Celebrating our Community: Thank You for an Incredible Month
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Recently active
Hi all,I read this article about restricting ipsec connections to certain countries.https://community.fortinet.com/fortigate-3/technical-tip-restrict-ipsec-vpn-access-to-certain-countries-94688When I attempt to implement it, I find that I cannot select any wan interfaces in an address object.In the article example (below image) it shows External (wan1) in the interface field but when I create a new address object it doesn’t show any active physical wan interfaces in the interface field.Would using the Zone that contains the wan interface work? We are running a Fortigate 81F with 7.4.12thanks
In what FortiOS version did this last work? The AI chatbots of the day insist it should still work, but the CLI is a mess.I need to monitor in real time interface OSI layer1 state change (simplest of requests)What is the best replacement in in version 7.2, 7.4, 7.6? diagnose debug console timestamp enable!diagnose debug disablediagnose debug reset!diagnose debug application linkd -1 diagnose debug application netlink -1!diagnose debug duration 0diagnose debug enable!
I am experiencing recurring FortiGuard DDNS failures causing VPN outages. Our FortiGate-100F (v7.2.12 build 1761) cannot update DDNS when our dynamic PPPoE IP changes.Issue:GUI shows "Unable to load FortiGuard DDNS servers list" error DDNS updates fail intermittently When IP changes, DDNS doesn't propagate new IP to public DNS Remote VPN users cannot connect via hostnameDebug output shows root cause:Certificate verification failed, error 62 (hostname mismatch) depth 0 Expected: ddns.fortinet.net Received: CN=sdns.fortinet.netFortiGuard DDNS servers (173.243.138.226) are presenting certificates for sdns.fortinet.net instead of ddns.fortinet.net, causing SSL verification to fail? Impact:Second VPN outage in 4 days Every IP change requires manual client updates Production access affectedTicket opened since May 21 - support has not addressed the certificate mismatch issue shown in debug logs.Is anyone else experiencing this? Is this a known FortiGuard infrastructure issue? Any workarounds
Hello Community, I would link to know does ull ports (x5-x6) can be use as fortilink interface in production? I am bit confuse because of this official document mentationed that x1-x4 can be use for the fortilink however I also read some other doc mentatined that any port can be use for the fortilik. And ull ports are not part of the Integrated switch fabric. https://docs.fortinet.com/document/fortigate/7.4.12/hardware-acceleration/589036 Fortigate 600f: v7.4.12Manage Fortiswitch:7.6.6Can some expert please confirm on this, I appreciate your guidance here.
We have some reports set up for specific devices and I went to add some newly installed devices to the reports. No matter if I edit, clone or create them all over again I get the same error: "The data is invalid for selected url". Does anyone know what the cause could be?(FortiAnalyzer version is the same as Fortimanager)
Greetings Im having some problems with my VXLAN over IPSec implementation. Im able to establish connection to the remote site. Telnet, SSH, RDP, VOIP is working fine but Outlook and some HTTP or HTTPS application don't work. I have read many article about this issue and all says that is a MTU or fragmentation issue. But I follow all the recommendation and nothing seems to work. First thing I notice is that VPN interface, Software-switch and vxlan mtu were set to 1370. I manage to bring the VPN and vxlan mtu to 9000 and Software-switch to 1500. My physical interface are all set to max mtu (9216). I also disable the honor-df bit but the maximum mtu that i can pass without fragmentation is 1472. And I think that is fine because 1472 + 28(header overhead) = 1500. But still cant get Outlook to work. I also adjust the mss in the policy to 1432 (1472-40). Also I lower my encryption to 3DES SHA1.My main FW is a 100F and the remote is a 60F. Im runnig 7.2.4. I will appreciate any
Hi guys, I hope you’re well. I have deployed a single FAP-241K-A unit and have configured the AP profile for both 5GHz and 6GHz radios. All the APs I currently have deployed are running dual 5GHz radio with 2.4GHz set as dedicated monitor with WIDS profile configured and I do not have this issue. I have the same SSIDs manually set on both the 5GHz and 6GHz radio but doing this causes issues with clients being able to connect to the SSID. At first this worked and the client connected but now I am unable to connect and receive an ‘access denied’. All SSIDs are WPA3 SAE with a mix of both bridged and tunnelled. If I disable the 6GHz radio I can connect with no issues so I know that this is the root cause. The device I am testing with doesn’t support 6GHz, but what is the best practice with this radio when you have a mix of devices with some being able to support and others not. Do I create a dedicated 6GHz SSID or are there settings that I can configure so that devices can select the
I have difficult to add switch Alcatel omniswitch 6860 can some one help.When I configure credential snmp is OK but CLI I can't connect it. When I test in fortinac console cli all is ok but in gui no.
Hi, I want to install FortiAuthenticator v8.x in Microsoft Windows Server 2025.Is this supported? Because in KB only Windows Server 2022 is mentioned.Thank you.
When you run a script on the web GUI/interface:If it fails, it provides absolutely no diagnostic debugging output to the user about why/where? I implore Fortinet, I beg you, please provide diagnostic output about the line number and/or command line that fails. Otherwise, we’re just guessing by taking shots in the dark; not a professional troubleshooting technique. Pasting the same script into the CLI is not the same execution environment as uploading it via the GUI. So one cannot reliably assume that warnings and errors will manifest the same. BONUS: It creates a historical event object (pass or fail run record), so why not save/cache the script code itself, and allow the user to “re-run” it ?
Hi, I can see from KB that the minimum VM specs for FortiAuthenticator installation is CPU 8, Storage 1TB, Memory 16GB.However, we only have 200 users. Can we reduce the specs to 500GB storage and 8GB memory? Anyone has done this? and is there any impact?
Hi,I have device FG100E which will end of live on this August, but the firmware still old v6.0.2. From upgrade path i did not see currently firmware i used, it’s only show v6.0.18.The question, it’s safe upgrade direct to v.6.0.18 and then follow the upgrade path? Thank you and appreciate
Dears when the hosts in registration or quarantine vlan persistent agent can’t communicate to fortinac because can’t resolve srv record and retrieve info about fortinac ip address but it retrieves portal and i think it is default in fortinacand when i search in this file i can’t find resolution for srv record except the portal.cat /var/named/chroot/etc/domain.zone.reg cat /var/named/chroot/etc/domain.zone.remso how can resolve this problem as when i search i find that for isolation VLANs it should there is record hosted locally in the fortinac
Hi everyone,We are currentrly switching SSL-VPN to IPsec on our good old FG-200e (v7.4.12)The problem I am facing is that we have a few VPN > SD-WAN rules with NAT enabled, so that the traffic goes trough the tunnel and arrives destinations (IP adresses of AWS servers and some other FQDN's) with our main link IP address.It works fine on SSL-VPN, but I can't make it work with IPsecAny ideas why this happens? Really need to sort this out ASAPThank you
Hi people ,i have in office Fortigate with ip public 87.xx.xx.xx, policy created for internet,for ipsec between other fortigate with ip public 193.xx.xx.xx. I created in windows vpn conection l2tp other ipsec for conect my pc office to mikrotik .Issue is when i try to conect vpn windows(client) to mikrotik(server l2tp/ipsec) this conection is down ,but when i try conect pc office to hotspot conection is successfully vpn l2tp/ipsec to mikrotik.Can anybody help with this issue,why my pc canont conect l2tp/ipsec to mikrotik?
Hello Community, We have a Fortigate 201G with firmware version of v7.2.x we have done some risk assessments on the fortigate and most of the risks identified shows all versions 7.2.x are affected by specified vulnerability, and need move to another version now we wanted to move to the version 7.6.x before we do that I wanted to confirm if our hardware can fully support it. and there wont be any issues or problems we might face later after the update.
Sporadically our Fortianalyzer (7.4.9) will stop sending logs to our main syslog log collector (Is still collecting from other systems). The “Log Insert Lag Time” will get up to 18 or so hours and keep climbing, when it should be like 20-30 seconds. When the analyzer is rebooted, logs start to flow and the time slowly starts to normal, and everything is ok. I’ve been trying to get that value via a command line, or SNMP to feed our PRTG system to monitor when it happens before it gets out of control. But, it seems to be allusive. Maybe I’m missing something? Perhaps there is another tell sign that I can look at? Or is it a feature request?Thanks!
Hi Team,We are planning to deploy FortiAuthenticator On-Premises for a client.Client Requirement: When users register their endpoint with FortiClient EMS (ZTNA), MFA should be enforced. The client wants users to have either SMS OTP or Google Authenticator (TOTP) as the second factor, with both options available for redundancy. Could you please confirm the following: Is this requirement supported with FortiAuthenticator? What are the prerequisites for implementing this setup? For SMS OTP, does FortiAuthenticator require a third-party SMS gateway/provider? If yes, which integrations are supported or recommended? Are there any licensing or configuration considerations we should be aware of before deployment? Any implementation guidance or best practices would be appreciated.Thanks!
Hi,I now create additional dialup tunnels on second wan for failover, but we use ftm to get notifications during login on mobile smartphones, the config looks like:FGT (ftm-push) # show full-configuration config system ftm-push set proxy enable set interface '' set server "PUBLIC_IP_OF_WAN1" set server-port 4433 set server-cert "Fortinet_Factory" set status enableendhow to configure ftm to have it working on WAN1 and WAN2 interfaces, because If I’m trying to configure it on both wan ports I get an error: FGT (ftm-push) # set interface "port24" "port23"command parse error before 'port23'Command fail. Return code -61
We have FortiManager 7.6.7 and two FortiGates running FortiOS 7.4.11.Under Security Profiles > SSL/SSH Inspection, we have an object named “SSL-EXCEPT” with set cert-probe-failure allow, and this profile is used in several firewall policies.In FortiManager, the same object also has allow configured. However, whenever we make any change in FortiManager, it applies unset cert-probe-failure, which is preventing us from managing changes on these FortiGates through FortiManager.How can we fix this?
Hello,I am using FortiOS 7.6.x. According to the documentation, I can block traffic based on both category and URL.Specifically, my URL filters use the *FQDN wildcard block. It works well with a few exceptions such as: *worldguesser.io or *crossyroadgame.io or *crossy-road.io. I don’t understand why these are getting through the firewall. Am I missing something?Category-based filtering is very broad and blocks two interesting domains:Group: General Interest - Personal https://boinc.berkeley.edu/General Interest - Business https://worldcommunitygrid.org/Is there a way to exclude certain domains from a category?Thank you
Hello , can we do user based ztna web proxy with using local user of Fortigate local database with mac binding , mean ztna web proxy is opened with only same user with same mAc of machine , otherwise rejected
Hi everyone,I'm running into a frustrating issue with the Device Identification (IoT/OT detection) feature on our FortiGate. Multiple Windows laptops on our network are being incorrectly identified as Samsung Galaxy Android 5.0 devices.Because of this, FortiGate is flagging a randomly list of potential IoT/OT vulnerabilities associated with Android Lollipop, which is obviously a huge false positive (especially since no one is bringing Android 5.0 devices to the network in 2026!). Here are some key details about our environment: The affected clients are purely Windows machines. There are no Android emulators installed on these laptops. This is happening across several different devices, which rules out a simple stale DHCP IP cache/re-use issue. Checking the CLI (diagnose user device), the MAC OUI belongs to Cloud Network Technology (standard for laptop Wi-Fi adapters), not Samsung. Has anyone else encountered this specific false positive recently? Any insights on which common Wind
API-TEST
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.