Hiho, there is an old bug in FortiOS and FortiManager that allows you to
set too long Phase1 names. This can cause problems when the FGT runs out
of space on creating new dialup instances due to enumeration. This
means: when you create a dial up ipse...
just encountered this: IPSec Dial Up does allow concurrent tunnels. To
make sure it can handle each one it enumerates the tunnels. Good so
far. Though the Gui (and the FortiManager gui also) allow you to enter
too long p1 names. If your p1 name is too l...
Hiho, I have an adom which used to be v6.2 before. As long as it was
6.2 all worked fine even after upgrading the FortiManager to v6.4. Once
I upgraded the adom (and the global adom as it provides objects that are
used in that adom) to v.6.4 I canno...
I have this constellation: FGT100E with a FEX connected to it via
capwap. FGT has authorized the FEX and added a device for it. All wans
plus FEX are members of sd-wan. All wans except FEX are part of SD-WAN
health check. I kept FEX out because it shou...
I have the following constellation which behaves quite strange FGT100D
has 4 WANS. Port wan1,wan2,ha1,ha2. Those are members of sd-wan in
following order: wan1 cost 0, wan2 cost 0, ha1 cost 10, ha2 cost 10. The
implicit sd-wan rule for loadbalancing is set ...
if it is a dial up you might have run into the same issue I ran into
today again. I consider this a bug in FortiOS (and FMG). On dial up
tunnel names FortiOS unfortunately does not subtract the space it needs
for the enumeration of the dial up instance...
yes it does. So Tunnel is up completely. Did you try to flow trace the
traffic to see if it matched policies and routing is correct?
diag debug enable
diag debug flow filter daddr=
diag debug flow filter saddr=
diag debug flow trace start
that will
yes exactly - you have to have an account with at least one device
registered that has a valid support (i.e. FortiCare(tm) ) contract bound
to it. Then the download area will be available and you can dl any
Are you sure the tunnel is up completely? In Firmware prior to 6.4 the
IPSec Monitor (and also the ike debug log) do not show Phase2. Since 6.4
it does show phase2 at least in IPSec Monitor. So maybe your Phase1 came
up and the tunnel is marked as up i...
for Webinterface you need a simple SSL Certificate. Afair in windows ca
there is a template named "Webserver certificate" or similar. We use
this here too. For SSL Inspection you need a subordinate ca certificate
there is also a template for that (I'd...