Support Forum

If the device authenticated based on Entra ID using Captive Portal, then can we assign the vlan based on the Entra Group?

Centralized Control: Adding Remote FortiGate firewall to FortiManager  In this video, we dive into the specifics of FortiGate SDWAN and demonstrate how to integrate your FortiGate devices with FortiManager. We cover the entire fortinet configuration process, ensuring a smooth setup for your network management. This guide is perfect for anyone looking to optimize their fortinet firewall setup within an SD-WAN environment. https://youtu.be/jw84ZuOn8zw

Hi everyone! I've been reading some articles and guides. But I am still not confident with what I have gathered. So I would like to kindly ask your experiences on proper setting up of HA for 100F (or any model if applicable)Long story short we will just reuse 2x 100Fs from one of our site which has been decommissioned to a new existing site.  This is my plan: 1. Turn on Firewall-A2. Factory reset the firewall.3. Configure management interface IP via CLI4. Once reachable via GUI, configure the HA (mode, priority, group ID, group name, password, heartbeat interfaces, heartbeat interfaces priority, mgmt interface reservation and gateway)5. Save, turn off the firewall A.6. Turn on Firewall-B. Repeat all the steps above.7. Turn off firewall-B.8. Connect the HA1 interfaces of the cluster units together9. Connect the HA2 interfaces of the cluster units together10. Power on both of the FortiGates11. configure everything in the cluster as if it is a

Te lo dejo mejorado para foro (más claro, técnico y natural :backhand_index_pointing_down::(Hi all,I’m working on a Hub-and-Spoke IPsec VPN setup where the Spoke site is using a FortiExtender (LTE) as the WAN interface.I would like to know if there are any special considerations or required configurations when using a FortiExtender on the Spoke side.Currently, I’m facing the following error:"fext_wan IP is 0"It seems related to the LTE interface, which is expected to obtain its IP dynamically. Thanks in advance.

Hi.Here we are looking for a replacement of our working firewall 1200D model.last few days based on my firewall performance details• Inbound Traffic: 2.12 Gbps• Outbound Traffic: 1.1 Gbps• CPU Utilization: 12%• Memory Utilization: 47%• Session Rate: 91 sessions/sec• Concurrent Sessions: 88,562, New Sessions 1000+• HA A-A (Active to Active)• Firewall Policies: 245In this performance-based context, can you give me the best suggestions for which model I replaced it with?Note: Last year's renewal purchased the FortiCare Premium Package. This is based on the firewall running.

Hello,We are using a FortiGate with explicit proxy. It forwards requests to an upstream proxy.How can I exclude certain URLs so that they are not sent to the upstream proxy, but instead the FortiGate establishes the connection directly?I tried using the URL match list, but the FortiGate still sends the requests to the upstream proxy. We are on version 7.4.11

I have are two Fortigate firewall between model 50G and 50G-WIFI. Also use SD-WAN to created dual internet and its through SD-SLA mark the auto fail-over. In my case has an interesting problem occurred:***also use the same as police & static route  Model 50G-WIFI:SD-WAN member: VPN_01, VPN_02 => enableWan, A=>enable that are two VPN tunnel & internet service also work as well.===============================Model 50G:SD-WAN member:VPN_01, VPN_02 =>enableWan, A=>enableVPN with Phase1 =>lost====SD-WAN member:VPN_01, VPN_02 =>enableWan, A=>disableVPN service work as normal====SD-WAN member:VPN_01, VPN_02 =>enableVPN service work as normal, internet service not workingas above case problem, how can to resolve it?  

在 Fortinet 的 SASE 解决方案中，我看到主组件 FortiSASE 拥有自己的控制平台，也称为 FortiSASE，可用于管理 FortiGate、SD-WAN 等设备。我还注意到 FortiManager 也包含在 Fortinet SASE 解决方案中。FortiManager 是否也提供自己的控制台界面？它和 FortiSASE 控制台有什么区别？FortiSASE是否提供对设备本身（例如交换机）的配置控制？据我所知，FortiSASE可以配置和管理FortiGate设备。您的客户目前在部署 Fortinet SASE 解决方案时，主要使用 FortiSASE 控制台还是 FortiManager？

I'm unable to activate my trial license with my email address jmujica@outlook.com,  I have an trial license assigned but unable to reuse the license

Hi everyone! We have an existing FG 501E which we'll be decommissioning in a few weeks. We plan on replacing it with FG 100F. In order to lessen the risk and errors, I plan on backing up the old firewall config and just restore it to a newly factory-reset FG100F.However, our existing 501E has Global, and 2 vdoms(including root). On the 100F, we plan on NOT using a vdom. Just put everything in global configuration. Question:1. Is it possible to backup and restore this properly?2. Is it possible to not use a VDOM and just put everything in global config?

This is the most frustrating experience that I ever had with a 30day eval license registration. My customer wants to evaluate Fortigate against another solution and I can't create a PoC without using 1vCPU and a 2GB ram?I have registered the license and the instance still requires a licenseDescriptionPartnerProduct ModelFortiGate VM TrialRegistration Date2026-04-03Lost more than 2 hours as the documentation is not clear (does not even have a link on what is the portal to create a user on how to get a 30 day license - I actually need it for a week)

How can I avoid issues with security profiles after the license expires?Web filter, IPS, DNS filter Is there a way for them to work offline without updating? 

I'm using clearpass accounting with rsso to a fortigate 200g using aruba wifi. also have intrium updates enabled on clearpass.Athentications are working and RSSO is picked up correctly on the firewall however when roaming between access points I am prompted for captive portal. The connection doesnt drop and im using fast roaming on the wifi which would say its a firewall issue any settings to tweak on the firewall so it doesnt distrupt roaming.?

I installed FortiClient EPP/APT Edition for testing purposes, but I am now unable to uninstall it from my system.When I try to uninstall it from Control Panel → Programs and Features, the uninstaller only shows a Repair option and does not provide an option to uninstall.I also attempted to resolve this by downloading the FortiClient removal tool from the Fortinet Support Portal. However, I am facing issues there as well.When I navigate to:Support → Firmware Download → Product SelectionI encounter the following message:"Sorry, you don't have any product covered by a Fortinet support contract."Additionally, the product selection button is not working, so I am unable to select any firmware image or proceed further.For context:I downloaded FortiClient EPP/APT Edition(windows) online for testingI do not have a serial number or active support contractThe uninstall option is not available (only repair is shown)FortiClient #Windows #Uninstall #EPP/APT

Hello,I would like to understand the behavior of the network when FortiNAC becomes unreachable or stops (service down).In this scenario:What happens to the access ports on the switches?Do they fall back to the default VLAN automatically?Are already authenticated endpoints still allowed to communicate, or are they impacted?Also:What are the best practices or recommendations to handle this situation?Is there a way to ensure continuity (fail-open vs fail-close behavior)?Any feedback or real-world experience would be appreciated.Thank you.

Hello everyone,I am working on implementing FortiClient 7.2.4 trial.I did import a web filter profile from our FortiGate and enabled ssl deep inspection. Now it does not seem that FortiClient EMS imports the SSL inspection certificate which is used from FortiGate (and trusted by the clients). I did not find any setting to let me control the certificate used for ssl deep inspection in FortiClient EMS... Anyone knowing where to set the certificate used for deep inspection in FortiClient EMS? Edit: Ok seems like forcing to install the FortiClient extension gets rid of invalid ssl certificate warnings. Is this the way to go then?But I still get certificate warnings when starting Outlook... So how do I set this up correctly?

Hi, we want to create a site-to-site VPN via Fortimanager, but don't want to enable VPN community. Is the following procedure correct? our Fortimanager os version is 7.4.x. 1. login to Fortimanager Device Group2. choose the firewall 3. click VPN  and choose interface mode4. create phase 1 5. create phase 26. install the config via installation wizardCan anyone please help to advise? Thanks in advance!  

I am testing the IPSEC tunnel with the ztna client (unfortunately there is no forticlient vpn under linux that supports IPSEC), and had trouble with https sites, so I want to add some info for other victims.Somehow my ethernet interface picked a MTU of 1280 instead of the 1500 default for ethernet. This caused that the MTU for the sites behind the VPN was 1170, so I could do a telnet to check that the port was open but couldn't open any site. Forcing the MTU on the ethernet to 1500 fixed the issue and now I can browse all the sites without issue.

Just curious, would it be too much to ask that we be given materials that we can actually highlight and make notes on when studying for the NSE Exams? I have a PDF for the self-paced NS4, but I can't modify this document with personal notes or annotate sections that I need to call out to myself.

Details:Could you kindly explain fml cloud working with an on-prem exchange server?

Working on a FortiManager–FortiGate integration scenario and observed an interesting behavior — looking for insights from the community.I configured the following directly on FortiGate:Firewall policiesAddress objects & groupsStatic routesPrefix listsRoute mapsEverything works perfectly on the firewall.However, when I perform “Import Configuration” into FortiManager:Policies, objects, and static routes are imported correctlyPrefix list and route map names appear, but their entries/content are missingOn the other hand, when I perform a “Retrieve Configuration”, I can see the full configuration including prefix list and route map entries.So the questions:Why does FortiManager import process not fully bring in prefix list / route map configurations?Is this expected behavior (device-level vs policy-level separation), or a limitation/bug?What is the recommended production approach to manage routing objects like prefix lists via FortiManager?Would appreciate insights from anyone who has

Hello There,1- I have been facing an issue with IPsec and need your opinions plz.i have sdwan zone with 5 wan links for internet, site-to-site is configured binding wan1 and works fine, once i confure ipsec-remote vpn on wan1 it works fine too but site-to-site goes down after some time and does not come up unless i completely delete the remote vpn.2- I decided to setup remote vpn on another wan link to avoid any possible conflict having at wan1, but remote vpn does not work at all at WAN2 or WAN3, even though the sdwan rule also created for port 500 4500 via wan2-wan3.

Dear all, I was reading fortigate article related to active-passive mode for primary unite selection criteria. 1. Monitored interfaces - unite with fewest failed monitored interface.2. uptime - unite with highest HA uptime becomes primary3. priority - highest4. serial no - highest If override is disabled.Now the question is that - based on the highest as attached snapshot device will become primary if cluster uptime is higher. but  if cluster uptime is less than 300 seconds will not become primary.   Thanks in adavnced. 

Our ISP recentlly upgraded our internet speeds to 4GB, Is it possible to use a 10gb tranciver in one of the open ports and use that as my WAN port? So I get better speeds (I know i wont get better speeds from desktops etc but I do have 4GB to 4GB site to site vpn tunnels that I do some backups over so it would help speed and time. Thanks in advance.

Hi all,I'm trying to get RADIUS accounting packets from a Windows Server NPS (RADIUS) to be forwarded to a Fortinet FSSO Collector, but I'm stuck.Here's my setup:NPS is authenticating 802.1X Wi-Fi logins using PEAP/EAP-MSCHAPv2.Accounting forwarding is enabled in the Connection Request Policy (CRP) – the option “Forward accounting requests to this remote RADIUS server group” is checked.The Remote RADIUS Server Group points to the FSSO Collector (IP: 10.81.0.36, port: 1813, shared secret OK).In the FSSO collector itself, RADIUS accounting is enabled, listens on 1813, and matches the shared secret.Wireshark confirms that UDP packets on port 1813 are never sent.Every time a user authenticates, NPS logs this in Event Viewer with:pgsqlKopírovaťUpraviťLogging Results: Accounting information was written to the local log file.What I’ve tried so far:Recreated the CRP from scratch with minimal conditions (NAS port type only).Made sure CRP is at the top of