Why limit to Authentication-based routing? Can't Fortinet have Address-based and Device Identity routing on the policy tab itself rather than putting it on the policy route tab? It would be very nice to have when you're using/have multiple gateways.
Add some information on the subject of mail alerts.
The subject is always "Message meets Alert condition" for any kind of alert: IPS, IPsec tunnel down, authentication failed.
It would be great if the subject could contain the alert type.
2 FGT 100D + FTK200
3 FGT 60E
some FAP 210B/221C/223C/321C/421E
RE: Features that you would like to see (in reply to emnoc)
I agree on diff, the lack of a configuration diff on the appliance is really bad. Fortinet's approach has been to use the FortiManager, but that's not an easy device to sell. I guess for now you have to dump the config and do it the old-fashioned way.
This can be done directly from the FortiGate on many models. On the main dashboard in the GUI, click on "Revisions" on the "System Configuration" line in the "System Information" widget. You can do a highlighted diff of historical versions of your configuration, and restore it.
What would be great is a tool/wizard for building VPNs between a FortiGate and some other devices or another FortiGate. Juniper has started their own, and I'm really surprised that, with all of the VPN problems people encounter, Fortinet hasn't made a simple VPN wizard builder as an onboard wizard or a website tool.
There is a simple VPN wizard available in FortiOS 5.0 and 4.3. Several types of tunnels can be created, including iOS. In the next release, this feature will be significantly better.
Are there any particular VPN configurations that you'd like to see supported in a wizard?
The system revision tool is not very useful nor automated by any means.
On the VPN wizard, a wizard should be allowed for crafting all types of VPNs and not just remote-access. Fortinet could also build a tool for lan2lan VPNs to include
fortigate2fortigate and fortigate2"<non-fortigate + common firewalls>"
I'm really surprised that nobody has come close to doing this outside of Juniper.
IMHO, 90% of the FortiGate VPN configuration problems could vanish if a simple VPN automation tool were to be crafted.
Even Cisco's VPN wizard is slightly better than Fortinet's IMHO to some degree, and they had it out much longer than FortiGate, but it too lacks VPN configurations to a non-Cisco device.
I really think somebody should build something that works off this guy's example, but make it device selectable.
VPNs are not that hard to build, but most fwadmins don't do enough of them and lack WTF. Nor do they know every other firewall type out in the market, and that other remote fwadmin is probably in the same boat (doesn't do enough of them on a regular basis, nor does he/she WTF, etc.....)
So a tool that covers FortiGate to Cisco ASA, Cisco IOS router, Checkpoint, Juniper, etc..... would be very beneficial.
Better CLI features like Juniper has. For example, a compare and rollback feature. AND the ability for better filtering with grep, include and grepping grep outputs again.
Maybe also the possibility to push a complete configuration entry within one or fewer lines, like "show configuration display set" from JunOS.
and a small local CA server - maybe limited to 10 users. At the moment we have to set up an external one even for really small users. I know that's a resource-consuming feature, but hey, users do not have to use it if they don't need / like it.
Multiple assignment of a single FortiToken to an admin account and a normal user account at the same time. Because the admin user is also a normal user. At the moment, the user has to carry two tokens.
OpenVPN-flavoured SSL-VPN support.
Replacing VPN clients on road-warrior laptops is a long and tedious process, so support for OpenVPN would allow earlier retirement of those old *BSD and *nix boxes out there.
Allow console settings per user or similar; currently it is a single system setting.
Specifically, allow various settings of output standard | more.
So FortiManager logs in and has console output standard, and some human logs in (me, perhaps) and has console output more.
FSSO should be more compatible with non-Windows systems in Active Directory.
We have a few Linux machines that are in Active Directory. User logon is well detected by FSSO (poll method). But the status becomes "not verified" after a few minutes. Linux doesn't have a registry accessible via ports 139 and 445. I know the keep-alive (workstation verify interval) checking can be stopped (->0), but it is a good feature to avoid ghost sessions. And the 'Dead entry timeout interval' is brutal if the verification is not done.
So, it would be good to have a way to do this verification differently. Like an SSH request or a script to launch (example: who | grep <connected user>)...
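As an added illustration of the alternative verification the post above asks for (this is example code, not part of the post and not a Fortinet feature): a small POSIX shell helper that decides whether a user still has a session on a Linux host from `who` output. A bare `who | grep <user>` is a substring match, so `bob` would also match `bobby` and keep a ghost session alive; the helper compares the user column exactly. The sample `who` output, the `workstation01` hostname and the SSH key path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or Fortinet): verify a Linux logon the way the
# post proposes, by parsing `who` output instead of probing the Windows registry
# over ports 139/445. Exact user-column matching avoids "bob" matching "bobby".

# Constructed sample `who` output standing in for the live command on the host.
SAMPLE_WHO='bobby    pts/0        2024-01-10 09:12 (10.0.0.5)
alice    pts/1        2024-01-10 09:30 (10.0.0.7)
alice    pts/2        2024-01-10 09:45 (10.0.0.7)
carol    tty1         2024-01-10 08:00'

# session_count USER [WHO_OUTPUT]
# Prints the number of sessions whose first column is exactly USER.
# WHO_OUTPUT defaults to the live `who` output when the second argument is absent.
session_count() {
    user="$1"
    who_output="${2:-$(who)}"
    printf '%s\n' "$who_output" | awk -v u="$user" '$1 == u { n++ } END { print n + 0 }'
}

# user_logged_in USER [WHO_OUTPUT]
# Exit status 0 if USER has at least one session, 1 otherwise; usable directly in
# an "if" by a keep-alive style verifier that expires entries with no session.
user_logged_in() {
    [ "$(session_count "$1" "$2")" -gt 0 ]
}

# remote_session_count HOST USER
# Same check against the workstation FSSO learned the logon from, fetched over SSH
# with a dedicated key. HOST and the key path are assumptions for illustration.
remote_session_count() {
    host="$1"
    user="$2"
    session_count "$user" "$(ssh -o BatchMode=yes -i /path/to/verifier_key "$host" who)"
}

# Usage on the constructed sample (substring match would wrongly count "bob"):
# session_count bob "$SAMPLE_WHO"     -> 0
# session_count alice "$SAMPLE_WHO"   -> 2
# user_logged_in carol "$SAMPLE_WHO"  -> exit status 0
```

A verifier built on this would run `remote_session_count workstation01 <user>` at the workstation verify interval and only mark the entry "not verified" when the count is 0, so Linux hosts joined to AD keep their FSSO session for as long as the user is actually logged in.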