To perform some tests safely on a FortiGate (FortiOS 6.4) doing BGP I
was trying to set up a prefix-list that denies all prefixes and apply
that to the BGP neighbour section via set prefix-list-in / set
prefix-list-out. As a prefix-list contains an implic...

I tried this and configured a cluster setup with two serials. The first
config starts but ends up "Waiting All Secondaries to Auto-Link". When I
connect the secondary firewall to the internet to do ZTP nothing
happens. It keeps waiting for something t...

Anyone been looking at this and got it worked out? Azure AD domain
joined machines seem a bit different, you can't join the FortiNAC to it,
it doesn't seem able to read from it. Wondering how people dealt with
this.

Due to the VPN traffic possibly coming in or going out via one of three
interfaces (due to BGP) I felt I should configure the VPN on another
interface of the FortiGate. Only the VPN process doesn't want to start
the VPN now, the debug logs show: 202...

Not many FortiNAC users here yet it seems but going to give it a try. I'm
working on it in a lab environment with FortiGate + managed / FortiLink
FortiSwitch (6.2) and FortiNAC 8.8. Anyone have experience with that setup
working fine? I'm getting odd issues...

>> I don't think "implicit deny" is a correct term to describe
prefix-list's default behavior.

Yeah, that seems to be the case. I think
I read this somewhere but don't have a source currently, perhaps it is
the mix-up with route map. I was looking for...

It is quite difficult to guess what the issue is. It could be many
things. Turning off npu-offload is a troubleshooting step often tried,
so you can give that a go for sure. It doesn't feel normal, it shouldn't
happen. But troubleshooting requires f...

Thanks Toshi, but isn't there an implicit deny for prefix any at the end
of the prefix-list? When I add some entry (say for 1.2.3.4
255.255.255.255) it will deny everything else, so then the implicit deny
acts right? But without any rules it doesn't f...

Thanks Alex. With some Fortinet support tickets it seemed it wasn't
quite working yet with the used version. Things should be better in
the latest 7.0.x versions. If I encounter this again I'll double check it.