fsyong
New Member
September 11, 2008
Question

very bad experience with Fortigate

  • September 11, 2008
  • 8 replies
  • 10466 views
Just joined a company; the VPN is a Fortigate 60, OS 2.5. After I changed some settings, I cannot access the web interface anymore. Executed factoryreset, no web access to the interface. Reset many times; occasionally, using the static DHCP setting, the VPN can get an IP address from the DHCP server and be accessed by web!! After I updated the OS to MR7, a client complained about the SSL VPN client to Germany. He just used our internet to VPN to Germany. Failed. Can somebody post some pictures to show how to configure the VPN? Another user complains that his VoIP mobile phone software (similar to Skype) can never get online, or maybe just for 10 mins. Really bad service. No more Fortigate.

    8 replies

    FortiRack_Eric
    New Member
    September 12, 2008
    Are you the kind of guy that buys a car, takes the engine apart and rebuilds it, and if it's not working blames the car manufacturer?
    fsyong (Author)
    New Member
    September 12, 2008
    What? We have purchased a service contract with Fortigate since 2004. The tech replied to emails after 1-2 days; when I called them, they said you need to go to the website and get a ticket, then the tech will respond!! Remember: reset to default should let you access 192.168.1.99 anytime. Remember: we bought the item in 2004, so it is kind of old, but we paid money for the warranty!!! Do you have experience of a whole company's users having an internet problem and the vendor not responding?
    Contributor
    October 15, 2008
    It seems I have met such problems too.
    fsyong (Author)
    New Member
    September 12, 2008
    Thanks for your reply. I cannot remember what kind of setting I made, maybe just added a new account; definitely no firewall rules applied. When you use the console to execute a factory reset, you know what I mean: factory reset means nothing applied, you should connect to the 192.168.99. Nothing to do with my configurations, just factory default!! Don't suspect my experience in setting IP, mask, cabling. But in fact you cannot ping from the console to outside, and you cannot ping from outside to the interface. You can also switch to DHCP mode and get an IP address from the DHCP server, but the same message: network unreachable.... Everybody told me to use TFTP; with network unreachable, how can you connect to a TFTP server? Strange things: I used mode dhcp, the Fortigate can get the IP address from my DHCP server, but still cannot ping in/out. One time I could get into the interface; when I moved it back to the server room, power on/off, no access again. When I tried to access the interface, no rules were applied, no special settings except IP address and netmask. Again, I tried reset to default more than 30 times. Suddenly I could access the interface, then I updated the firmware to MR7. Now some user complains about the SSL-VPN, and one user complains about his VoIP logging on/off every 20 mins. I applied for a ticket but for 3 days no tech responded. We paid $800 for a 2-year contract including hardware, firmware, antivirus...... Honestly, Fortinet service really sucks. I am thinking about switching to a different company when the old contracts expire 2 weeks from now.
    FortiRack_Eric
    New Member
    September 12, 2008
    You should be aware that Fortinet Maintenance & Support is meant for cases where a unit doesn't do what the manual says; it's not a backup consultant to tell you 'how to configure' a device. What do you expect here? The forum is to get pointers from peers, not to bitch about Fortinet. What made you decide to upgrade a unit with 2.5 (which is over 4 years old) to MR7, why not MR6? That's when you could have posted a message here. There's a lot of functionality of the FG unit that differs quite a bit from 2.5 to 3.0 MR7. Sounds like you have to tweak sip-helper and/or session ttl. The point is, again, the analogy with a car: don't fiddle with the cam timing if you don't know the specifics of the engine and have the proper experience/training. A FG is a proper security device and not some kind of toy.
    fsyong (Author)
    New Member
    September 12, 2008
    I totally understand this forum belongs to Fortinet; nobody will like dumping xxx in their own backyard. Let's calm down a little bit. I got a ticket from Fortinet last Sunday and explained my situation to the technical support; the only solution they gave me was to update the firmware. Please, please read my ticket. There was no way to update the firmware, till midnight 1 day later when I used the remote console and found that I could access the interface. I went back to my office; the only thing I could/wanted to do was update the firmware, that was my only help. At that time I had no time to tell which version, so I thought the highest would be the best. I am afraid to upgrade or downgrade the Fortigate firmware. I do believe there are some problems inside the device, but unfortunately I don't want the whole office to be unable to remote access or connect to the internet. So I posted, and want some experts to post some easy 1-2-3 pictures to let me know. Because my problem is not the SSL VPN setting inside my Fortigate; it is a user from Germany who has his own SSL VPN client software back to Germany. My setting is very simple, only the wan1-internal web profile. Another user is using a mobile phone software like Skype; sorry, I cannot read German. But both users have no problem when I give them a connection bypassing the Fortigate. Honestly Eric, if you are an expert, you should know what executing factoryreset means. Please don't blame me for complaining about the car vendor; as an end user, reset means we trust the vendor, and should connect to 192.168.1.99. I am here for help, but I also want other users to know the service I have had, and hope Fortinet can realize this and improve their service, not just blame the end user for ruining their reputation. Have a nice weekend.
    FortiRack_Eric
    New Member
    September 13, 2008
    A couple of words of advice: factoryreset resets a FG60 internally to a clean config; internal is 192.168.1.99. If possible, always do firmware upgrades and factoryreset with a console cable connected. SSL-VPN is clientless to a FG unit, except for some new features in MR7. MR6p3 is most stable with SSL-VPN functionality. It's not guaranteed, but I've seen downgrades from MR7 to MR6 without loss of config. I would advise to back up MR7, do a downgrade, then again do a backup. Take the backup config and remove the unreadable parts between config and end. Then restore the config and work from there.
    fsyong (Author)
    New Member
    September 13, 2008
    Thanks for the advice. A few questions: which version is better, MR5 P6 or MR6P3? The Fortinet website recommends MR5 P6 for the Fortigate 60B. I suspected the interface problem was caused by the flash memory; as I mentioned, the virus lists are junk characters (OS 2.5), unreadable. At that time, the console was my only way to access the VPN. I downgraded to MR5 SP6, the settings are still there, thanks. I will try to figure out the SSL-VPN problem, because the user has complained for many days already.
    UkWizard
    New Member
    September 15, 2008
    Wow, this is the first 'hostile' thread I have seen on the forums. And version 2.5? That's very old and unsupported. If you lost access to the GUI originally whilst adding a user, then you probably set the "trusted hosts" section of all the users? If set incorrectly, this would stop you getting to the GUI altogether. So this might have been your original problem. Thought I would let you know, just in case you set it accidentally again.
    fsyong (Author)
    New Member
    September 16, 2008
    Honestly, the device cannot be accessed by web after reboot. The ex-tech had the same problem once before; after that he never wanted to touch it. I backed up the working configuration before the change. After reset, as I mentioned, I could access the web control occasionally; when I changed something, like just the IP address, or even restored the backup, after reboot.... no access. After I updated the firmware, I have no problem accessing the device any more. My concern is: is the device defective? Need RMA? I don't want the whole office to stop working some day. Since I updated the firmware, everybody ignores the issue I had before and just doubts the configurations I created for the new issues like SIP or SSL VPN. Till now nobody can explain this to me. So bad.
    One user is using a softphone software from T-system; the software uses RTP(30000-3100) SIP 5070. Another user has no admin rights on his computer, so I cannot check the settings of the SSL-VPN. I have added the port 10443 in custom service; doesn't work.
    Right now there is no way to go back. I explained already that at that time I just wanted to make the VPN work so everybody could connect to the internet; updating the firmware was my only chance. So I updated to MR7. Some guys recommended MR6, so I downgraded. Right now I am using MR6P3. Kind of new to Fortigate. I have a problem uploading images, so I just post the texts.

    Status ID Source Destination Schedule Service Profile Action
    internal(fortigate) -> wan1(AT&T T1) (2)
      1 all all always ANY ACCEPT
      7 all all always Germany voip ssl-vpn ACCEPT
    internal(fortigate) -> wan2 (1)
      6 all all always ANY unfiltered ACCEPT
    wan1(AT&T T1) -> internal(fortigate) (2)
      all all always ANY web ACCEPT
      all all always Germany voip ssl-vpn ACCEPT

    custom service group
      Germany voip ssl-vpn
      Members: SIP, SSL-VPN to bonn, voip for Erico, Https, Sip-Msnmessenger

    custom service
      SSL-VPN to Bonn TCP/1-65535:10443
      voip for ERICO TCP/1-65535:30000-31000 UDP/1-65535:5070

    Everything was working before the web access problem. Thanks.
    Contributor
    October 12, 2008
    This is a common problem, man. I also had the same situation. This is because the firmware is corrupted, so even if you reset to factory default, there is no use. So you need to upload the firmware again using the console cable with the help of any TFTP.
    Contributor
    October 13, 2008
    I had a very similar problem. A Fortigate 60 with V2.5 firmware that worked for years without problems. Then one day, it stopped working and wouldn't respond on any of the ports. I contacted Fortinet and the first thing they said was 'please upgrade the firmware'. At first, I thought 'Hold on a minute, this unit is malfunctioning, you should be helping me, not fobbing me off'. But I did what they said, and the unit is now on the latest firmware, which was quite a long process of gradual upgrades, erasing and restoring of the config several times, but now the unit is working perfectly, even though no specific problem was highlighted. Obviously I can't explain what caused the problem in the first place, but the important thing is that it's working properly now! Andy
    FortiRack_Eric
    New Member
    October 13, 2008
    Firmware version is about 5 years old.... that's about the stone age in human years.