Questions tagged [fortigate]
Firewall appliance made by Fortinet; includes CAPWAP wireless controller and FortiOS software.
108 questions
9 votes · 4 answers · 703 views
What caused a huge amount network traffic via SSH?
I have a virtual server running Ubuntu 18.04 from a well known hosting company. This morning our Fortigate Firewall logs show that my Win10 computer transferred 3.5TB to and 6.5TB from my virtual ...
7 votes · 1 answer · 423 views
Best Practice: notify email sender that their reverse lookup is broken
This probably should be a wiki, not entirely sure. Before I begin, the external server that performs scanning is a custom amavis/postfix/fortigate pipeline; it is suggested that any changes work ...
5 votes · 7 answers · 192k views
Fortigate VPN client "Unable to logon to the server. Your username or password may not be properly configured for this connection. (-12)"
We're running a Fortigate 100D, and having some trouble with the SSL VPN via FortiClient.
I installed FortiClient on an external Windows 7 PC a few days back and the SSL VPN connected and worked.
I ...
4 votes · 3 answers · 40k views
FortiGate IPsec VPN: Configuring Multiple Phase 2 Connections (Multiple Subnets)
I am trying to make an IPsec connection to a FortiGate router using OpenSwan. The FortiGate sits on two distinct subnets and I need to access both of them. In the FortiGate I have defined one Phase 1 ...
4 votes · 1 answer · 5k views
Fortigate VPN Routing issue
I have 200B Fortigate unit with 2 internet WAN connections.
I also have a remote site which I'm connected to via IPSEC VPN through WAN1.
This site has only one GW IP address.
I'd also like to set up a ...
4 votes · 3 answers · 16k views
Connecting to a FortiGate VPN from a remote Linux machine via OpenSwan
Here's the setup:
I have a FortiGate unit on a business network, which has a FortiGate VPN set up. Machines on a remote network that can run FortiClient (Windows and Mac machines) have no problem ...
4 votes · 1 answer · 6k views
VPN ERROR 500 STATE_MAIN_I1, unable to start phase2
I'm trying to set up a site-to-site VPN to a FortiGate 60C from a CentOS 7 with OpenSwan; the error I get every time is the following
000 #1: "office":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
...
4 votes · 0 answers · 2k views
VLAN ID over DHCP for Management Interface of Fortinet FortiAP
When configuring the FortiAP device it's desirable to configure the VLAN ID for the tagged management network. According to the manual it's possible to do so by "telnetting" to the FortiAP device ...
3 votes · 1 answer · 5k views
Can I have an alert when an IPSEC is down in Fortigate 80C?
We have a fortigate 80c and 60D with an IPSEC VPN.
Is there a way to use the log (or other tool) to send an email alert when the tunnel is down?
I couldn't see anything on the Log & Report tab
3 votes · 2 answers · 20k views
MikroTik IPsec client Fortigate 'Received ESP packet with unknown SPI.'
We have a client with 6 sites using IPsec. Every now and again, possibly once a week, sometimes once a month, data just stops flowing from the remote Fortigate VPN server to the local MikroTik IPsec ...
3 votes · 2 answers · 4k views
Is it possible to have name-resolution from Fortigate and local DNS server?
Can you advise on moving to a hybrid DNS?
Currently, all our LAN machines receive their IP address from our Fortigate 60D (each machine is either allocated an IP address from the Fortigate DHCP, or ...
3 votes · 0 answers · 2k views
Set outgoing interface on Fortigate explicit proxy
I am testing the explicit proxy on a Fortigate 200D firmware 5.4
WAN1 and WAN2 are both members of the wan load balancer interface.
I need to set the proxy to use WAN1 but it is defaulting to ...
3 votes · 2 answers · 3k views
Suddenly cannot reach (ping) remote server on a remote site
We have 2 sites linked together with VPN tunnel (Fortigate 60C devices). On each site I have ESXi server with a couple of VMs. Normally, everything works fine.
Site 1 (S1) subnet is 192.168.254.0/...
2 votes · 8 answers · 32k views
Get external public IP from command line in Fortinet
Is there any way to know the public IP address of a Fortinet? There are many services such as icanhazip.com that tell you the current IP.
In Linux, I would just run:
curl http://icanhazip.com
How ...
2 votes · 2 answers · 16k views
Network Tap (SPAN port) on FortiGate 100D (FortiOS 4.0MR3)
I'm dealing with a FortiGate 100D for the first time, and am scratching my head as there doesn't seem to be an easy way to mirror ports in the switch; which is really a facility that I presumed it ...
2 votes · 2 answers · 7k views
Fortigate 100d 802.3ad bonding / Link aggregation
My network is as follows:
1 x Fortigate 100d with the two WAN ports connected to:
Ethernet ISP with STATIC IP configured manually (20 Mbps symmetric) via ISP A
Ethernet ISP with STATIC IP configured ...
2 votes · 2 answers · 2k views
VLAN Traffic changing source when captured at firewall
1) HP Switch config below
2) Fortinet Policy in attached image
Right now, we are a flat network of roughly 320 wireless devices, and about 100 wired devices. We have a FortiGate 300C firewall with a ...
2 votes · 1 answer · 480 views
Azure VPN Gateway (S2S) disabling Replay Detection
I'm running an Azure VPN Gateway (VpnGw1, gen1, Route-based) and trying to connect a S2S connection to a Fortigate gateway. The connection is losing connectivity every so hours and I'm wondering if I ...
2 votes · 3 answers · 5k views
Remotely connect to device with ip from different subnet
I have to figure out some way to remotely connect to D-LINK switch currently working on default address 10.90.90.90 (service guys have replaced broken one, but they have forgotten to do initial config)...
2 votes · 1 answer · 13k views
Fortigate IPSEC VPN Issue
Have a challenging question here.
We have a Fortigate 620B which we're trying to use to route some traffic over a VPN tunnel to a customer.
We want the traffic to go out of our interface with one of ...
2 votes · 2 answers · 9k views
IPSec VPN Shrew to Fortigate
I'm trying to configure an IPSec VPN on a Fortigate 80C and connect to it using Shrew Soft VPN. I'm stuck with a negotiation failure, even though debugging on the Fortigate unit shows the same values ...
2 votes · 1 answer · 3k views
SSL VPN on Fortigate 100D Dual ISP
I have a Fortigate 100D and have been using it with a single internet connection for some time without issue and have also been using SSL VPN to connect into the network. The SSL VPN uses 2 factor ...
2 votes · 1 answer · 3k views
Fortigate administrative overrides - how to include all subdomains?
I need a nudge in the right direction with this:
Situation:
I've got a Fortigate device with FortiOS 4.0 with the FortiGuard web filter enabled. I block a category, let's say "freeware download" (example).
Now,...
2 votes · 0 answers · 837 views
Fortigate and RADIUS Wifi authentication for domain and non-domain devices
We're setting up RADIUS authentication for wireless network connections through a Windows Server 2012 R2 (NPS).
We have to allow both domain computers (registered in Active directory) and non-domain ...
2 votes · 0 answers · 3k views
FortiGate 310B public ip pool into internal port
I have a FortiGate 310B with WAN port with /27 public IP pool from the ISP.
The WAN port is configured with primary IP 1.1.1.1/27
I would like to provide servers within the Internal port a public IP. ...
2 votes · 0 answers · 849 views
Trying to change a custom VPN port back to the original on Fortigate 40C
We recently changed our firewall and bought a Fortigate 40C device. We wanted to use our old VPN settings. The Fortigate support technician told us that this model was new and he didn't know it in ...
1 vote · 2 answers · 5k views
Does anyone know what the Fortigate SSL VPN error 6 on the linux client means?
I often get:
SSLVPN down unexpectedly with error:6
When trying to connect the 64bit/forticlientsslvpn_cli. My experience has been:
Once you start getting, no number of retries will get you ...
1 vote · 2 answers · 709 views
CentOS Hyper V Guest VM Not accessible from the Internet
I have a CentOS VM sitting on a HyperV host with two interfaces. One interface is connected to the domain network via a switch (192.168.1.8 /24) GW 192.168.1.254.
Another interface is connected directly to ...
1 vote · 1 answer · 18k views
View logs from Fortigate SSLVPN client for windows
I have some users that have trouble when connecting to my vpn, I want to see what the errors look like on the user side, hence I enabled the debugging in the client at "Log Level -> Debug" (where you ...
1 vote · 1 answer · 7k views
Azure Site-to-Site VPN and Fortigate IPSec Phase 2 error on SA re-establishment - "peer SA proposal not match local policy"
I am documenting this for posterity. After a period of the IPSEC tunnel being successfully up and working between Azure VPN Gateway and Fortigate 200 E firewall running FortiOS v6.4.4 build1803 (GA), the ...
1 vote · 4 answers · 18k views
Allow traffic from ssl-vpn to enter ipsec tunnel on fortigate
We configured our FortiGate 50B to route traffic from our local net 192.168.10.* (which is our office) to a remote network 172.29.112.* using an ipsec tunnel. Everything works fine as long as my computer ...
1 vote · 1 answer · 9k views
DHCP relay through Fortigate 60B firewall isn't working
I inherited a network with a Fortigate 60B firewall. The VPN dial up client works right now as long as I specify a static IP. Problem is, it becomes hard to manage when I need to assign each and every ...
1 vote · 1 answer · 528 views
2 Remote Sites, 2 Different Subnets, with interconnectivity. How to create a single subnet for servers at both locations?
Current Environment:
We currently have 2 remote sites, both with their own LAN subnet and servers hosted at each site. Currently each site is using 1 subnet for the clients and servers. Both sites are ...
1 vote · 1 answer · 1k views
Process to migrate DNS and DHCP from on-premise, Windows domain controller
Our organization has an on-premise, Windows, domain controller that we'd like to eliminate in favor of a local DHCP/DNS server on either our Unify switch (first choice) or FortiGate VPN appliance (second ...
1 vote · 1 answer · 3k views
Avoiding split brain DNS for a Fortigate Web Proxy
How can I avoid needing a split brain DNS setup with the setup outlined below?
Background
I have what "should" be a pretty basic setup using a Fortigate 200D.
'Third leg' setup using a DMZ
...
1 vote · 1 answer · 7k views
How to disable SSL-VPN on FortiOS 5.0
Heartbleed issue.
Must disable SSL-VPN.
I wasn't able to find it in the GUI.
Might there happen to be a CLI command?
1 vote · 1 answer · 5k views
fortigate traffic packets not logged
Ciao,
we have used Fortigate devices for years and now we need to check bandwidth usage per protocol and this is not possible. We made this test:
1) all policy Logging Options - Log all Sessions
2) ...
1 vote · 0 answers · 29 views
How to align a backup IP block to same Virtual IP definitions as active block?
We recently added a backup ISP for our rack. Simply put, in the event that our primary connection goes down we would like to be able to switch to our backup connection. Right now we have primary ...
1 vote · 0 answers · 468 views
routing ppp <-> wireguard interfaces
I want to connect via wireguard to a droplet that will be running openfortivpn for connecting to a 192.168.11.0/24 network. I have confirmed that only traffic to 192.168.11.* goes through fortivpn and ...
1 vote · 0 answers · 37 views
Can I use different log files for FortiGate rules?
Fortigate firewalls use different log files per type and device. Here is the log file name format:
<logtype> - <logdevice> - <date> T <time> . <id>.log
For example: ...
1 vote · 0 answers · 547 views
FortiGate SSL Offloading & Intrusion Protection System
We're using a FortiGate 620B (v5.2.9) for offloading SSL traffic to our website. Now we would like to activate the Intrusion Protection System (the IPS).
However in order for the IPS to work, SSL ...
1 vote · 1 answer · 196 views
Ip Configuration in Fortigate 60d
I have a fortigate 60d which I bought around 3-4 years ago. Today I tried to install over of fiber internet. I connected my forti with 192.168.3.1 then I clicked wizard and entered new values and new ip ...
1 vote · 1 answer · 808 views
Possible to dump sflow data to pcap format?
I want to get the packet capture from fortinet/fortigate device, to capture all traffic from it on one of its interfaces. For it, I have enabled sflow and sent it to another ntopng server. But on ntopng, ...
1 vote · 0 answers · 438 views
Using airport extreme as an AP with true bridge mode (forwarding 802.1x auth)
So here is my setup. I have a Router (Fortigate) 4 airport Extreme, and a radius/ldap server on a distant server.
I want my user to authenticate with the radius or LDAP server, and be able to create ...
1 vote · 0 answers · 2k views
Fortigate 60D - Empty log and report
Environment:
Fortigate 60D
Forti OS 5.0
I cannot see any log or report in the firewall. I have already activated forticloud and I receive empty reports.
Is there something that we have to activate ...
1 vote · 0 answers · 1k views
Dynamic IP Blocking on FORTIGATE 200A Firewall
I have a FORTIGATE 200A firewall protecting an IIS Server running an ASP.NET website (windows server 2008 and IIS7)
I'm not familiar with Fortigate configurations and options.
I recently had "attacks" ...
1 vote · 1 answer · 10k views
Fortigate PPTP push default gateway and DNS server
I've got a fortigate 40C here and copied the config mainly from a Fortigate60.
Everything is working fine, but I've got some problems with the PPTP VPN connection. I want to add SSL VPN in the future, ...
0 votes · 1 answer · 2k views
Fortinet Fortigate software switch configured IP not accessible
I'm trying to get a software switch configuration working on a Fortigate 100D. It appears like devices plugged into the software switch ports can communicate with each other, but they cannot reach ...
0 votes · 1 answer · 6k views
FortiGate 80c port forward
I have a FortiGate 80c and I'm at a loss on how to port forward to get my OpenVPN service accessible externally.
I did setup the VirtualIP assigning tcp 1194 on the internal IP to the ...
0 votes · 1 answer · 395 views
Does Fortigate 100A support IPv6? [closed]
Tried searching through the net but couldn't find any info since the product is already discontinued. Can anyone confirm if this particular product supports IPv6?