Celebrating our Community: Thank You for an Incredible Month
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Recently active
Hey guys,I'm failrly new to terraform and I was curious if fortigate managed app deployment within Azure vWAN is a good option/approach? Keeping in mind that rest of the infrastructure (vWAN, HUB/s, VNETs, NSGs, subnets..etc) is deployed using terraform, would there be any harm if NVAs are deployed manually?ps NVA deployment would be one time setup, no multiple environments (dev, prod, test) nor requirements for NVAs to be deployed more oftenEvery comment is appreciated
Hello.First, I apologize for my imperfect English. Recently, I started learning about networking using FortiGate.When running FortiOS v7.6.6, I configured IKEv2/IPsec VPN on a FortiGate 60F.At that time, the VPN connection worked correctly.However, after upgrading the FortiGate to FortiOS v7.6.7, the VPN connection stopped working.No VPN configuration changes were made between the upgrade and the failure.Based on the FortiGate logs and packet captures taken with Wireshark,I suspect that during the certificate authentication process,the intermediate certificate that should be sent from the server to the client is no longer being transmitted. After rolling back to FortiOS v7.6.6, the VPN connection started working again.I also confirmed that the VPN connection works on FortiOS v7.6.7when the R12 intermediate certificate is manually imported into Windows.This seems to indicate that the client is not receiving the intermediate certificate from the FortiGate during authentication.The follow
I am currently trying to see the limits of Terraform in deploying configuration in Fortimanager and Fortigates. My goal is to beable to implement a webfilter on policies and install those policies and the package (FortiManager) related on the required target (Fortigate).Everything was working correctly until I added the webfilter profile. Terraform execution is working correctly. But in Fortimanager the taskfor installing the package results every time in "Error".I tried to push it using manually using the gui with the web filter profile created by terraform. There is no erro. I also tried to implement this partin Ansible and the problem is exactly the same.The module for implementing the firewall policies :resource "fortimanager_packages_firewall_policy" "tunnelInternet" { for_each = var.InternetPolicies scopetype = "adom" adom = local.get_adom_from_pkg_internet[each.key] pkg = each.value.pkg name = each.value.name policyid = each.value.policy_id srcintf = ea
If i connect S1 “Fortiswitch” to S2 “Cisco ” Using trunk port and in trunk port I allowed VLAN 20 only on FortiGate i create policy to route between VlAN 10 and VLAN 20 Can PC1 in VLAN 10 ping to PC2 in VLAN 20 and if yes why and if no Why ? 2. Is trunk port control traffic between different Vlan when i allowed VLAN 20 only in trunk or FortiGate will control traffic between different vlan ?
Hi everyone,I'm running a FortiGate VM v7.6.2 in EVE-NG and I'm unable to activate the Evaluation License.EnvironmentFortiGate-VM64-KVM v7.6.2 EVE-NG Community Edition Port1 connected to Cloud1 (management network) VM Resources: 1 CPU 2 GB RAM Serial Number: FGVMEVSS0CLPWM3A What I've configuredPort1 IP: 10.136.208.183/24 Default Gateway: 10.136.208.215 Static Route: 0.0.0.0/0 via 10.136.208.215 DNS resolution appears to be working.Connectivity TestsWorking: execute ping 8.8.8.8Working: execute ping 1.1.1.1Working: execute ping google.comNot Working: execute ping forticare.comNot Working: execute ping forticloud.comLicense IssueWhen I go to:System → FortiGate VM License → Evaluation LicenseI enter my FortiCare account credentials and click OK.The GUI shows:"Requesting FortiCare Trial license, proxy:(null)"but nothing happens afterward and the license remains invalid.Current status: License Status: InvalidVM Resources: 1 CPU/1 allowed, 985 MB RAM/2048 MB allowedQuestionsDoes Forti
hi,we’ll loan a FG 100 F from our DC colo vendor to build a temporary IPSec VPN back to our HQ.this might run for 2-3 months that’s why we’ll only “rent’ the FW.my questions are:1.do i need to register the device to our FortiCloud asset?2.do i need to apply FortiFlex license for HW/OS coverage in order to use “higher” crypto protocols, i.e. AES 256, SHA 256, or do these come free?can i just skip items 1 and 2 since this is just a “loan” and temporary build?
Hi,I have an issue with the evaluation license of my new FortiGate v7.4.1 VM, I am trying to license my new FortiGate and I am using my account credentials to connect to the forticare server but it fails, I did some troubleshooting and I notice that I can't ping the forticare.fortinet.com but instead the service.fortiguard.net and update.fortiguard.net were pinged successfully. can you please assist me with this problem.
Environment:FortiClient VPN 7.4.3.4726 (free/standalone)SSL-VPN to remote gateway: vpn5.go.com.mt:443OS: WindowsVPN Configuration:Type: SSL-VPNPort: 443 (custom)Authentication: Prompt on loginSingle Sign On (SSO): DisabledClient Certificate: NoneIPv4/IPv6 dual-stack: DisabledIssue:When attempting to connect via SSL-VPN, the connection progress bar reaches 48% and then fails with a popup: "SSL connection is down".Credentials have been verified and reset multiple times. MFA is active and functioning correctly. VPN configuration appears correct.Errors observed in Notifications log:Too many bad login attempts. Please try again in a few minutes. (-455) — repeated multiple times throughout the dayToken denied or timeout. (-7105) — appeared earlier in the sessionWhat was already checked/tried:Password confirmed correct and reset multiple timesUsername confirmed correctMFA (token) is active and generating codes normallyVPN gateway and port (443) confirmed correctNo FortiClient EMS in use (stan
Hello Community,When I try to use a user I locally created in a vdom for a Dial-Up IPsec IKE v2 VPN with EAP enabled, I get a timeout from FortiGates internal EAP_PROXY according to the logs.When I switch the vpn to IKE v1 it works fine with the same local user.Same vpn and user configuration works fine, when I am not using any vdom.Has anyone a idea, what needs to be done to be able to use local users with EAP and IKE v2 on a vdom?FortiOS Version is 7.6.6.Output off the ipsec diagnostic is the following:[437] start_remote_auth-Total 1 server(s) to try[1915] handle_req-r=4[1139] __rad_rxtx-fd 11, state 1(Auth)[1140] __rad_rxtx-Stop rad conn timer.[1147] __rad_rxtx-[612] fnbamd_rad_make_access_request-[334] __create_access_request-Compose RADIUS requestfnbamd_dbg_hex_pnt[50] EAP msg from client (16) ...[595] __create_access_request-Created RADIUS Access-Request. Len: 175.[1175] __rad_rxtx-Sent radius req to server 'EAP_PROXY': fd=11, IP=127.0.0.1(127.0.0.1:1812) code=1 id=34 len=175[117
Fortiwifi 30E is about to end of support, So can I continue without license. Is any issue will come.
Hello everyone,we have a customer who would like to generate a monthly report using FortiAnalyzer that includes the following information:WAN gateway availability over the reporting period (monthly uptime/availability) Reachability of defined WAN targets (e.g. public IP addresses or external services) from the FortiGate Information about when WAN failover events occurred, including timestamps A summary of all failover incidents within the reporting periodThe environment does not use SD-WAN. Standard WAN interfaces and failover mechanisms are configured.Is it possible to create such a report using FortiAnalyzer?I don't have any knowledge of SQL, and despite extensive research, I have no idea how to implement this. If necessary, I would recommend Fortinet Professional Services to the customer.Any guidance or best practices would be appreciated.Thank you.KRNiko
FortiOS 70G: 7.6.7FortiClient EMS-pushed IPsec SAMLSAML response successGroup claim correctUDP/4500 reaches 70GIKE proposal contains matching AES256/SHA1 and AES256/SHA256 with DH14FortiGate still returns NO_PROPOSAL_CHOSEN
Hello,Has anyone managed to get a working configuration for FortiClient on Android while using SAML?According to the documentation this should be possible but for some reason I cannot seem to figure out this isnt working, something else that throws me off is the config with X.509 certificates in order to be able to configure the SAML port, while having EAP disabled and SSO enabled.I have a working setup for windows clients working, a separate IPsec tunnel from the one I’ve conducted my tests using a networkid but on the Android phone after the IdP prompt where I enter the credentials it doesnt do anything.FGT: 7.4.11FCT: 7.4.6IdP: Keycloak
HiIs there a list of the available column names?I like to use:config system settings set gui-default-policy-columnsAnd I’m wondering how to include “Security Posture Tag” or “Hits”.Thanks
Hello Everyone,I am looking for some guidance and best practices for an upcoming internal office Wi-Fi project. Our Current Setup:We are using a FortiGate 200E firewall. Currently, all office users connect to the Wi-Fi seamlessly using MAC address binding. Our Goal:Management wants us to move away from MAC binding and authenticate our Wi-Fi users using our Microsoft Entra ID cloud environment instead. Our Main Requirement:The priority is a completely seamless, invisible user experience. We want to avoid a daily Captive Portal (web pop-up) where users have to manually type their Microsoft credentials every morning. We want an invisible 802.1X / WPA2-Enterprise style connection where they turn on the laptop and it connects automatically.My Questions:1. Does the FortiGate 200E natively support a direct 802.1X connection to Microsoft Entra ID without needing an extra RADIUS server in the middle?2. If a RADIUS server (or a tool like Forti Authenticator) is strictly required to achieve seaml
we have tried uninstalling the program and running the FCCleanuninstall program, rebooted after each step, ran installer: still will not ask for user’s credentials not DUO authentication
Hello everyone,I recently got a used FortiGate 40C from a company. I successfully registered and transferred it to my FortiCloud account and everything seemed fine at first.However, today when I tried to power it on, it doesn’t boot properly anymore:The PWR LED stays solid (on).The WAN port LEDs blink when I connect cables.The LAN port LED does not blink at all when cables are connected.When I connect via console cable, I get no output on the terminal (I tested the cable with another fortigate and it works normally).It looks like the device is stuck and not completing the boot process.Has anyone experienced something similar with a FortiGate 40C? Is there any recovery method (like TFTP or firmware reload) that I could try, or does this usually indicate a hardware failure?Any help or guidance would be greatly appreciated.Thanks in advance!
HI EMS adminsBoth EMS and FCT are 7.4.4.On Forticlient, ZTNA Destinations tab, I noticed there is a button to disable/enable ZTNA.I couldn't find a way to remove this button. I thought this should be doable from EMS on the ZTNA profile but didn't find such feature.The other problem is that ZTNA is disabled by default on FCT, and the user has to enable by clicking the button it in order to work. My requirement is to enable it by default and remove the button. This is because many users are not familiar with FCT and we try to make your experience as simple as possible.Any idea if this is doable and on how to do it?
Hello everyone, Recently I’ve encountered issues with FortiOS 7.6.5 and 7.6.6.We are running an on‑premises Exchange Server with access via OWA/ECP.Instead of a regular VIP, we publish this using a Virtual Server (load balancer) on the FortiGate.No ZTNA, FortiProxy, Endpoint Management, just a FortiGate with access to Exchange.The setup is straightforward: HTTPS on port 443, a public record, a wildcard certificate, and a mapping to the real server.With FortiOS 7.6.4 everything works correctly and OWA/ECP loads as expected. However, after upgrading to 7.6.5 or 7.6.6, opening the OWA page immediately results in:504 Gateway Timeout: remote server did not respond to the proxy.No changes have been made to the Exchange Server configuration — only the FortiGate firmware upgrade.Rolling back to 7.6.4 resolves the issue, but we would prefer to stay on the latest version.Has anyone experienced this, or does someone have an idea what might cause it? Best regards,Tim
in FortiGate troubleshooting, you already know diagnose debug flow is the single most useful diagnostic tool on the platform — and also one of the most intimidating the first few times you read its raw output. A live capture throws dozens of lines at you per packet, each tagged with a func= value that tells you exactly which internal processing stage that line belongs to.Enabling Function Names in Debug FlowBefore any of this is useful, you need function names switched on in your capture:diagnose debug flow filter addr <ip-address>diagnose debug flow show function-name enablediagnose debug flow show iprope enablediagnose debug console timestamp enablediagnose debug enablediagnose debug flow trace start 100 A quick clarification worth knowing: function names appear to be produced in the output regardless of whether show function-name enable is set, but Fortinet still recommends explicitly enabling it. The show iprope enable line is separate and important on its own — it reveals th
For FortiEdge Cloud, how do you assign different user accounts to have access to different networks?I believe this used to be accomplished using the Multi Tenancy license and sub accounts, correct?Since this can’t be ordered anymore and is going away, how do you do it using the new organization method?
To automate our Layer7 VIPs which use 1 year Certificates - We are starting to look at 3rd party vendor to assist with Certificate replacement that are quickly marching towards 47 days: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days I have been doing this once a year....but to do it every month manually I cannot/do not want to imagine due to the inordinate time suck to coordinate with all the developers to validate/test...it feels like an endless loop I would rather have no part in. Has anyone successfully used a 3rd party vendor like Digicert or Venafi to set this up with your FortiADC-VM load balancer. It seems like they support LetsEncrypt (Open Source)/ Buypass (European) - but I would prefer to buy a product with full support. This type of functionality seems to be quite sparse and I am having difficulty finding any products compatible with my FortiADC-VM load balancer running 7.6.2. I understa
Hello,I have tried to change the IP-address of a device connected to a FortiAnalyzer.However, it seems not possible to change the IP-address, in the webb-GUI. When reading user guidelines, I figured it should be possible to do this,See attached picture. Any idea on how I can do this? Do really I have to remove the device completely from the analyzer and then add it again? Erik
Hi everyone,I’m reaching out because I’m a bit stuck. I've taken the Fortinet NSE 5 - Secure Wireless LAN 7.4 Administrator exam (FCP_FWF_AD-7.4) three times now and haven’t been able to pass it .To prepare, I’ve gone through all the official study materials, watched the training videos, and done practice exams multiple times. I feel like I understand the concepts, but something isn't clicking on the actual exam.For those who have successfully passed, what did you do differently?I have a few specific questions: Exam Content: The exam has a "Pass/Fail" grading system . Does anyone have insight into how the questions are weighted or what the score distribution looks like? Study Strategy: The official course recommends a background in FortiGate and FortiAuthenticator, as well as basic wireless knowledge . I have a foundation there, but what are the "make or break" topics to focus on? Practice Exams: I've been using practice tests, but I saw a recent post mentioning that many exam ques
We recently upgraded from 7.4.4 to 7.4.5.In the meantime, the workstations have also been replaced with Windows 11 and are now Azure AD (Entra ID) Joined instead of AD joinedDeployment at workplaces is done via Intune / Patch my PCWhen I currently do a search in the Forticlient EMS console for an endpoint, I see the endpoint, but also 3 or 4 other endpoints in the search result. These "extra" endpoints can be seen with every searchI only expect to see the one endpoint I'm looking forIs there a duplicate GUID, Hash, or something like that somewhere?
Already have an account? Login
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.