Celebrating our Community: Thank You for an Incredible Month
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Recently active
Hi everyone,I’m having an issue when trying to activate the trial license on a FortiGate VM running on GNS3 (KVM).When I execute the following command:execute vm-licenseand confirm with y, I get this error:Requesting FortiCare Trial license, proxy:(null) curl forticare failed, 28 Failed to request forticare license 28. Failed to download VM license.Additional system information:FortiGate-VM64-KVM # get system status Version: FortiGate-VM64-KVM v7.2.13,build1762,260128 (GA.M) License Status: Invalid VM Resources: 1 CPU/1 allowed, 1992 MB RAM/2048 MB allowedThe VM image used:FFW_VM64_KVM-v7.2.13.M-build1762-FORTINET.out.kvm.zipThis is a fresh deployment on GNS3 using KVM.
Hi,after upgrading our FortiGate HA cluster from 7.4.12 to 7.6.7, we noticed a significant increase in the daily log volume sent to FortiAnalyzer.Environment:FortiGate: 2x FG-200F in HAFortiOS: 7.6.7FortiAnalyzer: VM, currently 8.0.0Logging: FortiAnalyzerBefore the upgrade, our daily log volume was normally below the licensed GB/day limit (15 GB). After the upgrade, the daily log rate increased by approximately 8–10 GB per business day, without any intentional configuration changes on the FortiGate side.For a normal business day we now see approximately: Application Control log: ~10 GB/day, Traffic log: ~9 GB/dayNo firewall policies were intentionally changed, and we did not enable any additional logging options manually after the upgrade.We have already checked the following:- no known configuration change was made on the FortiGate before/after the upgrade- application Control logging is enabled as before- SSL inspection is enabled- FortiAnalyzer is receiving logs correctly- The inc
Regarding a FortiGate system configured in an active/standby high-availability (HA) setup,we initially set the Device Priority value for Unit 1 to 200 and the Device Priority value for Unit 2 to 128 (the default).However, even though we hadn’t made any changes, the priority value on the standby unit had changed to 200, the same as the active unit. We attempted to manually change the priority value on the standby unit back to its original value of 128, but an error message stating “The entered value is incorrect” appeared, and we were unable to make the change.The system recognizes the active/standby configuration and no abnormalities are apparent in the HA setup, but what is the cause and how should we proceed?
How to Protect Fortigate from IPv6 Security Risks
Working on a branch office to HQ redundant vpn setup. Each location has 2 ISPs and I had planned on following this: Manual redundant VPN configuration | FortiGate / FortiOS 8.0.0 | Fortinet Document Library just using 2 tunnels (primary ISP to primary iSP, backup ISP to backup ISP) with static routes to force the backup tunnel over the secondary WAN at each location. Is there any drawback to this approach? I had considered using SD-WAN for the vpn traffic or possibly BGP but wasn’t sure if either offered a significant advantage in this situation. The branch office has a single /23 network and HQ has only 3 or 4 networks that need to be accessible. And the request is for the tunnels to utilize ISP1 as the primary when available.
Where I can find click house schema file for FortiAnalyzer ?According to docs.fortinet.com:Each log table stored in an SQL database contains log fields that can be used in datasets.You can view a full list of the fields available for each log type in the FortiAnalyzer ClickHouse Schema file available from the FortiCloud Support page.But I cannot find it.
Good day, everyone.I have been experiencing intermittent SPF false positives in **FortiMail 8.0.0**. In some cases, FortiMail reports that the sender's domain does not have an SPF record. However, after verifying the domain manually using both our internal DNS servers and public DNS servers, the SPF record is available and resolves correctly.I would like to know if there is any configuration or best practice that could help reduce these false positives. For example:* Is it possible to increase the DNS query timeout used by FortiMail?* Is it possible to adjust or reduce the DNS cache timeout?* Are there any recommended DNS-related settings for improving SPF validation reliability?One behavior I have noticed is that multiple emails from the same sender domain, received at nearly the same time, may produce different SPF results. Some messages pass SPF successfully, while others are rejected because FortiMail reports that no SPF record was found.Our environment consists of **two FortiMail
Hello dear community, I got a new customer that has an unlicensed FortiGate 50E and FortiAPs 221E on firmware 6.0.x. They want to replace the FortiGate with the 50G model but want to keep the APs for now. The target FortiOS for 50G would be 7.4.12. As the config would be converted/migrated, what would be the best upgrade path to avoid losing the APs management?Put the 50G on 7.4.12 and convert the 50E configuration as is Upgrade the 50E and 221E APs to latest possible 6.2 branch and then convert the 50E configuration for 7.4.12 Upgrade the 50E and 221E APs to latest possible 6.2 branch, convert the 50E configuration for 7.0.19, then upgrade the 50G to 7.4.12 Please let me know if more details are needed. Best Regards
Hello everyone,I am using a FortiGate 40F running FortiOS 7.4.12.I would like to know if there is any supported or unsupported method to prevent the FortiGate from saving Alert, Error, and Critical logs in the local memory.My goal is to stop these logs from being written to the internal log storage, not just hide them in the GUI or change their display.Has anyone found a solution, workaround, hidden CLI command, or TAC recommendation that can completely prevent these logs from being stored locally?Any help or experience would be greatly appreciated.Thank you.
Hi I tried migrating the FAZ-400E config to a FAZ-1000G, but after rebooting, the configuration wasn't applied.but migrating the same config to a FAZ-VM works without any issues.(OS versions are identical).
Hi,I recently implemented FPAM and I have a strange behavior with all the web launching sessions.The FPAM is in a subnet dedicated.My pc is on another subnet and the internal services and external(obviously) are on other subnets.In the middle there’s a Fortigate.I have also an ACL for deny the traffic to the internal services from my pc, so I must traverse the FPAM to reach the services.I launch multiple web launching sessions to multiple sites internal and external and after so much time, I can’t define how much, I receive some ERR_CONNECTION_TIMED_OUT from random sites.If I try to reopen the site, I can no longer access it; I have to wait a long time before it starts working again.From what I've gathered so far, connections are more stable if I use the site's IP address directly instead of the FQDN, but sometimes are slowly(But at least they don't time out.)When I have the reset, the FPAM is capable of ping and resolve the destination internal or external site, seems to be a problem
How i renew or get a new FortiGate trial license in VmWorkstation that i launched before with my Forticare account and now expired ??
If the endpoint was idle for some time then when i change the group on the NAC, I can see the fortinac not send the CoA to the switch.We can see here the last fnac send the CoA is 14:02:18 then i change the group for that host at 14:30 and there is no CoA bsend to the switch
Can Fortinac do the Revocation List to block certificate was revoked?
My scenario for contractor is they login to the network and get isolation network, then after enter the credential the device will connect to guest network and we must change the Host Role from Guest to Contractor then the device can access to the network.Vlan changing from isolation to guest and to contactor network is working fine except if vlan guest doesn’t have internet access then after credential entered then there are pop up in the browser say ‘Failed to detect a change in your network setting’ but vlan already changed to guest. When guest network have internet access then there no popup.Anyone know what url used by fortigate to detect that change ? My goal is to give internet access on guest network to specific url so the popup will not showing.
Hi, I have FortiGate-VM64 v7.6.7 running on VMware Workstation. When I access the GUI the page loads (no timeout) but it's completely white/blank.In Chrome DevTools Console I see:401 Unauthorized on all /api/v2/ calls Events websocket closed unexpectedly Reconnecting attemptsCLI works perfectly fine, I can login and configure via console. The interface has allowaccess http https ssh ping configured on the management port.VM has no active license (eval). Could this be causing the blank GUI?Anyone seen this before?
Hi everyone,I'm trying to integrate FortiWLC 8.6-5 build-8 (FortiWLC-500D) with Aruba ClearPass Guest (ClearPass Policy Manager 6.12.7.308288 on C3010 platform) as an external captive portal.Current setupFortiWLC 8.6-5 build-8 External captive portal: Aruba ClearPass Guest Authentication type: RADIUS Captive Portal External Server Type: Fortinet-Presence External URL: https://<clearpass fqdn>/guest/guest_register_3.phpThe captive portal profile is configured as:Authentication Type: radiusCaptive Portal External Server Type: Fortinet-PresenceSuccess Redirect URL: https://<default redirect url>Login flowClient connects to SSID.FortiWLC redirects the client to the ClearPass Guest portal.The login page receives all FortiWLC parameters correctly, including:magicusermacuseripserveripapmacapidapnodeidssidpost=https://<controllerip>:8081/vpn/loginUser? User enters username/password.ClearPass successfully authenticates the user against the authentication source.After successf
Ho we can make endpoint enter to isolation network if the persistent agent have fail result? And how often the persistent agent will doing the compliance scan?
So we recently migrated our SSLVPN users to IPSEC IKEv2 over TCP443, and so far no major issues, been quiet, outside of some small issues that we have been resolving pretty quick.Except a weird one popped up today that was being that I’m drawing blanks on. I had about 230+ users logged in, no problem, then all of a sudden when a user was trying to login for the first time or reconnect, any user who was trying to connect if they were handed the 172.26.2.180 IP, they would connect and then within seconds the Fortigate would delete the tunnel, and I don’t know why. If two people were connecting at the same time, one person would connect because they got a different IP, but the other user would have their tunnel deleted because they got the 172.26.2.180 IP. Makes no sense to me.Ran debugs for multiple users and you could see phase1 came up, phase 2 came up, and then within seconds the Fortigate would delete it only when it has that specific IP. Other IPs in that subnet no problem, no issue
Currently we have one main Internet line hosting many IPSec tunnel to AWS and other cloud providers.We plan to make use of the 2nd Internet line to create redundant IPSec tunnel to AWS.Will the traffic automatically swing over to the 2nd Internet line if the main line goes down or under maintenance ?
Hi Everyone, I have been having issues with IOT devices maintaining their registration with Apple HomeKit.Problem:I have several Smart Bulbs, thermostats, and TVs which I have registered with Apple HomeKit. I was initially able to get all the devices working where I was able to control them. After the Fortigate reboots, most of the time only 1 or maybe 2 devices will work after a reboot. It’s 8 IOT devices in all.Topology & Configuration:I have a 70G, 110G, FAP231F, and two FAP23JK. The AppleTV that acts as the Hub is on the same SSID as the IOT devices. The SSID is also configured in tunnel mode.Troubleshooting:I have disabled any kind of suppression functions for the SSID, I have a multicast rule allowing mDNS even though the devices are on the same SSID. I have Multicast Enhancement enabled. I have removed the devices and attempt to re-register them. I have enabled IPv6 using non-routable range. I don’t have any features enabled that would interrupt the _tcp.local DNS lookups fo
Hi. I am new to FortiClient EMS (and its Rest API).It looks like the Rest API could let us get a list of vulnerabilites for each endpoints.I have created my “EMS API Access” key but can’t seem to find a way to use it. Not even able to login!Does anyone have a PowerShell sample to get me started?
Hi All, I have the following situation: I configured a guest SSID with Disclaimer Only authentication. I would like to configure the session timeout to 3 hour, and the renewal frequency to 1 hour (after the session time out, the user can not authenticate to the ssid until 1 hour). Is it possible to configure that?I tried to configure this field from FortiManager: captive-portal-auth-timeoutBut it looks like this field doesn't exists on our Fortigate. Environment: Fortigate40F with FortiOs 7.2.2Fortimanager 7.2.1 OSFortiAP 231F 7.2.1 OS Thank you! Best Regards,Istvan
Hello everyone,I would like to request your support in understanding how to proceed with the following situation. I recently took a Fortinet certification exam through Pearson VUE in the online proctored modality. However, when checking the exam status, it appears as “Voided.”So far, I have not received any email from Pearson VUE or Fortinet explaining the reason for this cancellation, so I am unsure of the cause or the next steps to take.Could someone please guide me on how to proceed in cases like this?
Hi FNAC adminsFortiNAC-F 7.2.9.Do you know a way to show/set device model configuration in CLI or via Linux shell (enter-shell).
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.