Support Forum

I currently have 4 FortiAP's managed by a Fg-40f the 40F is only job in life is to manage those AP's and the switches, I had it laying around its cheaper to keep paying for forticare for it than run cloud managed.I am currently in bridge mode, 3 of the AP's are local and one is remote connected to a FG-60F on the remote side and managed by the local FG40 via an IPSec tunnel. I have the ability to run UTP on the AP's but didn't buy the AP UTP license since that is currently handled by a pair of edge Fortigates.I have noticed that some stats just don't show up and I am guessing its because I am in bridge mode. Are there any benefits from running one or the other I should be considering? I ran bridge because each AP has two home runs to two different fortiswitches for hittless poe failover and I assume data failover. So in my mind tunnel mode brought those AP's into a single point of failure, however I just ordered a pair of 70Fs to replace my edge firewalls and could in theory run an HA

Hello everyone,I’m encountering a strange behavior with my FortiNAC architecture (v7.4.2) running in Layer 3 mode. Everything was working perfectly for months, but suddenly, the VLAN assignment logic seems broken.My Setup:FortiNAC Version: 7.4.2Mode: L3 with Registration VLAN activated.DHCP: Pool declared directly on FortiNAC for the Guest/Registration scope.Switch Configuration: Standard Radius config applied to the ports.Port Group Membership: Initially, only "Role-Based Access" was checked.Troubleshooting attempted: To mitigate this, I recently had to check "Forced Registration" in the Port Group Membership settings. However, I never needed this before; it used to work perfectly with only "Role-Based Access" enabled.Question: Why did the default behavior change? Has anyone seen a bug in 7.4.2 where unknown hosts bypass the Registration VLAN and get Production access by default?

We have about 100 users using FortiClient (a mix of 7.2.11 and 7.2.12) on Windows 11 laptops (mostly 25H2 but some 24H2) to connect an IPSec tunnel to a Fortinet VM hosted in Azure (UK South). Some users (such as myself) never get connection issues, but some continually report that the VPN drops multiple times during the day. We've done the basic troubleshooting (restart Windows, sit close to the wireless access point, try a cable, speed tests, etc) but we're still unsure what causes this and how we can resolve it.We opened a ticket with Fortinet to send logs and get to the bottom of this but thought I'd ask the community to see if others have found ways to maybe make it more stable and drop less frequently.Your thoughts are very welcome :)

Hello.I've deployed FSSO CA agents on 2 domain controllers (same domain) to enable HA from FGT.I have not deployed the DC agents. Configuration of both CAs is identical, both monitoring the same 2 DCs using WMI polling. The problem is that 'show logon users' on both CAs shows different information .... some logons are shows in both CAs, some only on either one. Refreshing/clearing the logon cache doesn't help. Any ideas what could be wrong?

Hello, After upgrading our FortiAuthenticator (FAC) to version 6.6.7, we noticed that importing remote users from Active Directory via LDAP is taking significantly longer than before. Specifically, the group membership refresh is very slow. We now have to wait at least one hour before newly added users appear in the corresponding LDAP group.

I configure user SSO for FortiNac and after i enter the Entra credential using captive portal then i got this error. Anyone know how to fix this?

Hi,I'm configuring my first Fortinac.I have a problem whit switching vlan. When I plug on switch an pc  Fortinac receive snpm trap but the switch to isolation vlan is done after 40/50 seconds about.So pc get IP of production and after switching VLAN it don't get a IP of isolation subnet until I do ipconfig /renew.here what I see on switch:Aug 28 15:06:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to upAug 28 15:06:59: %SYS-5-CONFIG_I: Configured from console by admin on vty1... Could you help me? Thanks in advance

Hello guys, I am currently facing an issue with user authentication when connecting to dialup IPSec IKEv2 VPN using SAML authentication through FortiAuthenticator.Ending with this error:Generated some random hash or something instead of user name and reason is SAML auth resp is not detected. Here is part my configuration:config system global     set auth-ike-saml-port 1001     set remoteauthtimeout 120 config user saml    edit "saml_FAC"    set cert "*.secret-2026"    set entity-id "http://vpn.secret.cz:1001/remote/saml/metadata/"    set single-sign-on-url "https://vpn.secret.cz:1001/remote/saml/login/"    set single-logout-url "https://vpn.secret.cz:1001/remote/saml/logout/"    set idp-entity-id "http://fac.secret.cz:4433/saml-idp/ipsecvpn/metadata/"    set idp-single-sign-on-url "https://fac.secret.cz:4433/saml-idp/ipsecvpn/login/"    set idp-single-logout-url

Hello, I would like to know if someone know how can deal with this kind of information leakage. After doing some tests, i didn't see any log using this kind of app "googlesyncfs.exe". Therefore, i cannot create any policy in FortiDLP to avoid this kind of information leakage. It seems like that app ofuscates this file transfer making it really hard to monitor the activity. I've seen that there's one post about drag and drop block uploads by default using FortiDLP, but i doesn't work in this case. I really appreciate any kind of tips you can give me. Best regards.

Hi Everybody,As we (hopefully) all know, SSLVPN tunnel mode will be discontinued in FortiOS 7.6.3. This is definitely a step in the right direction and I don't challenge that decision at all.Now, there's a lot of guides to move to DialUp IPSec and ZTNA. The thing is however, it all is so cumbersome compared to SSLVPN. For instance:- With IPSec, you need to deploy either a PSK (which is not very wise) or certificates, but if you have some external user you'd need to give him a certificate and it's already hard enough if you just have a user/password combo.- With IPSec you can do SAML, sure, but you still need a PSK or a certificate.- ZTNA is nice and all, but you can't have a tunnel which is essential for many of the use cases that revolve around managing devices that are attached to the network (think of: building automation, things like that)...and the list goes on. There's just no easy solution from Forti which I am aware of.So, right now, we're evaluating another approach, basically

Hello everyone, I am new to Fortinet products and have two questions regarding password history thresholds and account lockout settings. I have already reviewed the available online documentation and community forums but was unable to find definitive answers.  Thank you. How can I check the current account lockout settings from the command line? The documentation I found only explains how to configure (set) these values, but not how to display the existing configuration.config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds> end 2. What is the expected outcome if the Password history threshold is set to 3, while Allow password reuse → Specify is set to 8? According to the administrator guide, the reuse value must be lower than the password history threshold. In this case, which setting would take precedence, and how would the system enforce the policy?   

It was updated to this version and the eye icon that allowed you to see the password in plain text no longer appears in the wireless controller where the SSIDs are located. Any Help?

With FortiAuthenticator we have correctly installed everything for MFA with Windows. Login works properly, but the offline token is not working.We have enabled everything according to the guide, and everything appears to be configured correctly, but in the log there is a 403 Forbidden error on the REST API callI am attaching the log.Could that be the reason why the offline token is not available? What could the issue be?Thanks to anyone who can help me. 2026-02-11 10:47:05,149 [8900| 28|DEBUG] RestAPI: GetOfflineTokens queued asynchronously2026-02-11 10:47:05,165 [6592|14024|INFO ] :  Credential::FetchEmergencyToken: Sending EmergencyTokenRequest to service2026-02-11 10:47:05,165 [8900| 17|DEBUG] FAC_Agent.Service.Impl: Processing EmergencyTokenRequest for domain: xx, username: xx, UPN: xx2026-02-11 10:47:05,180 [8900| 36|ERROR] TwoFactorAuthenticator: WriteOfflineTokens: cannot proceed because of bad server response: 403...2026-02-11 10:47:05,227 [8900| 36|DEBUG] RestAPI: Ca

Hello, I opened a case with support asking about a 7.4.4 version of Forticlientvpn only for windows , they suggested we post here.  My questions are:1) Is there a version of forticlient vpn only 7.4.4 coming out for windows?2) If no can you verify if forticlient vpn only 7.4.3 for windows is not susceptible to https://fortiguard.fortinet.com/psirt/FG-IR-25-685 Thanks!

 Hi all,I would like to clarify a best practice regarding the management of local users on FortiGate when the device is managed by FortiManager.Scenario:FortiManager 7.6.xFortiGate clusters running FortiOS 7.4.xDevices are fully managed by FortiManager (policy packages and device settings)Multiple VDOMs in useQuestion:Local users are configured under:config user localThese users are used for:SSL VPN authenticationExplicit proxy authenticationFrom my understanding:Local users are defined directly on the FortiGateFortiManager does not natively manage them as part of policy packagesWhat is the recommended approach in production environments?Specifically:Is it considered best practice to manage local users directly on the FortiGate even when the device is managed by FortiManager?Is there any supported/reliable way to manage local users from FortiManager without risking inconsistencies or purge during install?How do you handle scenarios where local users are actively used (e.g. proxy o

We have about 60 FortiGates connected to a FortiManager.  The FortiManager is only used for config backups.  I want to setup firmware updates to install automatically once they are released. If we did not have a FortiManager I could simply enable automatic firmware updates.  Because it is connected to a FortiManager those are disabled.  I reached out to FortiNet Support and worked with a tech and we found no way to enable them from the FortiGate side.  Blocking FortiManager does not allow for the local setting to be enabled. In the FortiManager I am not seeing a way to setup automatic firmware updates, or enable the automatic firmware updates to be enabled on the FortiGate. I see I can schedule FortiGates to update to 7.4.11 on Sunday of this week, but it looks like I have to manually adjust that every time a new firmware comes out.  We don't want all the FortiGates to update on the same day, so we will have several of these to spread out th

I've just installed  FortiClient VPN  the .deb package from here https://www.fortinet.com/support/product-downloads .installed with `sudo dpkg -i ...` Setupd the configuration ( as I have on my windows pc and on my android ) when I try to connect I get the following in the journal:    iul 29 14:23:43 station1 kernel: iked[283119]: segfault at 28 ip 000000000045195d sp 00007ffe2a7e6900 error 4 in iked[400000+891000] iul 29 14:23:43 station1 kernel: Code: 4c 89 e5 48 89 44 24 38 48 8d 84 24 88 00 00 00 45 89 d4 45 89 de 48 89 44 24 50 48 8b 45 00 45 89 f5 31 ff 31 db 4a 8b 0c e8 <8b> 51 28 85 d2 74 42 48 8b 71 20 8d 7a ff 31 db 48 8d 46 08 4c 8d iul 29 14:23:43 station1 fctsched[283131]: /opt/forticlient/iked: invalid option -- 'P' iul 29 14:23:43 station1 regolith.desktop[281914]: 14:23:43.573 › VpnHandler UNHANDLED {"isTrusted":true} iul 29 14:23:43 station1 fctsched[283131]: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus iul 29

I am diving into the world of ZTNA and figuring things out still. Ai is suggesting the use of a loopback interface, but I am not really seeing much in regards of any documentation of ZTNA and loopback together. It's suggestion was to create a VIP to my loopback, specifying my loopback in my ZTNA server config, then if I wanted to have the same consistency between my internal and external users, to hairpin ZTNA so those internal users hit my public IP. Thoughts?

Hi all, I tried installing forticlient VPN onto my new computer - Surface Laptop 7. However, it shows the following error. Anyone able to support to rectify this issue? 

LS, We have on multiple locations a distribution layer consisting of S424F switches with the S148F or E or S124F or E versions in the access layer. We have seen on one location the following error message in the analzyer. On one location we had a complete network black out.On one location we are having currently cisco switch in de access layer and are installing the S148F units and connecting them to the distribution layer. Only connecting causes intermitting networking issues. To mitigate this we have disconnected the new switches from the distribution layer and the migration project is currently paused. We are running 7.4.8 or 7.4.9 FortiOS on all our switches. Looking around, are we on our own, I did find this one.https://www.reddit.com/r/fortinet/comments/1rv2i1g/high_cpu_spikes_on_fortiswitch_148ffpoe_when/So the good news is we are not alone.  Looking into the Analyzer, Logview, Event, Switch Controller (filter=msg~"CPU_SENSOR")datetimevdtypesub

 Hi everyone,I am experiencing a very strange display behavior on my FortiLink topology after adding a new device.Context and Versions:FortiGate: FGT-200F running v7.2.13 build 1762 (Mature)FortiSwitches: 8x FSW-148F running v7.6.6 build 1137Topology managed via FortiLink.Issue Description: Up until yesterday, I had 7 switches deployed and everything was working perfectly. The physical inter-switch links (ISL) appeared correctly in the "FortiSwitch Ports" section as "dedicated to connect to peer FortiSwitch".Then, I added an 8th switch ("03" on image 1) using our standard procedure, daisy-chaining it behind another FortiLink-managed switch ("02"). Right after connecting it, ALL our switches lost the "dedicated to connect to peer FortiSwitch" status on their uplinks/downlinks.Now, the physical ports connecting the switches together appear as shown in screenshot #2:They are tagged as simple "Edge Ports".Their Native VLAN is _default.Forti_Link (_default) and Allowed VLAN is quaranti

I'm trying to install the FortiClient package on Fedora Workstation 43, which doesn't seem to be properly tested for this distro. I am using the official guide mentioned here. The reason for posting the issue here in the community is to gain the attention of FortiClient developers so they can resolve the issue promptly.   ~ sudo dnf install forticlientUpdating and loading repositories:Repositories loaded.Package Arch Version Repository SizeInstalling:forticlient x86_64 7.4.6.1867-1.el7 repo.fortinet.com 611.7 MiBTransaction Summary:Installing: 1 packageTotal size of inbound packages is 186 MiB. Need to download 186 MiB.After this operation, 612 MiB extra will be used (install 612 MiB, remove 0 B).Is this ok [y/N]: y[1/1] forticlient-0:7.4.6.1867-1.el7.x86_64 100% | 4.0 MiB/s | 186.5 MiB | 00m47s-------------------------------------------------------------------------------------------------------------------------------------------------[1/1] Total 100% | 4.0 MiB/s | 186

Hello everyone,we would like to distribute an IPSec tunnel configuration to other users, including external contractors, using the export/import of an XML file.However, I’ve noticed that when a user imports such an XML file, it overwrites all previously configured tunnels.Is there any way to create an XML file that allows users to import only one or several tunnels in a simple and user-friendly way, without replacing all existing ones?Thank you very much in advance for your help!

Hi all,Has anyone experienced an issue where, after a FortiManager upgrade, routing entries were unexpectedly removed from a routing template?In our case, four static routes (including the default route) disappeared from the routing template itself — not directly from the FortiGate configuration, but from the template in FortiManager. As a result, when templates were pushed, the routes were also removed from the managed devices, causing connectivity issues.Additionally:The routes were no longer present in the template database after the upgradeRe-adding them led to conflicts during install (likely due to ordering or object inconsistencies)I’m trying to determine whether this behavior is:A known issue related to template migration during upgradeA change in how routing templates are handledOr a one-off corruption/inconsistencyHas anyone seen similar behavior or has insight into this?Thanks!

 Upon opening Forticlient VPN a bunch of users seem to get this error, the only work around so far was uninstalling and re-installing. However noticing that this problem comes back again after a while. System is Windows 11 25h2 with latest updates. Visual C++ latest redistributables installed.  What other