Support Forum

Hey everyone,​I'm currently working on my PFE (Graduation Project) focused on deploying a Zero Trust Architecture using the Fortinet Security Fabric. I’m finalizing the deployment strategy for the FortiClient custom installer distribution, and I'd love to get some architectural feedback from the community.​The Goal: Securely distribute the custom installer generated in EMS to remote endpoints during an initial onboarding period, and then tightly lock down registration afterward.​The Environment: My core EMS server lives inside the secure Server LAN.​For both options below, the download page is protected by a FortiWeb WAF that requires Active Directory (AD) pre-authentication before a user can access the installer. However, given the recent high-severity vulnerabilities (like the 8013 auth bypass CVEs), I am highly paranoid about zero-days and expanding the internal attack surface unnecessarily.​Here are the two design paths I am debating:​Option 1 (Dedicated DMZ Server + WAF + AD Auth)

Hi guys,anyone had any experience with cisco webex calling and fortigate. basically SIP traffic are encrypted and sent over tcp 8934 via fortigate to internet (webex).  we have been experiencing, one way audio, transfer fails, unable to hold and resume , drop calls (all intermittent).  These usually points to SIP ALG issue but it is disabled.am I missing anything on firewall?  any other way to double confirm if those packets are dropped due to alg? i would really appreciate some insights pls.

Creating a bridge SSID with dynamic VLAN assignment. So far so good. Two wireless clients in that network. For the first period (some minutes) everything works ok, but then arp requests for the 2 devices are not answered. Setup:-FG61E 6.4,-FAP221E 6.4- FGT and FAP are connected over hw-switch internal,- FGT has VLAN interfaces on internal defined Troubleshooting:brctl showmacs br.2020 - lists all 3 MACs and their interfacesping from FAP works in the first perioddiag_sniffer br.2020 none - shows the arp requests from FAP or from FGT default gateway, but is not answered.  Pinging from one WLAN Client to the other WLAN Client also seems to be affected, but sometimes it works for them but it does not work from FAP or FGT, or it works for all again for a period of time. Pinging IPv6 local-link addresses work without any issue? Last: If all WLAN Clients are put back into the standard Bridge SSID, this behavior does not happen.  Strange is also tha

Hi there, Has anyone used Fortigate permanent license to take backup using automation stitch. Could you please if it works If am using permanent trail license feature.  Thank you in advacned.

Good afternoonDoes anyone know what happened to the release of version 7.6.7? It was supposedly coming out on Thursday, May 21st, but it's already the 29th and there's still no news. I'm having the DNS proxy bug, so I absolutely have to stay on 7.6.4 and can't risk upgrading to 8.0.

Hello, I have been experiencing the following phenomenon concerning multicast streams on a FortiGate 300E : - after a few hours or days of viewing multicast video streams, one stream (not always the same) will become unavailable on all firewall ports except for one port (but not always the same). The IGMP subscription and PIM route (dense mode) are still in the FortiGate's tables for all the ports requesting the stream. - I tried clearing multicast routes, igmp groups, multicast sessions and the command "execute router restart", none of this will get the multicast stream back. However, if I reboot the firewall or if it goes to the failover firewall, I will get the stream back.  - If I use the "diag sniffer packet" to see the multicast stream on the one port where it is still available, there are no multicast packets (and no packets dropped by kernel, I tested with auto-offload enable and disabled). However I can see the multicast packets in wireshark on the cli

Hello Fortinet Support, We are facing an issue where EMS logs are not being ingested into Forti Analyzer. At present, only FortiClient logs are visible, but EMS server activity/logs are not showing up.Details:Product: Forti Analyzer & FortiClient EMSIssue: EMS logs not ingesting/forwarding to Forti AnalyzerObserved: Only FortiClient logs are displayedExpected: Both FortiClient and EMS logs should be ingested for full visibilityRequest:Could you please assist us in troubleshooting and resolving this? If any specific configuration or version requirements are needed for EMS log forwarding, kindly provide guidance.

How to apply the Replacement Message in Security Profile in your Policy when accessing the blocked websites?

Hello,I am trying to test if I can configure endpoint users to connect to a certain PoP in FortiSASE instead of the one nearest to their location. This is needed as some of our users have clients that enforce GeoIP filtering. An example is we need some of our users in the APAC need to connect to our US PoPs as their client only allow US and Canada IPs in their system.Pleas help.Thank you!

Hello,is there any way to get prepared for NSE1 other then Fortinet Learning Center ? Thanks

Hi All, I have issue with F50G automatically upgrade to the latest patch 7.4.11 to 7.4.12 while the contract is expired.It keep sending Email with message “This installation is forced and cannot be cancelled”. It has failed to install multiple times and keeps rescheduling. I checked the system events, which show that the download failed. Do you have any ideas on how to fix this?I tried with this guide , and no lucks.https://docs.fortinet.com/document/fortigate/7.4.11/administration-guide/320693/required-firmware-upgrades-for-fortigate-appliances-with-invalid-support-contracts-or-that-have-reached-eoesDiagnose log:[989] fds_load_upg_matrix_map_img_id: Same major.minor: Patch 11 leads to Patch 12[999] fds_load_upg_matrix_map_img_id: Auto-upg chooses patch 7.4.12 (b2902)[1002] fds_load_upg_matrix_map_img_id: This upgrade will not be forced upgrade[989] fds_load_upg_matrix_map_img_id: Same major.minor: Patch 10 leads to Patch 12[1013] fds_load_upg_matrix_map_img_id: Auto-upgrade has chosen

I try to push 802.1x profile for wired connection from intune with below configuration but the profile not yet pushed even after more than 3 days.Anyonw know why?and for the client authentication should i choose PKCS or SCEP? 

HiDue to the reduction in the maximum certificate lifetime, we need to frequently upload local certificates to FortiWeb in the future.My environment uses a true transparent proxy mode, can I change it to use Let's Encrypt? If I do so, the certificates used on FortiWeb and the real server will be different. Will this cause any connection issues?Or is there a way to upload a local certificate and have it automatically applied to all server pool members?Thanks.

Hi everyoneWe are trying to block users from bypassing our web filter using Cloudflare WARP (1.1.1.1).We do not have Active Directory (AD) or GPO controls. Users are running WARP as portable apps directly from USBs (or people who’s already downloaded it before we noticed) so endpoint/execution-level blocking is out of the question.Our network architecture is constrained: a WatchGuard firewall NATs all LAN traffic into a single IP address before passing it to our core FortiGate.The problem we blocked the standard Cloudflare CDN IP lists, but already-registered/installed WARP clients bypass App Control by falling back to TCP/UDP 443.What are the exact destination IP ranges and custom ports used strictly by the WARP client/WireGuard/MASQUE tunnels (and not standard Cloudflare CDN web traffic) that we can deny on both firewalls?Any advice on blocking this connection fallback without breaking standard web traffic to sites hosted on Cloudflare? Thanks!

Hello everyone, We have been trying for weeks to establish a stable connection between two data centres. Our router is the Sophos Appliance and the remote site uses the Fortinet cluster. The connection is established successfully. Ping works, but then timeouts occur, meaning ping is no longer possible – for 2 minutes, then it works again for 30–40 minutes, then a timeout for approx. 10 minutes, then it works again for 30–40 minutes, then a timeout for approx. 20 minutes, and so on. We have established that Phase 2 seems to be causing the problem here during ‘re-keying’. We have already tried all possible settings here. Without success. Does anyone here have any idea what the problem might be, or has anyone perhaps encountered a similar scenario before? I would be grateful for any assistance. Peter

After successfully log in via web. The browser gets redirected to login screen and it keep doing this forever. When asked for a license i chose evaluation license and fill the Form with my Fortinet account. Different commands gives me different outputs, i.e get system status shows:FGxxxxx # get system statusVersion: FortiGate-VM64-KVM v8.0.0,build0167,260420 (GA.F)First GA patch build date: 260420Current Security Level: HighFirmware Signature: certifiedVirus-DB: 1.00001(2026-04-02 13:48)Extended DB: 1.00001(2026-04-02 13:48)Extreme DB: 1.00001(2026-04-02 13:48)OCR DB: 0.00000(2001-01-01 00:00)AV AI/ML Model: 0.00000(2001-01-01 00:00)IPS-DB: 6.00741(2015-12-01 02:30)IPS-ETDB: 6.00741(2015-12-01 02:30)IPS-MLDB: 0.00000(2001-01-01 00:00)APP-DB: 6.00741(2015-12-01 02:30)AIAP-DB: 0.00000(2001-01-01 00:00)Proxy-IPS-DB: 6.00741(2015-12-01 02:30)Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)Proxy-APP-DB: 6.00741(2015-12-01 02:30)Proxy-AIAP-DB: 0.00000(2001-01-01 00:00)FMWP-DB: 0.00000(2001-01-01 00

Hello Team,I am facing an issue with the Fortinet FortiGate 30G firewall during the firmware upgrade process.Error Message:"Image upgrade failed. This firmware image didn't pass the signature verification." 

In an HA setup using FortiGate 200F, if the primary firewall is connected from the LAN port to the server, should the secondary firewall also be connected the same way?

Hello community,   I have an IPsec VPN with IKEv2 connected to FortiClient 7.4.5, which connects perfectly when I log in with a local user created in Forti. The problem is when I log in with a domain user; it doesn't connect and I get the following error: "IKE message other than DPD retransmit to maximum". Could you lend me a hand?   Thanks

Hi all, I am using Forticlient EMS cloud with Fortigate to achieve ZTNA. We have some endpoints tag changed for some reason, and we wanna know the reason to resolve the issue. But seems the Fortinet log only told that tag was assigned/unaissgned to a EMS client. How could I know the details rather then “guess how” or “open ticket tac” ?  

Many internal systems are querying public DNS servers, but it’ll probably take a year before we can address off of these. Consequently, we are investigating if it’s possible to NAT all outbound queries to a pool of 4 different public DNS servers and use something like the health check monitor to ensure the servers are up. I see how to do this for a single public DNS, but I don’t see how to get all the way through the configuration. We’re using central NAT. Thank you.

Hi, i have installed FortiClient 7.4.3.4726, and configure vpn to connect in customer vpn, but the connection don’t works, i have bellow error:[2026-05-27 12:01:21.6932022 UTC-03:00] [12040:11004] [FortiVPN  2041   error] fortivpn::StateMachine::HandleTunnelConnectFailed session 1's (.\josan) vpn connection failed (reason: "Failed Unknown")[2026-05-27 12:01:21.6958494 UTC-03:00] [12040:11004] [FortiVPN  2370    info] fortivpn::StateMachine::HandleTunnelDisconnected "Agrex do Brasil LTDA" is disconnected.[2026-05-27 12:01:21.6968655 UTC-03:00] [12040:11004] [FortiVPN  2406    info] fortivpn::StateMachine::HandleTunnelDisconnected disconnection reason: 13, ("Failed Unknown")[2026-05-27 12:01:21.6968739 UTC-03:00] [12040:11004] [FortiVPN  2432   error] !!! fortivpn::StateMachine::HandleTunnelDisconnected session 1 (.\josan) "Agrex do Brasil LTDA" disconnected unexpectedly![2026-05-27 12:01:21.6973074 UTC-03:00] [12040:11004] [FortiVPN  2446    info] fortivpn::StateMachine::HandleTunnelDis

Hello everyone,I am working on a FortiAuthenticator 8.0.3 deployment and I need to apply a usage limit to AD users authenticated through FortiAuthenticator.The goal is simple: after the user logs in to the captive portal using their Active Directory credentials, they should be allowed to use the network for only 1 hour.I found this old Fortinet KB article from 2019:https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Usage-Profiles-not-enforced-for-RADIUS/ta-p/198682In the article, there is a note saying that Usage Profiles can only be applied to local users and, starting from version 6.5, to manually imported LDAP users.My question is:Does this limitation still apply in FortiAuthenticator 8.0.3?Or is it now possible to apply a Usage Profile directly to a Remote LDAP group, LDAP directory group, or LDAP filter, without manually importing each LDAP user into FortiAuthenticator?In the current FortiAuthenticator documentation, the Usage Profile option appears available under

HelloI have issue with registring trial license in my FortiGate VM in Hyper-V. I’m registred product and download lic license from portal but when I import license, VM don’t recognize license.Version in my Hyper-V is FortiGate-VM64-HV v8.0.0,build0167,260420 (GA.F).Can you help me to install license successfully?Best regards,Marin Mihajlovic

Hi All, I have the following situation: I configured a guest SSID with Disclaimer Only authentication. I would like to configure the session timeout to 3 hour, and the renewal frequency to 1 hour (after the session time out, the user can not authenticate to the ssid until 1 hour). Is it possible to configure that?I tried to configure this field from FortiManager:  captive-portal-auth-timeoutBut it looks like this field doesn't exists on our Fortigate. Environment: Fortigate40F with FortiOs 7.2.2Fortimanager 7.2.1 OSFortiAP 231F 7.2.1 OS Thank you! Best Regards,Istvan