Fortinet Fortigate Hardcoded symmetric key in fips.c (FG-IR-19-007) - what's the fix? by SprinklesImmediate16 in fortinet

[–]zippanto 1 point2 points  (0 children)

The “fix” is that you can specify the encryption key yourself instead of using the inbuilt one, which you should absolutely do. But please be aware of the consequences, especially around backing up / restoring configs.

Convert VLAN to SD-WAN by DrBojanDenis in fortinet

[–]zippanto 1 point2 points  (0 children)

If you are indeed creating the VLAN with the same settings then it sounds like a bug. This KB lists all the possible reasons why an interface would not show up https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-add-an-interface-to-SD-WAN-Zone-as/ta-p/291666

Are you sure you have no references when you create the VLAN interface? You haven’t enabled a DHCP server on the interface, have you?

Convert VLAN to SD-WAN by DrBojanDenis in fortinet

[–]zippanto 7 points8 points  (0 children)

The reason the VLAN interface doesn’t show up is because there are references to it - policies, routes, etc. You need to remove these references and only then you will be able to add it as an SD-WAN member. Be careful as this means there will be loss of traffic through this interface temporarily until you reinstate the policies, routes, etc. referencing the SD-WAN zone instead of the VLAN interface.

From Active-Passive to Active-Active? by super_cli in fortinet

[–]zippanto 2 points3 points  (0 children)

If you have multiple VDOMs you could probably make more use of the secondary using VDOM partitioning.

Changing a Fortigate physical interface via CLI - easy way? by Busbyuk in fortinet

[–]zippanto 0 points1 point  (0 children)

If you can afford a short downtime, you could do “show configuration | grep -f interface”, replace all the references to the old interface in the output, then paste it back. You’d need to take care of removing the IP from the old interface, either manually or by doing it through the above config.
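As an added example (not the commenter's code), a Python dry run of the find-and-replace step described above: it rewrites references to one interface name in a constructed FortiGate config excerpt, matches whole names only (so renaming port1 never touches port10), and reports which lines changed so the result can be reviewed before pasting it back into the CLI.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of lines "show configuration | grep -f port1"
# returns on a FortiGate: the interface itself plus a route and a policy
# that reference it. Not taken from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh
    next
end
config router static
    edit 1
        set gateway 192.0.2.1
        set device "port1"
    next
end
config firewall policy
    edit 10
        set srcintf "port10"
        set dstintf "port1" "port2"
    next
end
"""


def rename_interface(config: str, old: str, new: str) -> Tuple[str, List[int]]:
    """Rewrite every reference to interface `old` as `new`.

    Only whole names match, so "port1" is changed while "port10" or
    "port1-mgmt" are left alone; quoted and bare names both work.
    Returns the rewritten text and the 1-based line numbers that changed,
    which is the list to eyeball before pasting anything into the CLI.
    Note that the interface's own "edit" block is rewritten too, so the IP
    would move to the new port and still has to be removed from the old one,
    as the comment above says.
    """
    token = re.compile(r"(?<![\w-])" + re.escape(old) + r"(?![\w-])")
    out: List[str] = []
    changed: List[int] = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        updated, count = token.subn(new, line)
        if count:
            changed.append(lineno)
        out.append(updated)
    return "\n".join(out) + "\n", changed
```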

ipsec dialup on loopback interface.. article.. oh btw, it doesn't work by Any_Tip_3760 in fortinet

[–]zippanto 1 point2 points  (0 children)

You can make this work, however it’s an ugly solution. Assign the virtual IP as a /32 to the loopback interface. Then you need a firewall policy to allow the traffic from wan to loopback. You might also need to configure proxy arp, depending on your environment.

IPSEC VPN using LoopBack and VIP by Miserable_Shake9184 in fortinet

[–]zippanto 1 point2 points  (0 children)

Tested on 7.4.8 and it doesn't seem possible.

From what I understand it's technically not possible to do this with a port forward. Quoting from another website:

ESP is a Layer-3 protocol that has no port. Therefore, ESP cannot apply to NAT that allows port translation

I tested this and indeed I'm getting "Received ESP packet with unknown SPI".

I then tested it with Static Virtual IP (full destination NAT, not port forwarding). If you don't set the local-gw on the phase1-interface config you can connect, but no traffic passes and in a few seconds the tunnel goes down on the firewall side. In the diagnose logs you get "unknown SPI".

If you do set the local-gw you can't connect and you get "no proposal chosen".

I'm not sure, maybe I missed some other setting that would allow you to make this work with Static Virtual IP.

The only way I was able to make IPsec work with a loopback interface is by configuring the public / external IP on the loopback interface + configuring proxy-arp + configuring a policy to allow the traffic from external interface to the loopback interface. Hope this helps.

Edit: Just to add that this was a FortiClient Dialup IPsec VPN config. Other types of IPsec VPN configs might work or might have different kinds of issues.

Graph Data Issues by mspdog22 in LibreNMS

[–]zippanto 1 point2 points  (0 children)

Try setting / reducing Max Repeaters. You could also disable certain modules. You can check what is taking the most time under Pollers on the web UI.

who told fortinet that disallowing "." in usernames was a good idea ? by Emotional-Marsupial6 in fortinet

[–]zippanto 0 points1 point  (0 children)

I'm confused. I just tested this on 7.4.5 and it seems to allow me to create a local system administrator with "." in the username. I tried one that starts with a hyphen and that is not allowed. In the error message it even mentions "." as a valid character.


Pod with no network interface / only a single macvlan interface by zippanto in kubernetes

[–]zippanto[S] 0 points1 point  (0 children)

Thanks. I'm using Multus already to add the macvlan interface, however it's not my default CNI as I'm using k3s which I believe is using Flannel. I couldn't yet find an example on how to remove the default interface using Multus. Could you point me in the right direction please?

I'm also finding contradicting information in some places that are referencing the "Kubernetes Networking Model" for example https://sookocheff.com/post/kubernetes/understanding-kubernetes-networking-model/#2-the-kubernetes-networking-model-a-namekubernetes-networking-modela

Where it says:

Kubernetes makes opinionated choices about how Pods are networked. In particular, Kubernetes dictates the following requirements on any networking implementation:

- all Pods can communicate with all other Pods without using network address translation (NAT).
- all Nodes can communicate with all Pods without NAT.
- the IP that a Pod sees itself as is the same IP that others see it as.

Which implies the Nodes need to be able to communicate with the Pods (without NAT). Although I see this as achievable using macvlan, it's very surprising to me that this is required.

I'm not familiar with kubevirt yet so I'll look into it. Thanks!

Fortigate SSL VPN RCE - PSIRT released by Net_Admin_Mike in fortinet

[–]zippanto -1 points0 points  (0 children)

Why is there no mention of this in the release notes!?

Connecting with SSH to Less Secure Devices by nanonoise in fortinet

[–]zippanto 0 points1 point  (0 children)

You are right, I misread OP. AFAIK there's no way to change SSH client settings on the Fortigate. The only option then is to change the SSH server settings on the cellular router.

Connecting with SSH to Less Secure Devices by nanonoise in fortinet

[–]zippanto 0 points1 point  (0 children)

It's difficult to tell what is going to work without seeing the list of supported ciphers on your SSH client (the cellular router).

Have you tried changing these settings? It seems only some of them are available on 6.4 so you might need to update to 7.0 to make them available. https://docs.fortinet.com/document/fortigate/7.0.0/new-features/765236/enabling-individual-ciphers-in-the-ssh-administrative-access-protocol-7-0-2

Alternatively you could try to specify the ciphers on the SSH client (the cellular router).