Celebrating our Community: Thank You for an Incredible Month
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Recently active
I have difficult to add switch Alcatel omniswitch 6860 can some one help.When I configure credential snmp is OK but CLI I can't connect it. When I test in fortinac console cli all is ok but in gui no.
Hi, I want to install FortiAuthenticator v8.x in Microsoft Windows Server 2025.Is this supported? Because in KB only Windows Server 2022 is mentioned.Thank you.
When you run a script on the web GUI/interface:If it fails, it provides absolutely no diagnostic debugging output to the user about why/where? I implore Fortinet, I beg you, please provide diagnostic output about the line number and/or command line that fails. Otherwise, we’re just guessing by taking shots in the dark; not a professional troubleshooting technique. Pasting the same script into the CLI is not the same execution environment as uploading it via the GUI. So one cannot reliably assume that warnings and errors will manifest the same. BONUS: It creates a historical event object (pass or fail run record), so why not save/cache the script code itself, and allow the user to “re-run” it ?
Hi, I can see from KB that the minimum VM specs for FortiAuthenticator installation is CPU 8, Storage 1TB, Memory 16GB.However, we only have 200 users. Can we reduce the specs to 500GB storage and 8GB memory? Anyone has done this? and is there any impact?
Hi,I have device FG100E which will end of live on this August, but the firmware still old v6.0.2. From upgrade path i did not see currently firmware i used, it’s only show v6.0.18.The question, it’s safe upgrade direct to v.6.0.18 and then follow the upgrade path? Thank you and appreciate
Dears when the hosts in registration or quarantine vlan persistent agent can’t communicate to fortinac because can’t resolve srv record and retrieve info about fortinac ip address but it retrieves portal and i think it is default in fortinacand when i search in this file i can’t find resolution for srv record except the portal.cat /var/named/chroot/etc/domain.zone.reg cat /var/named/chroot/etc/domain.zone.remso how can resolve this problem as when i search i find that for isolation VLANs it should there is record hosted locally in the fortinac
Hi everyone,We are currentrly switching SSL-VPN to IPsec on our good old FG-200e (v7.4.12)The problem I am facing is that we have a few VPN > SD-WAN rules with NAT enabled, so that the traffic goes trough the tunnel and arrives destinations (IP adresses of AWS servers and some other FQDN's) with our main link IP address.It works fine on SSL-VPN, but I can't make it work with IPsecAny ideas why this happens? Really need to sort this out ASAPThank you
Hi people ,i have in office Fortigate with ip public 87.xx.xx.xx, policy created for internet,for ipsec between other fortigate with ip public 193.xx.xx.xx. I created in windows vpn conection l2tp other ipsec for conect my pc office to mikrotik .Issue is when i try to conect vpn windows(client) to mikrotik(server l2tp/ipsec) this conection is down ,but when i try conect pc office to hotspot conection is successfully vpn l2tp/ipsec to mikrotik.Can anybody help with this issue,why my pc canont conect l2tp/ipsec to mikrotik?
Hello Community, We have a Fortigate 201G with firmware version of v7.2.x we have done some risk assessments on the fortigate and most of the risks identified shows all versions 7.2.x are affected by specified vulnerability, and need move to another version now we wanted to move to the version 7.6.x before we do that I wanted to confirm if our hardware can fully support it. and there wont be any issues or problems we might face later after the update.
Sporadically our Fortianalyzer (7.4.9) will stop sending logs to our main syslog log collector (Is still collecting from other systems). The “Log Insert Lag Time” will get up to 18 or so hours and keep climbing, when it should be like 20-30 seconds. When the analyzer is rebooted, logs start to flow and the time slowly starts to normal, and everything is ok. I’ve been trying to get that value via a command line, or SNMP to feed our PRTG system to monitor when it happens before it gets out of control. But, it seems to be allusive. Maybe I’m missing something? Perhaps there is another tell sign that I can look at? Or is it a feature request?Thanks!
Hi Team,We are planning to deploy FortiAuthenticator On-Premises for a client.Client Requirement: When users register their endpoint with FortiClient EMS (ZTNA), MFA should be enforced. The client wants users to have either SMS OTP or Google Authenticator (TOTP) as the second factor, with both options available for redundancy. Could you please confirm the following: Is this requirement supported with FortiAuthenticator? What are the prerequisites for implementing this setup? For SMS OTP, does FortiAuthenticator require a third-party SMS gateway/provider? If yes, which integrations are supported or recommended? Are there any licensing or configuration considerations we should be aware of before deployment? Any implementation guidance or best practices would be appreciated.Thanks!
Hi,I now create additional dialup tunnels on second wan for failover, but we use ftm to get notifications during login on mobile smartphones, the config looks like:FGT (ftm-push) # show full-configuration config system ftm-push set proxy enable set interface '' set server "PUBLIC_IP_OF_WAN1" set server-port 4433 set server-cert "Fortinet_Factory" set status enableendhow to configure ftm to have it working on WAN1 and WAN2 interfaces, because If I’m trying to configure it on both wan ports I get an error: FGT (ftm-push) # set interface "port24" "port23"command parse error before 'port23'Command fail. Return code -61
We have FortiManager 7.6.7 and two FortiGates running FortiOS 7.4.11.Under Security Profiles > SSL/SSH Inspection, we have an object named “SSL-EXCEPT” with set cert-probe-failure allow, and this profile is used in several firewall policies.In FortiManager, the same object also has allow configured. However, whenever we make any change in FortiManager, it applies unset cert-probe-failure, which is preventing us from managing changes on these FortiGates through FortiManager.How can we fix this?
Hello,I am using FortiOS 7.6.x. According to the documentation, I can block traffic based on both category and URL.Specifically, my URL filters use the *FQDN wildcard block. It works well with a few exceptions such as: *worldguesser.io or *crossyroadgame.io or *crossy-road.io. I don’t understand why these are getting through the firewall. Am I missing something?Category-based filtering is very broad and blocks two interesting domains:Group: General Interest - Personal https://boinc.berkeley.edu/General Interest - Business https://worldcommunitygrid.org/Is there a way to exclude certain domains from a category?Thank you
Hello , can we do user based ztna web proxy with using local user of Fortigate local database with mac binding , mean ztna web proxy is opened with only same user with same mAc of machine , otherwise rejected
Hi everyone,I'm running into a frustrating issue with the Device Identification (IoT/OT detection) feature on our FortiGate. Multiple Windows laptops on our network are being incorrectly identified as Samsung Galaxy Android 5.0 devices.Because of this, FortiGate is flagging a randomly list of potential IoT/OT vulnerabilities associated with Android Lollipop, which is obviously a huge false positive (especially since no one is bringing Android 5.0 devices to the network in 2026!). Here are some key details about our environment: The affected clients are purely Windows machines. There are no Android emulators installed on these laptops. This is happening across several different devices, which rules out a simple stale DHCP IP cache/re-use issue. Checking the CLI (diagnose user device), the MAC OUI belongs to Cloud Network Technology (standard for laptop Wi-Fi adapters), not Samsung. Has anyone else encountered this specific false positive recently? Any insights on which common Wind
API-TEST
Hello, I apologize in advance if this sounds like a stupid question. I passed the NSE4 Certification Exam on June 18, 2024. I very recently heard that my certification would run out of validity if it’s 2 years old. I have to take the NSE5 Certification Exam, as I was unable to take it before, but I am unsure if my NSE4 Certification is still valid. Please let me know and thanks for your help!
My Fortinac was integrated to Entra ID for 802.1x authentication, now i want to know can we use entra id to login to the web admin of fortinac?
Verify policy match (Policy Match): diagnose debug flow filter addr <IP_ORIGEM>diagnose debug flow filter addr <IP_DESTINO>diagnose debug flow show console enablediagnose debug enable diagnose debug flow trace start 10 Validate NAT (SNAT/DNAT):show firewall policy <ID> Verify Routing:get router info routing-table all
Validate Status of two SD-WAN Linksdiagnose sys sdwan health-check
Hi Fortinet Community,Could you please provide some guidance on the following scenario?I currently have a single IPsec VPN tunnel configured, and the accessible networks include Servers 1, 2, 3, 4, 5, and 6.I have different users who need access to specific servers only:UserA should be able to access Servers 1, 2, 3, and 4. UserB should be able to access Servers 5 and 6 only.Should I create separate firewall policies for each user while using the same IPsec tunnel, or should I create additional IPsec tunnels?I have noticed that when I create another IPsec tunnel, one of the tunnels sometimes goes down. What could be the possible causes of this issue, and what troubleshooting steps should I take?Any advice or best practices would be greatly appreciated.Thank you!
Hey guys,I'm failrly new to terraform and I was curious if fortigate managed app deployment within Azure vWAN is a good option/approach? Keeping in mind that rest of the infrastructure (vWAN, HUB/s, VNETs, NSGs, subnets..etc) is deployed using terraform, would there be any harm if NVAs are deployed manually?ps NVA deployment would be one time setup, no multiple environments (dev, prod, test) nor requirements for NVAs to be deployed more oftenEvery comment is appreciated
Hello.First, I apologize for my imperfect English. Recently, I started learning about networking using FortiGate.When running FortiOS v7.6.6, I configured IKEv2/IPsec VPN on a FortiGate 60F.At that time, the VPN connection worked correctly.However, after upgrading the FortiGate to FortiOS v7.6.7, the VPN connection stopped working.No VPN configuration changes were made between the upgrade and the failure.Based on the FortiGate logs and packet captures taken with Wireshark,I suspect that during the certificate authentication process,the intermediate certificate that should be sent from the server to the client is no longer being transmitted. After rolling back to FortiOS v7.6.6, the VPN connection started working again.I also confirmed that the VPN connection works on FortiOS v7.6.7when the R12 intermediate certificate is manually imported into Windows.This seems to indicate that the client is not receiving the intermediate certificate from the FortiGate during authentication.The follow
I am currently trying to see the limits of Terraform in deploying configuration in Fortimanager and Fortigates. My goal is to beable to implement a webfilter on policies and install those policies and the package (FortiManager) related on the required target (Fortigate).Everything was working correctly until I added the webfilter profile. Terraform execution is working correctly. But in Fortimanager the taskfor installing the package results every time in "Error".I tried to push it using manually using the gui with the web filter profile created by terraform. There is no erro. I also tried to implement this partin Ansible and the problem is exactly the same.The module for implementing the firewall policies :resource "fortimanager_packages_firewall_policy" "tunnelInternet" { for_each = var.InternetPolicies scopetype = "adom" adom = local.get_adom_from_pkg_internet[each.key] pkg = each.value.pkg name = each.value.name policyid = each.value.policy_id srcintf = ea
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.