The good news first: If you’re currently using the FortiClient to establish a Dialup IPsec VPN (Aggressive, PSK based), the same configuration should also work with the native macOS client. «FortiGate: IPsec VPN with native macOS client» Continue reading
«FortiGate SSLVPN Update Recommendation» Continue reading
Update, Nov 2020:
More than a year after Fortinet described this SSLVPN vulnerability, it gets new attention. A few days ago a list of IPs and domain names of vulnerable Fortigates was published. This list is dated November 2019 and one can only hope that many of these systems have already been patched.
Two days ago, this list was extended with usernames and passwords that were exploited via this vulnerability. Even if the Fortigates have been patched – as long as the passwords have not been changed, an attacker could still use them to gain access to protected networks.
SD-WAN is a cool feature to configure redundant internet access. But it was designed with load-balancing in mind and this brings some challenges to specific use cases. As an example, while you can use SD-WAN rules to define the preferred path for a specific application/system, it won’t prevent the traffic from being routed over another interface in case of an outage. «FortiGate: Deny-Policies for SD-WAN members» Continue reading
Based on two recent support cases regarding the IPsec performance between an OnPrem and Azure FortiGate, we did some testing using the latest FortiOS 6.4.1.
We’ve created a basic IPsec tunnel using the wizard, deployed an Ubuntu machine at both sites and used iPerf3 to do some speed testing. The results were nowhere near the expected numbers, although sending from Azure to OnPrem (~250Mbit/s) was a bit faster than the reverse (~120Mbit/s). «Fortigate VM Azure: IPsec performance issue» Continue reading
Since June 1st you may notice that some websites (https) are not working anymore when Fortigate or the Palo Alto Networks Firewall is doing decryption or certificate inspection. Typically you are getting one of the following error messages: «Websites are not working anymore» Continue reading
Due to several known issues, we do not yet recommend FortiOS 6.2 in production environments. «FortiOS 6.2: Upgrade Notes» Continue reading
Recently we have had a few support cases where a customer was unable to log in to the firewall via WebUI after the firmware update. But SSH access worked fine.
It turned out that during the update process the server certificate used for the WebUI is lost.
Config with v6.0.4 (it does not happen with «self-signed» only):
config system global
    set admin-server-cert "self-signed"
«What’s new with FortiOS 6.2/6.0.8: Update issue with certificate for WebUI» Continue reading
FortiOS v6.2 was released in March this year and we are still gaining experience with this version. In this article we would like to draw your attention to the protocol which is used for FortiGuard service communication. Up to v6.0, UDP was used; with 6.2 the default protocol has changed to HTTPS. «What’s new with FortiOS 6.2: FortiGuard Requests» Continue reading
Last week Fortinet released a critical PSIRT advisory, «Improper check for certificate revocation vulnerability».
Unfortunately the article does not give exact information regarding the background or the solution and we couldn’t find further information about the issue, either. Maybe you have more information? «New PSIRT-Advisory from Fortinet» Continue reading