We used to do extensive app troubleshooting on 7.2 decrypting the
traffic using a trusted ROOT CA installed on the client machine. After
upgrading to 7.4, it no longer works, what we would do is (on
7.2):create a loopback interface, create a decrypte...
In fortiauthenticator the option "Sign SAML requests with a local
certificate" signs our AuthnRequest request as expected, however it does
not sign the LogoutRequest, is this expected behaviour? is there anyway
to make this work? from the standard:It...
Hi, we started getting packet loss through one interface of our 601E,
SSH sessions on the far side of the fortigate are very slow and lagging,
pinging to those ssh hosts results in around 5-20% packet loss, pinging
from either side of the fortigate t...
Hi we have a firewall cluster in another country with an IPSEC VPN back
to our local termination point. We can access the primary firewall using
its LAN interface, but we need to be able to access the secondary
firewall directly aswell (for snmp moni...
Hello, Can someone confirm if we build a new VM in Azure, and choose
BYOL, can we then use a license from our existing FortiFlex licensing?
Or can it only be a traditional license?
Hi there is no loop, pinging devices in the same subnet of that
interface results in loss also. It is a cluster, we have rebooted both
members, both members have the same packet loss. HA is in sync. What I
mean was, traffic traversing the fgt gets pa...
It's a fair question but the other answer is correct, phase 2 selectors
are negotiated and it depends on the other end vendor, Check Point for
example will also pick the largest mask size so Selector 1 and 2 would
never establish in the first place (...
Your mail server must currently have a rule allowing it out to the
Internet on port 25 (among other ports potentially). Just add a schedule
to that rule. ie 05:01-00:59 its enabled.
thanks for the reply, these are actually VM's in Azure, the theory would
still work using a shared vlan, unfortunately they don't trust us
network folk in the backend of Azure :( I suspect using a layer 3
capable switch could make it work aswell, put...
How random are the random macs? if the first few octets remain the same
you can use a wildcard match in the mac address field. Usually first 6
digits are the vendor code that may not change even when randomising.
Sounds like the problem could be solv...
