Description SSL VPN connections can be blocked by the FortiGate for
different reasons depending on config and restrictions. This article
describes recommendations on how to resolve cases where the SSL VPN
connection is being attempted but gets blocke...
Description Explicit proxy authentication is a common deployment where
users have to authenticate to a proxy server in order to access
the allowed resources. The configuration is sophisticated and can be
difficult to troubleshoot depending on th...
Description This article describes how to resolve a scenario where ESP
packets are being allowed by the ISP to the FortiGate, but there is no
response back to the remote gateway that initiated this traffic,
especially in the case of a VPN client cont...
Description This article describes how it is not uncommon to find that
the DNS page on FortiOS shows latency in large values or even an
unreachable status while users experience no issues with browsing
websites or using Hostnames or FQDN (Fully Quali...
Description This article describes how to fix two errors that may occur
in SSL VPN configurations with SAML authentication for MFA on Azure
Entra. If there is a mismatch or missing username or group claims on
Azure, the FortiGate will reject the conn...
Hi, Thank you for reaching out. I would not recommend WAF as a security
profile for protecting web servers and web application although it has
been historically used for this function in the past. The reason being
IPS and application control UTMs are...
Yes, you should plan a downtime. I assume that the phase2 selectors on
the ipsec tunnel, at least in the direction from branch to main office, are
set up with the default address - 0.0.0.0/0 - since it is for an RIA
deployment. This is important because if y...
Hi, You can try setting the ipsec interface with a static ip yes I
assumed you already had that enabled to use it for performance SLA. The
option "snat-route-change" should still be available under the global
config menu. You can try to locate it wit...
Hello tedew, Thank you for reaching out. If the route as you mentioned
was already removed from routing table using the option to
"update-static-route" in performance SLA I assume, this issue should not
happen however I am suspecting the firewall sti...
Hi Omsharma03, Thank you for reaching out. I have seen a case in the
past where a computer trying to authenticate through captive portal for
wireless would try to route the authentication request using the wired
adapter. The condition was both wired and w...