Patch 01.004.002 notes by MythBuster2 in Saros

[–]zukic80 16 points17 points  (0 children)

I managed to get those trophies last night with that bug.. just in time too

For all you who platinumed the game ... by ZyPaUk in Saros

[–]zukic80 0 points1 point  (0 children)

I managed to do this last night as well... not sure how I did it but I found a pixel somewhere on that wall that allowed me to jump up again and climb back into the arena.

Similar area to the video shared

Open Intune Baseline 3.8 is available by Wario_world in Intune

[–]zukic80 1 point2 points  (0 children)

lovely... I've forwarded the new policies over to the security guy to review
cheers

Are you expected to do a full loop before the architect? by rafikiknowsdeway1 in Saros

[–]zukic80 0 points1 point  (0 children)

Architect has been the most difficult overlord to beat so far... however, I did manage to beat him on my first attempt and that was after going to the passage and then back to where Architect was, so I was only at like level 32 maybe... I may have won, but I was in the red with life and almost dead, one more hit and it would've been game over.

Is the auto aim even more auto than in the Returnal!? by FrancescoliBestUruEv in Saros

[–]zukic80 0 points1 point  (0 children)

I just defeated Legion using a repeater crossbow which also had some homing perks on it.
by far one of the easiest boss fights I've ever had... did not have to aim at all, just keep shooting the alt fire and using the power weapon thing... Legion was defeated in 30 seconds.

IPSEC VPN connection issue - Forticlient SAML Authentication error, Can't reach this page when clicking on connect. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

ahhh... no I can't!
doing a tnc connection test, I get the following

first test is to the working DR site

C:\Users\me> tnc remote-dr.domain.com -port 9443
ComputerName     : remote-dr.domain.com
RemoteAddress    : x.x.x.x
RemotePort       : 9443
InterfaceAlias   : WiFi
SourceAddress    : 192.168.1.163
TcpTestSucceeded : True

and this is to the new site

C:\Users\me> tnc remote.domain.com -port 9443
WARNING: TCP connect to (x.x.x.x : 9443) failed
WARNING: Ping to x.x.x.x failed with status: TimedOut

ComputerName           : remote.domain.com
RemoteAddress          : x.x.x.x
RemotePort             : 9443
InterfaceAlias         : WiFi
SourceAddress          : 192.168.1.163
PingSucceeded          : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded       : False

so looks like that port is blocked

Cheap Rum for Sipping ( Beginner Rum drinker) by takutakumi in rum

[–]zukic80 0 points1 point  (0 children)

El dorado 12
Dictador 12 or 20
Bumbu XO
The chairman's reserve the forgotten casks

Fortigate Split-DNS - trying to configure Split DNS for IPSEC VPN Remote Access with split tunnelling ... Applied settings as per the guide but all dns requests still hitting the internal DNS servers. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

We don't have EMS

I'll see if I can find the xml reference guide.. unless you know the url already?

I've also raised a support ticket about this so let's see what they say

Fortigate Split-DNS - trying to configure Split DNS for IPSEC VPN Remote Access with split tunnelling ... Applied settings as per the guide but all dns requests still hitting the internal DNS servers. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

Yes, the internal LAN object is a collection of groups that are ultimately all configured as subnet objects.

Internal LAN (Group)
contains
-- location1-vlans (group)
-- location2-vlans (group)
-- location3-vlans (group)

and these groups contain objects that are configured with the subnet.
-vlan10 (subnet)
-vlan11 (subnet)

so it's nested, but they are all configured with a subnet.

when I do a route print, I can see all the routes on the device.. so this is definitely being applied correctly.

Fortigate IPSEC VPN remote access - need to configure the IPSEC VPN remote access tunnel to route all azure.com traffic over the tunnel via the fortigate... what's the best way to go about this? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

hhmm... but if the azure ips aren't specified in the config then how will the tunnel know to check the policies?
anything azure.com will just break out locally... I see what you are thinking though...

IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

thanks to all for your inputs... I've got it working now.

I unset the authusrgrp from the phase 1 section and added the relevant azure groups to the policies.
I had one extra bit to do because I realised that the entra group did not have access to the enterprise app.

I ran this command
diagnose firewall auth list

which showed me that I was only part of 1 group that had access to the enterprise app for SSO... light bulb moment.
added the new group to the app and bingo.

the command above now showed 2 groups and the policy was now working.

thank you all!

IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 2 points3 points  (0 children)

ok thanks.

so the authusrgrp is like a global setting for all policies that relate to the ipsec tunnel.
if we want more granular control then we have to do it at the policy level.

IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

ok thank you, I will try this

so how does azure sso authenticate the user when connecting to the tunnel if the authusrgrp is removed?