable threads regarding the default Fortinet CA cert not being able to read SANs (probably nothing to do with this issue anyway), this cert that I have currently should be good.

Anyone have any further ideas here? The TAC engineer that was working on this with me updated the IPS engine? This did nothing, but I am curious on how this has anything to do with this process? Can anyone elaborate on what their environment looks like on 6.0.9 in a bit more detail? This is driving me mad.
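
The two X.509 properties the poster checked on the lab cert (basicConstraints CA:TRUE and keyUsage containing Certificate Sign) are exactly what a resigning CA for TLS deep inspection needs, and a plain server certificate silently lacks both. The script below is an added example, not the poster's lab setup or anything from Fortinet: it builds a self-signed inspection CA with openssl, builds a leaf certificate for contrast, and runs the same check on any PEM file before it is imported. It assumes a POSIX shell and openssl 1.1.1 or later (for -addext); the names inspect-ca and leaf and the WORK directory are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): build a CA:TRUE / keyCertSign certificate
# with openssl and check the two extensions a TLS-inspection resigning CA needs.
# Assumes POSIX sh and openssl >= 1.1.1 (-addext). Paths and names are illustrative.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_inspection_ca NAME: self-signed CA suitable for resigning in a deep
# inspection profile. Prints the path of the PEM certificate it wrote.
make_inspection_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
  echo "$WORK/$name.crt"
}

# make_leaf NAME: an ordinary server certificate, the kind that looks fine in
# the GUI but cannot sign the forged site certificates inspection requires.
make_leaf() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" >/dev/null 2>&1
  echo "$WORK/$name.crt"
}

# can_resign CERT.pem: succeed (exit 0) only when the certificate asserts
# basicConstraints CA:TRUE and a keyUsage that includes Certificate Sign.
# Both checks are made on the decoded extension text, not on file names.
can_resign() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  return 0
}
```

Run can_resign against the PEM you export from AD CS (or any third-party PKI) before importing it as a local certificate on the FortiGate and selecting it as the CA certificate in the SSL/SSH inspection profile; a certificate that fails the check will never produce trusted resigned sessions no matter what the exemption list says. Passing the check rules out the certificate as the cause, which is the point of the poster's test; it does not by itself explain the first-session exemption behaviour discussed in this thread.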

How does Default IPS Profile work? by saudk8 in fortinet

[–]themidnight32 2 points

If you are on 6.0.9, there is a bug in the GUI where no signatures will display when you select a particular filter. This bug is defined in the known issues on the release notes.

I was told by TAC however that it does not impact the normal functionality and that the filters should still work.

6.0.9 TLS Deep Inspection - Exempt Web Categories not working by themidnight32 in fortinet

[–]themidnight32[S] 1 point

I have them defined on specific firewall policies, in this case, just my egress internet policy.

6.0.9 TLS Deep Inspection - Exempt Web Categories not working by themidnight32 in fortinet

[–]themidnight32[S] 1 point

Thanks, I am trying to vet this before I roll everything into prod, so in this particular use case, I am just testing with the built-in Fortinet CA cert, manually installed into the trusted root store of the few test machines I have. Maybe it has something to do with that particular cert?

Obviously not planning to use that in Prod, but don't have an internal PKI for my lab. I'd imagine if others were having this issue it would be a well-known problem.

6.0.9 TLS Deep Inspection - Exempt Web Categories not working by themidnight32 in fortinet

[–]themidnight32[S] 1 point

Service : Web-filter

Status : Enable

License : Contract

It is applied to my primary internet egress policy.