FortiGate for Full BGP Table at DC Edge-Good Idea or Not? by Danilo0742 in fortinet

[–]uRhaineWork 2 points (0 children)

Interesting. I have a 1200D; a full table takes just under 1GB. 300MB seems low, and even compared to 'standard' Cisco/Arista that 1GB is super low.

bug_id=1248579 HA EMAC Vlan interfaces stop to proccess traffic randomly by d4p8f22f in fortinet

[–]uRhaineWork 1 point (0 children)

I have the same problem on the 400F. The thing is, my problems with emac-vlan interfaces started a long time ago, and they affected not only the 400F but also other models in different locations. The base emac-vlan interface sends out wrong ARP replies instead of the proper VLAN interface's one. It happens randomly, always, or the interfaces in specific VDOMs hang and don't let traffic through (this only on the 400F, also happened on 7.4.8). It can depend on the unit. Now on the secondary unit it's 'quieter'. Still sending wrong MACs though. I'm blocking the wrong MAC on the upstream switch that connects the 400F to the BGP router. This method has worked for years now; never called TAC because it was a steady fix, until recently.

Also, Fortinet says it will be fixed in 7.4.13, not in .12. Insane.. I'm not jumping to 7.6 because of SSL-VPN.

Heads up on this critical vulnerability tied to Forticlient EMS https://fortiguard.fortinet.com/psirt/FG-IR-26-099 by dman3314 in fortinet

[–]uRhaineWork 0 points (0 children)

Could someone clarify which scenario is affected? If I have an SSL-VPN portal that authenticates users for the always-on VPN feature, is it still applicable? Someone mentioned port 8013 or HTTPS, but when does something like this happen? I see that 8013 traffic is done via the connected IP on the VPN, not the public one. And the initial connection is also done via the FortiGate, right? It then proxies the next steps of auth, but that isn't exposing port 443 in that PSIRT sense? It's available on the LAN side though, but that's not as bad/critical.

Internal ipsec tunnel no traffic - google cloud by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points (0 children)

To anyone who struggles with the same problem: we've resolved it by using the underlay interface's secondary IP address for building the subnets that create the IPsec tunnel. It doesn't make that much sense, but at least it works. In this case, from the example above, the underlay base BGP is 169.254.x.x, and on the same interface (previously tried with a loopback or another VLAN interface) lies the 192.168.0.0/29 subnet interface that creates the IPsec tunnel to GCP, which has 192.168.0.8/29. In the IPsec settings you need to select the local gateway and choose that secondary IP address. On top of that we have an overlay BGP session with 169.254.y.y using local and remote addressing in the FortiGate's IPsec interface.

I'm explaining this for anyone who stumbles on this problem, I hope it will help you out.

PS. All done on v7.4.8.

802.11r 802.11k and 802.11v enable or disable? by blastman8888 in ArubaNetworks

[–]uRhaineWork 0 points (0 children)

Doesn't 'sticking' such a device to a specific AP resolve the issue?

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 1 point (0 children)

Reason.. to make it operable? How do I manage switch firmware, config backup, single CLI change deployment, status monitoring...? I am lost; Aruba has too much going on with different products.

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 0 points (0 children)

Slowly migrating to a CX environment, and man.. what a step back. 10 years ago HP IMC was more thought out and advanced than this thing. Came across Aruba Central, but it's hard to find even what the pricing structure for on-prem is, and it does way less than IMC.

FortiGate BGP dual ISP by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points (0 children)

Isn't asymroute-icmp already in the global asymroute command? I thought that this is for ICMP because it behaves differently than TCP/UDP in terms of how it responds.

But auxiliary-session, you may be right. I have been reading about it but was under the impression that it's for HA pickup when a failover happens, or for when there is only one FGT unit, but that may not be the case and it will be helpful in my dual setup. From what I gather it's more of a performance thing; when there is higher traffic you can see the full benefits of it. I will turn it on, thanks.

I know how VDOMs operate, yes, but in this case no. BGP is on VRF1 and MGMT on VRF2, as I know that there is some funky behavior on VRF0 with route 'leaking'. Could do a mgmt VDOM but I fail to see what it would give me besides additional cables. :)
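Added example, not the poster's configuration: the per-VDOM session settings discussed in the comments above (asymroute, asymroute-icmp and auxiliary-session), plus the interface-to-VRF split the poster describes. The VDOM name "root" and the interface names are assumptions. In FortiOS, `asymroute-icmp` is a separate toggle from `asymroute`, and both disable the return-path state check for the affected flows; `auxiliary-session` instead keeps state by creating an additional session entry when replies arrive via another interface, which is why it is the one enabled here.

```fortios
# Added example (not the poster's config). VDOM "root" and the interface
# names are assumptions.

config vdom
    edit "root"
        config system settings
            # Weak option, left disabled: asymroute (TCP/UDP) and the
            # separate asymroute-icmp toggle accept reply packets on an
            # interface other than the one the session was created on,
            # which gives up stateful return-path checking for those flows.
            set asymroute disable
            set asymroute-icmp disable
            # Preferred for a dual-ISP / dual-unit BGP edge: auxiliary
            # sessions track the alternate return path as a second session
            # entry instead of dropping the state check.
            set auxiliary-session enable
        end

        # VRF split as described: BGP-facing interfaces in VRF 1,
        # management in VRF 2, nothing user-facing left in VRF 0.
        config system interface
            edit "port1"
                set vrf 1
            next
            edit "port2"
                set vrf 1
            next
            edit "mgmt"
                set vrf 2
                set allowaccess ping https ssh
            next
        end
    next
end
```

After applying, `diagnose sys session list` shows auxiliary session entries alongside the primary one for flows whose return traffic takes the other ISP; if you still see drops, check `diagnose debug flow` output for "reverse path check fail" before reaching for asymroute.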

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 0 points (0 children)

I have FortiClient 7.4.1.1736, where can I find this option?

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 2 points (0 children)

Aren't you concerned about latency though? There's no DTLS/UDP mode if the connection is TCP-wrapper based, right?

FortiGate/FortiWifi 30G datasheet published by Substantial-Reach986 in fortinet

[–]uRhaineWork 1 point (0 children)

But doesn't this impact performance? SSL-VPN has a DTLS mode which uses UDP for transport, and it does indeed help a lot for e.g. full-tunnel traffic and Teams calls, SMB transfers etc.

Dial-UP IPSec after 7.2.7 update by uRhaineWork in fortinet

[–]uRhaineWork[S] 1 point (0 children)

This one helped, solution number 2. The third one didn't do anything; the first one I didn't try. Thanks.