„FortiGate SSLVPN Update-Empfehlung“ weiterlesen
Update, Nov 2020:
More than a year after Fortinet described this SSLVPN vulnerability, it gets new attention. A few days ago a list of IPs and domain names of vulnerable Fortigates was published. This list is dated November 2019 and one can only hope that many of these systems have already been patched.
Two days ago, this list was extended with usernames and passwords that were exploted via this vulnerability. Even if the Fortigates have been patched – as long as the passwords have not been changed, an attacker could still use them to gain access to protected networks.
SD-WAN is a cool feature to configure redundant internet access. But it was designed with load-balancing in mind and this brings some challenges to specific use cases. As an example, while you can use SD-WAN rules to define the preferred path for a specific application/system, it won’t prevent that the traffic is routed over another interface in case of an outage.„FortiGate: Deny-Policies for SD-WAN members“ weiterlesen
Spoiler Alert! – Since the release of macOS 11.0 aka Big Sur, your FortiClient VPN might not be working as expected anymore if you have already upgraded.
There’s a chance you might not have noticed it, in the case that you’re using SSL VPN only in your environment. But as soon as you also have IPsec tunnels you’d like to use, you might find yourself with a successfully established tunnel, but no traffic is reaching your remote end.„FortiClient and macOS Big Sur – SSL top, IPsec flop“ weiterlesen
The System Engineers of BOLL Engineering have been supporting Fortigate devices for 18 years. This year, FortiOS v6.4 was released and we have again gathered all the troubleshooting commands that we use regularly in our new CheatSheet.
Hopefully this CheatSheet will help you as well.
You will find the most important commands on the first page. The second page contains troubleshooting commands for problems with firewall policies and security profiles, followed by the third page with commands for network problems. The last page covers system and hardware commands and general information.
427 total views, 2 views today
From time to time customers noticed that the Fortigate cannot reach the Fortiguard Servers anymore.
This is displayed in the Dashboard or users are complaining that the Webfilter or DNS Filter Service is not working anymore.„FortiGuard Servers are not reachable“ weiterlesen
392 total views
Based on two recent support cases regarding the IPsec performance between an OnPrem and Azure FortiGate, we did some testing using the latest FortiOS 6.4.1.
We’ve created a basic IPsec tunnel using the wizard, deployed an Ubuntu machine at both sites and used iPerf3 to do some speed testing. The results were nowhere near the expected numbers, while sending from Azure to OnPrem (~250Mbit/s) was a bit faster than reverse (~120Mbit/s).„Fortigate VM Azure: IPsec performance issue“ weiterlesen
1,150 total views
Since a while, the most recent macOS versions the system do report the use of „legacy system extensions“ which is often triggered by modules or plugins of low-level software like VPN Clients, AV software etc.„FortiClient/PaloAlto Support for Catalina – „legacy system extensions“ error“ weiterlesen
Did you know, that on the FortiAP FAP-C24JE, the VLAN ID’s 898 and 899 are reserved for system use?
Or that the FortiAP models FAP-S221E, FAP-S223E, FAP-221E, FAP-222E, FAP-223E and FAP-224E can not work with VLAN ID 97 and 98? I’m sure you already guessed it: These ID’s are reserved for system use.„FortiAP and VLAN ID 97 or 98“ weiterlesen
There seems to be a vulnerarbility in some FortiMail versions, that allow an unauthenticated remote attacker to access the system by requesting a password change. Please refer to the FortiGuard PSIRT article.
The problem here is not only the unauthorized access to the system, but also the change of the password of all configured administrative accounts. Also, the maintainer functionality to reset the administrator password over a serial console of the FortiMail is being disabled from the attacker.„Upgrade your FortiMail now!“ weiterlesen
909 total views
Since June 1st you may notice that some websites (https) are not working anymore when Fortigate or the Palo Alto Networks Firewall is doing decryption or certificate inspection. Typically you are getting one of the following error messages:„Websites are not working anymore“ weiterlesen
2,566 total views