Use case: Customer has two ISP connections at both sites. Two VPNs
configured. ISP1 to ISP1 and ISP2 to ISP2. Customer wanted to lower the
time it takes for the VPN to drop and the other VPN to come up. One of the
options I discussed with the customer w...
First and foremost, a special shout out to a friend that helped with
this config. Juan Perez, thank you brother. Use Case: Customer wants a
single SSID in his environment. He wants Teachers on a VLAN once they
connect on a managed workstation (AD Mem...
I am a BIG supporter of Central NAT. I believe it is in-line with the
present day firewall platforms. Even if you use Policy NAT (the original
way on FortiOS) or Central NAT, you normally want bidirectional NAT'ing,
that is SNAT and DNAT. DNAT / VIP Th...
I am currently running FortiOS 6.4 on this FortiGate. The use case is to
have an out-of-band interface that points to a separate routing table or
in this case, a VRF which stands for Virtual Routing and Forwarding. In
my scenario I will create one in...
Today, a customer asked me about selectively assigning FortiTokens to AD
users using FortiAuthenticator. In this use case, I am going to use an
AD group Token-Users to auto-assign FortiTokens to and another group,
Non-Tokens which will be used to aut...
There are a few ways to skin this cat, depending on the version of
FortiOS you are running. In 6.2 we introduced "Dynamic Address Lists":
you can set up a web server internally, as an example, and add the IP
addresses you want to block. The FortiGate wi...
Under 'Security Profiles', 'Intrusion Prevention' ensure you have the
correct IPS Profile selected (the one in the policy that is firing). Go
to 'IPS Signatures' and choose 'Add Signature'. Filter by name and choose
"Snort.TCP.SACK.Option.DoS" and on ...
This COULD be a trick question in a sense. Some vulnerability scans are
done in a stealthy manner, while some are not. The best practice is to
have IPS enabled on your policies and ensure that your notifications on
the FAZ are set correctly. One thing...