Support Forum

Just curious, would it be too much to ask that we be given materials that we can actually highlight and make notes on when studying for the NSE Exams? I have a PDF for the self-paced NS4, but I can't modify this document with personal notes or annotate sections that I need to call out to myself.

Details:Could you kindly explain fml cloud working with an on-prem exchange server?

Working on a FortiManager–FortiGate integration scenario and observed an interesting behavior — looking for insights from the community.I configured the following directly on FortiGate:Firewall policiesAddress objects & groupsStatic routesPrefix listsRoute mapsEverything works perfectly on the firewall.However, when I perform “Import Configuration” into FortiManager:Policies, objects, and static routes are imported correctlyPrefix list and route map names appear, but their entries/content are missingOn the other hand, when I perform a “Retrieve Configuration”, I can see the full configuration including prefix list and route map entries.So the questions:Why does FortiManager import process not fully bring in prefix list / route map configurations?Is this expected behavior (device-level vs policy-level separation), or a limitation/bug?What is the recommended production approach to manage routing objects like prefix lists via FortiManager?Would appreciate insights from anyone who has

Hello There,1- I have been facing an issue with IPsec and need your opinions plz.i have sdwan zone with 5 wan links for internet, site-to-site is configured binding wan1 and works fine, once i confure ipsec-remote vpn on wan1 it works fine too but site-to-site goes down after some time and does not come up unless i completely delete the remote vpn.2- I decided to setup remote vpn on another wan link to avoid any possible conflict having at wan1, but remote vpn does not work at all at WAN2 or WAN3, even though the sdwan rule also created for port 500 4500 via wan2-wan3.

Dear all, I was reading fortigate article related to active-passive mode for primary unite selection criteria. 1. Monitored interfaces - unite with fewest failed monitored interface.2. uptime - unite with highest HA uptime becomes primary3. priority - highest4. serial no - highest If override is disabled.Now the question is that - based on the highest as attached snapshot device will become primary if cluster uptime is higher. but  if cluster uptime is less than 300 seconds will not become primary.   Thanks in adavnced. 

Our ISP recentlly upgraded our internet speeds to 4GB, Is it possible to use a 10gb tranciver in one of the open ports and use that as my WAN port? So I get better speeds (I know i wont get better speeds from desktops etc but I do have 4GB to 4GB site to site vpn tunnels that I do some backups over so it would help speed and time. Thanks in advance.

Hi all,I'm trying to get RADIUS accounting packets from a Windows Server NPS (RADIUS) to be forwarded to a Fortinet FSSO Collector, but I'm stuck.Here's my setup:NPS is authenticating 802.1X Wi-Fi logins using PEAP/EAP-MSCHAPv2.Accounting forwarding is enabled in the Connection Request Policy (CRP) – the option “Forward accounting requests to this remote RADIUS server group” is checked.The Remote RADIUS Server Group points to the FSSO Collector (IP: 10.81.0.36, port: 1813, shared secret OK).In the FSSO collector itself, RADIUS accounting is enabled, listens on 1813, and matches the shared secret.Wireshark confirms that UDP packets on port 1813 are never sent.Every time a user authenticates, NPS logs this in Event Viewer with:pgsqlKopírovaťUpraviťLogging Results: Accounting information was written to the local log file.What I’ve tried so far:Recreated the CRP from scratch with minimal conditions (NAS port type only).Made sure CRP is at the top of

I need to update the firmware on it because the credentials are lost. but now I cant get a new download, or register the product past end of life. Is there anything I can do?*I was able to make an informed decision. Thank you everyone

Hi, I use the FortiClient Single Sign-On Mobility Agent and I am facing an issue: FAC registers all user IP addresses.Let’s consider two users: one connected remotely through VPN and one connected from the corporate LAN. The home network IP address of the remote user overlaps with the IP address of the user in the corporate LAN. As a result, one of the users is removed from FortiGate/FAC with the following error:Internally logoff and removing FortiClient item 11024-HR.xxx.xxx:192.168.12.26 [xxx.xxx/jshith] (all IPs conflicting).I believe that during the initial FAC/EMS configuration I chose the option to register all IP addresses, but now I cannot find this setting. I am not sure whether I am simply overlooking it or whether it disappeared after an update.How should this be handled? Regards, Lukasz

Hi everyone,I’ve deployed an IPsec dial-up VPN to allow users to connect via FortiClient.The VPN uses IKEv2 and a RADIUS server, and all users belong to the emergency group.After configuring FortiClient with all the correct phase 1 and phase 2 parameters, I consistently get the following error when trying to connect:"WRONG CREDENTIAL EAP FAILED CONNECTING TO 8.x.x.x"Below I’ve included the phase 1 and 2 configuration, along with the log captured from the FortiGate.The log clearly shows that the user is correctly identified, as well as their group membership.However, shortly before the error, this message appears:ike V=Vpn:1:Emergency:1804 EAP 14757603831873 result FNBAM_DENIED ike V=Vpn:1:Emergency: EAP failed for user "jjonh"Phase1 configuration:edit "Emergency"set type dynamicset interface "WAN"set ike-version 2set peertype anyset net-device disableset mode-cfg enableset ipv4-dns-server1 8.8.4.4set proposal aes256-sha256set dpd on-idleset dhgrp 14set eap enableset eap-identity s

Hi everyone, I've got the guest flow working — guests get isolated, hit the captive portal, self-register, and get moved to the guest VLAN. SNMP, MAC learning, and L2 traps are all configured and working on the switch side.Now I'm trying to set up the employee flow and I'm not sure what the best practice is. For employees I want them to authenticate against Active Directory and then get placed into the employee VLAN automatically. My question:For AD-authenticated employees, is the captive portal still the recommended approach or should I be looking at dot1x instead? (It is a wired network, no wireless).Any advice or example configs would be greatly appreciated. Thanks!

Hello everyone,  I have a question regarding guest self-registration accounts in FortiNAC. Guest accounts are configured with a validity period of 24 hours. Once the account expires, I’m trying to locate the history or record of that account. The only place where I can still see some trace of them is under the Account Requests section. Could anyone please clarify where expired guest accounts are stored, or how we can access their history after expiration? Is there a specific log, report, or database section that retains this information? BR,

Hi All, I am quite new to FortiNAC and would appreciate some guidance. A recent vulnerability assessment identified TLS-related issues on a FortiNAC 500 running version 8.7. Based on our checks, the device is already EOL/EOS. However, immediate replacement is not currently possible, so we are exploring mitigation options. The vulnerability recommendation is to disable TLS 1.0 and TLS 1.1 and allow only TLS 1.2 or higher. May I know whether this EOL FortiNAC system supports disabling TLS 1.0/1.1 through configuration without upgrading the firmware? Any advice or recommended workaround would be greatly appreciated. Thank you very much.

Hi all,I’m looking for advice or similar experience with a layered VPN design on FortiGate.Topology  The core transport network is built on FortiGate devices using VXLAN over IPsec across the Internet (site-to-site).Inside the VXLAN, there is a single L2 broadcast domain, and over this network I establish a second (service) IPsec tunnel between two FortiGate devices (for a specific customer).Behind the service (customer) FortiGates:On one side: a serverOn the other side: a client PC Problem:Throughput between the client PC and the server is very low (~9 Mbps).Testing is done using iperf.What I verifiedIf I connect the customer FortiGates directly (without VXLAN) or over the Internet with a single IPsec tunnel, I get around 500 Mbps.This seems to rule out:FortiGate performance limitsPC/server performanceInternet bandwidth issuesHypothesisI suspect the issue is related to MTU / MSS / fragmentation due to multiple encapsulation layers:inner IPsecVXLANouter IPsecHowever, I’m not sure:

Currently for contractor user the fortinac will use captive portal using entra ID before gain access to the network.If I only use SSO for the authentication then same contractor user can use any workstation to access the network. Some one here know can we limit the device for single user, example using mac address restriction?I try register manually the devices and assign the device to group named 'Contractor' then if this device plugged to the switch then fortinac open the capive portal and showing the device was registered, the captive portal not bring to login page.

Hello, I'm trying to do a lab with a trial version of fortianalizer (7.4.10) and fortigate (7.4.11) and I can't do the connection. When setting the IP of the analizer on the logging settings on the fortigate I get "no connection".They are on the same network, already enable the fgfm on the interface. Can ping both analizer from fortigate and vice versa.  The config that I have on Fortigate:config log fortianalyzer setting    set status enable    set server "192.168.0.102"    set certificate-verification disable    set ssl-min-proto-version TLSv1end The config that I have on Analizer:config system global    set adom-status enable    set enc-algorithm low    set global-ssl-protocol tlsv1.0    set hostname "FAZ-01"    set oftp-ssl-protocol tlsv1.0    set ssl-low-encryption enable    set timezone 91    set usg enableend Log from analizer

So, I can export a profile, encrypt it, and successfully create it. However, when I import said profile, none of the connections work, and just timeout when trying to connect. No idea what is happening. The restore of the config is successful, but for whatever reason, the config that just worked when it was exported does not work correctly when it is imported. Ideas?

Hello everybody,we are using the FortiClient EMS Server Appliance and want to use our private step-ca as the ACME server for the EMS certificate, including automatic renewal.We do not want to expose EMS to the internet just to use Let’s Encrypt, and we would also like to avoid manual certificate replacement.Has anyone done this with the EMS Appliance, and if yes, how did you get EMS to trust the private ACME CA? Thanks in advance

Hello all,has anyone noticed any issue while loading the dashboard of the EU portal for the forticloud ? i'm able to connect but the dashboard fails to load (portal.eu.fortigate.forticloud.com)

Due to a recent vulnerabiliy reported on 7.4.9 i need to upgrade to 7.4.11 but in the fortigate GUI unders system firmwares i can only see upgrae to 7.4.10 available. However on the support portal 7.4.11 image is available for download ?  Does this mean 7.4.11 not recommended for upgrade ? why it is not showing in upgrade path 

Has anyone seen this on a 6300F or 6500F? Looking for a cleaner fix than rebooting the FPC.Specifically wondering:1. Is this a known bug in 7.6.x with a fix in a later build?2. Is there any way to reclaim kernel slab memory without rebooting the FPC?We had an incident last night where FPC1 on our 6300F started dropping packets after about 16 days of uptime. The other 5 FPCs were completely fine. Rebooted FPC1 and everything came back to normal immediately. The log message we saw:fw_forward_handler line=788 msg="The system is in extreme-low-memory state. Drop the packet."When we dug into it with diag hardware sysinfo memory we found the problem — SUnreclaim on FPC1 had grown to 22GB while every other FPC was sitting at around 600MB. MemFree on FPC1 was down to 2%. At incident:FPC1 - SUnreclaim: 22,029,000 kB :warning: - MemFree: 692,292 kB (2%)FPC2 - SUnreclaim: 626,632 kB - MemFree: 21,902,960 kB (66%)FPC3 - SUnreclaim: 621,352 kB - MemFree: 21,918,292 kB (66%)FPC4 - SUnrecla

I currently have 4 FortiAP's managed by a Fg-40f the 40F is only job in life is to manage those AP's and the switches, I had it laying around its cheaper to keep paying for forticare for it than run cloud managed.I am currently in bridge mode, 3 of the AP's are local and one is remote connected to a FG-60F on the remote side and managed by the local FG40 via an IPSec tunnel. I have the ability to run UTP on the AP's but didn't buy the AP UTP license since that is currently handled by a pair of edge Fortigates.I have noticed that some stats just don't show up and I am guessing its because I am in bridge mode. Are there any benefits from running one or the other I should be considering? I ran bridge because each AP has two home runs to two different fortiswitches for hittless poe failover and I assume data failover. So in my mind tunnel mode brought those AP's into a single point of failure, however I just ordered a pair of 70Fs to replace my edge firewalls and could in theory run an HA

Hello everyone,I’m encountering a strange behavior with my FortiNAC architecture (v7.4.2) running in Layer 3 mode. Everything was working perfectly for months, but suddenly, the VLAN assignment logic seems broken.My Setup:FortiNAC Version: 7.4.2Mode: L3 with Registration VLAN activated.DHCP: Pool declared directly on FortiNAC for the Guest/Registration scope.Switch Configuration: Standard Radius config applied to the ports.Port Group Membership: Initially, only "Role-Based Access" was checked.Troubleshooting attempted: To mitigate this, I recently had to check "Forced Registration" in the Port Group Membership settings. However, I never needed this before; it used to work perfectly with only "Role-Based Access" enabled.Question: Why did the default behavior change? Has anyone seen a bug in 7.4.2 where unknown hosts bypass the Registration VLAN and get Production access by default?

We have about 100 users using FortiClient (a mix of 7.2.11 and 7.2.12) on Windows 11 laptops (mostly 25H2 but some 24H2) to connect an IPSec tunnel to a Fortinet VM hosted in Azure (UK South). Some users (such as myself) never get connection issues, but some continually report that the VPN drops multiple times during the day. We've done the basic troubleshooting (restart Windows, sit close to the wireless access point, try a cable, speed tests, etc) but we're still unsure what causes this and how we can resolve it.We opened a ticket with Fortinet to send logs and get to the bottom of this but thought I'd ask the community to see if others have found ways to maybe make it more stable and drop less frequently.Your thoughts are very welcome :)

Hello.I've deployed FSSO CA agents on 2 domain controllers (same domain) to enable HA from FGT.I have not deployed the DC agents. Configuration of both CAs is identical, both monitoring the same 2 DCs using WMI polling. The problem is that 'show logon users' on both CAs shows different information .... some logons are shows in both CAs, some only on either one. Refreshing/clearing the logon cache doesn't help. Any ideas what could be wrong?