Posts Tagged ‘Fortinet’

You have a device connected to a router (a FortiGate in this case) with two IPs on different subnets.

Solutions
  1. Add a new WAN interface, enabled for Ping and HTTPS.
  2. Add a new static route with the ISP gateway and the interface from step 1.
  3. Make sure the distance is the same as the existing WAN interface's (without the same distance it won't appear in the routing table).
  4. Try to ping the ISP gateway from the CLI.
  5. Test inbound access to HTTPS (on the right port).
  6. Add policies for the new interface, inbound and outbound.
  7. Make sure the priority is lower than the existing WAN connection's while testing; when ready, match the existing priority.
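The seven steps above as FortiOS CLI, added here as an illustration rather than the post's own configuration. The interface names (wan2, lan), the addresses 203.0.113.10/24 and 203.0.113.1, the internal host 10.0.0.10, the external port 8443 and all route, VIP and policy ids are assumptions; distance 10 is the FortiOS default for static routes.

```fortios
# Step 1: second WAN interface with management access limited to ping and HTTPS
# (documentation-range addresses, not the post's values)
config system interface
    edit "wan2"
        set vdom "root"
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https
        set role wan
    next
end

# Steps 2, 3 and 7: default route via the ISP gateway on wan2.
# Distance must equal the existing wan1 route's (10 is the default) or the route
# never enters the routing table. Priority only breaks the tie between routes of
# equal distance, and in FortiOS the lower value is preferred, so 20 keeps wan2
# the less-preferred path while testing; set it equal to wan1's when ready.
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan2"
        set distance 10
        set priority 20
    next
end

# Step 4: confirm the route is installed and reach the gateway from wan2's address
get router info routing-table all
execute ping-options source 203.0.113.10
execute ping 203.0.113.1

# Step 5: publish HTTPS on wan2 (8443 outside -> 443 on the inside host),
# then watch for inbound hits while testing from outside
config firewall vip
    edit "wan2-https"
        set extintf "wan2"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 8443
        set mappedport 443
    next
end
diagnose sniffer packet wan2 'port 8443' 4

# Step 6: inbound policy to the VIP only (no NAT) and outbound policy with NAT
config firewall policy
    edit 20
        set name "wan2-in-https"
        set srcintf "wan2"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "wan2-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
    edit 21
        set name "lan-out-wan2"
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Keeping the inbound policy's destination pinned to the VIP rather than "all" is what limits exposure on the new WAN to the one published service; the sniffer line is only a check that traffic arrives on the expected port and can be dropped once the route and policies are confirmed.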

Recently I got hold of a Fortinet lab FG-100D. The fan in this unit is around 50 dB and not suitable for a lounge. The device is not licensed and out of support, so I could 'tweak' it!

The quietest 4-pin (sending fan-speed feedback back to the Fortinet so it can adjust) 40 mm x 20 mm fan I could find was a Noctua NF-A4x20 at 15 dB of noise, however with much-reduced airflow!

The NF-A4x20 comes with a different fan plug than the Fortinet socket. The connector should match the other size, however a little pressure helps the Fortinet socket accept it!

The good thing about this fan is it also comes with an LNA (low noise adapter), a cable that drops the voltage and so the speed of the fan. The 100D also has two fan power points. I was able to put the LNA on the original fan, then readjust the fans as below. I ran both for a week, however sometimes the old fan would whir up, so I ended up disconnecting the original and left the NF-A4x20, and it has been stable!

Recently a few users had the following bounce-backs from Office 365 to an on-prem mail server with the error:

'550 5.4.316 Message expired, connection refused (Socket error code 10061)'

Checking the Office 365 logs showed this was due to the FortiGate adding some Office 365 SMTP servers to the IPS quarantine list.

Removing these servers from the quarantine, and also removing IPS checking in the policy for SMTP from the Office 365 servers to on-prem, resolved this.
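The two fixes described above as FortiOS CLI, added here as an illustration and not taken from the post. The quarantined address 203.0.113.25 and the policy id 30 are placeholders; the commands are the FortiOS 5.6/6.x era syntax the rest of this page assumes.

```fortios
# See which source addresses the IPS has quarantined and why
diagnose user quarantine list

# Release one quarantined sender by its IPv4 address (placeholder address)
diagnose user quarantine delete src4 203.0.113.25

# Remove IPS inspection from the inbound SMTP policy only; the sensor stays
# attached to every other policy, so nothing else loses inspection
config firewall policy
    edit 30
        unset ips-sensor
    next
end
```

Before clearing the list, note the signature named in the quarantine entry: if it is a rate-based signature firing on normal mail volume, the narrower fix is a dedicated inbound-SMTP policy that matches only the Office 365 sender ranges (as the post's "policy of 365 servers to on-prem" does), leaving the general SMTP policy inspected.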

Recommended firmware: latest of the 5.6.x range (last edited 12/06/2019)

  1. Add interface bandwidth of the WAN port to the dashboard
  2. Enable device detection on LAN interfaces
  3. Proxy-based inspection always
  4. DoS policies
  5. System -> Settings -> Enable SNMP for monitoring
  6. Activate license and FortiCloud
Feature List
  1. Add a VPN profile to both sides with the same pre-shared key.
  2. Add static routes on both sides to each other's subnets via the VPN connection interface created in step 1.
  3. Add policies:

WAN -> VPN connection interface created in step 1 (without NAT)

VPN connection interface created in step 1 -> All (without NAT)

***********

DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under some encryption restriction based on country. AES should use a stronger DH group. If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 19 or 20. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21. RFC 5114 Section 4 states DH group 24's strength is about equal to a modular key 2048 bits long, which is not strong enough to protect 128- or 256-bit AES, so you should stay away from 24.
