Good day, we've implemented FSSO in our network, with the purpose of
allowing traffic to network resources only from stations joined to our
Windows domain. However, as I see, if a user authenticates to any domain
resources (for instance, SMB service on a do...
I have an HA cluster of two FortiGates (v6.0.9) managed by a
FortiManager (v6.0.8). The FortiGates run in a cloud, so I must use
unicast heartbeat on HA interfaces to sync them. I use port10 on both
FortiGates as such interface: ...
Good day, Regular firewall policies have an option to send TCP RST
packets to clients, when policy's action is set to "deny":
# set send-deny-packet enable
But as far as I see, if the policy's destination is...
Hi all, Does anybody know if FortiGate can be configured to do
this?
- When a client opens a TCP connection to a predefined port
  (typically, HTTPS), respond to the TCP handshake on behalf of a
  server.
- Accept the "Client Hello" TLS message from the clie...
Hi all, I read about the certificate inspection feature and I don't quite
understand its logic. According to this KB article, for instance, all it
does is check the CN field of the server-sent certificates against the web
filter policies. Is it all it can do? ...
Response from Fortinet support: either disable validation on
verify-install disable or upgrade to FortiManager v6.2.3, which
Thanks, yes, the policy is definitely getting hit (by the way,
regardless of the match-vip parameter - probably because VIP is
explicitly defined as destination). I opened a ticket at
https://support.fortinet.com, meanwhile they're silent. :)
Honestly, I didn't know about this option - thanks, tanr! But now I've
set it, and it still didn't help - the clients' SYN packets are just
discarded:
config firewall policy
    edit 0
        set name "World_to_webserver"
        set srcintf "Internet_zone"
        set dstintf ...
localhost, thanks - the "set untrusted-cert block" command in fact can
prevent a scenario like the one I described above, but only if deep
inspection is enabled. In fact, this command becomes available in CLI
only in conjunction with "set inspect-all ...