Hi all, I have a FortiGate 501E unit connected to an external switch by a
LAG. This aggregated link is supposed to carry multiple VLANs. My idea
is this: rather than defining VLAN interfaces directly upon the LAG
interface, I'm thinking to define a "s...
Good day, We've implemented FSSO in our network, with the purpose of allowing
traffic to network resources only from stations joined to our Windows
domain. However, as I see, if a user authenticates to any domain
resources (for instance, SMB service on a do...
I have an HA cluster of two FortiGates (v6.0.9) managed by a
FortiManager (v6.0.8). The FortiGates run in a cloud, so I must use
unicast heartbeat on HA interfaces to sync them. I use port10 on both
FortiGates as such interface: ...
Good day, Regular firewall policies have an option to send TCP RST
packets to clients, when the policy's action is set to "deny":
# set send-deny-packet enable
But as far as I see, if the policy's destination is...
Hi all, Does anybody know if FortiGate can be configured to do
this?
- When a client opens a TCP connection to predefined port
  (typically, HTTPS), respond to the TCP handshake on behalf of a
  server.
- Accept the "Client Hello" TLS message from the clie...
Thank you, @hbac, I've read this. But the article, as I understand, talks
about really switching frames between member interfaces joined to the
same "software switch". My case is a bit different: an IP packet arrives
to the FortiGate over the LAG with ...
Response from Fortinet support: either disable validation on
FortiManager ("set verify-install disable",
https://docs2.fortinet.com/document/fortimanager/6.0.8/cli-reference/784395/dm)
or upgrade to FortiManager v6.2.3, which
doesn't have...
Thanks, yes, the policy is definitely getting hit (by the way,
regardless of the match-vip parameter - probably because VIP is
explicitly defined as destination). I opened a ticket at
https://support.fortinet.com, meanwhile they're silent. :)
Honestly, I didn't know about this option - thanks, tanr! But now I've
set it, and it still didn't help - the clients' SYN packets are just
discarded:
config firewall policy
    edit 0
        set name "World_to_webserver"
        set srcintf "Internet_zone"
        set dstintf ...