Re: Redistribute iBGP routes to OSPF in FortiGate

Toshi_Esumi · 07-24-2024

A basic question: Would Websocket app (TCP 443) traffic be filtered by a policy with a Web Filter profile? Or do we need to match it with Application Control in a separate policy before or after the web filter policy?Thanks, Toshi

Toshi_Esumi · 07-21-2024

I'm working on migrating my home OpenSUSE machine I'm using for freeradius server to authenticate admin and VPN users on my FG40F(7.2.8) from Leap 15.3 to 15.5(on a new machine). Obviously 15.5's repo has a newer version of freeradius-server image.Th...

Toshi_Esumi · 05-07-2024

As all the other users at FortiCloud must have gotten, I received an announcement email per email account for 2FA auth enforcement starting June the 7th.My question is if it would apply to this Forum login account. I've kept using my old account emai...

Toshi_Esumi · 02-29-2024

When we configure this SSL VPN MAC address filtering, what system limit would dictate the max number of MAC addresses we can configure on an FGT (no vdom/muti-vdom)?https://community.fortinet.com/t5/FortiGate/Technical-Tip-MAC-address-check-on-SSL-VP...

Toshi_Esumi · 02-15-2024

Please let me make sure the order a FGT examine policies.If there is a specific policy from a specific interface like "lan" to another specific interface like "wan1" with "any" source and "any" destination, it would be examined before another policy ...

Toshi_Esumi · 07-26-2024

It's NOT expired. So ignoring expired certs wouldn't change the outcome. If it has an option to ignore invalid certs, that might work.Toshi

Toshi_Esumi · 07-25-2024

I think the problem with https://pub.kb.fortinet.com/rss/firmware.xml is the site is using a self-signed certificate. While https://support.fortinet.com/rss/firmware.xml site is DigiCert signed cert.When I tried setting up an account at Thunderbird w...

Toshi_Esumi · 07-25-2024

This is not specific to FGTs because this is a common BGP/AS design issue. Even if you replace your FGT with a Cisco router, Juniper SRX, or Nokia router, you still need to use "as-override" option. I think it's in an RFC, which I haven't confirmed t...

Toshi_Esumi · 07-25-2024

If changing AS at each VPC is not an option, try "as-override" option on your FGT as in below:https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-allowas-in-enable-or-as-override-when-local-AS/ta-p/197448Toshi

Toshi_Esumi · 07-24-2024

Just ignore whatever I said above. I wish I could delete my comments but it does't let me. In ADVPN context, the neighbor-group seems to be used specifically. My comments seem to be off the mark completely.Toshi

User Statistics

User Activity

Websocket app traffic with Web Filter

RADIUS attribute: Message-Authenticator

FortiCloud login 2FA enforcement

num of MAC address limit in SSL VPN filtering

Policy order: any int to any int or specific interface pair

Re: Firmware RSS feeds not working

Re: Firmware RSS feeds not working

Re: BGP with AWS transit gateway

Re: BGP with AWS transit gateway

Re: BGP neighbor group not working, but neighbor works

Re: Redistribute iBGP routes to OSPF in FortiGate

Re: Layer3 Fortiswitch

Re: FortiGate stripping BGP TCP option 19

Re: Fortimanager best practice

Re: Firewall Policy - Zones

Re: BGP with AWS transit gateway

Re: Fortigate Static Route for WAN Traffic

Re: Static public IP / 2nd subnet from ISP / great...

Re: Two IPSec tunnels with a single WAN connection

Re: How to Grant CLI Access to VDOM Administrator ...

Super User