r/fortinet

Monitoring FortiLink-managed FortiSwitches

How are people monitoring FortiSwitches managed by FortiLink when using tools like SolarWinds, PRTG, OpManager etc.?

Are you routing/advertising the FortiLink subnet so the NMS can poll the switches directly, or are you just monitoring via the FortiGate logs/API/FortiAnalyzer?

Mainly looking for what works best in the real world, especially for larger environments and any gotchas you’ve hit.

TIA

reddit.com
u/No_Significance_5068 — 2 hours ago

The main problem with the 7.6.7 update

https://community.fortinet.com/fortigate-3/troubleshooting-tip-the-firewall-policy-gui-page-gets-stuck-in-loading-state-on-fortios-v7-6-7-228532

The major issue in FortiOS v7.6.7 is that the Firewall Policy GUI page gets stuck in an infinite loading state when switching to the 'Interface Pair View'. While there are no other operational issues found so far, this bug causes significant inconvenience in daily operations.

Aside from this specific bug, there appear to be no critical issues affecting operations so far

u/Logical-Picture-4756 — 8 hours ago

Upgrade or restart your 1xx series FortiSwitches to avoid the NTPd high CPU 250 day uptime bug (Resolved in 7.6.7)

Guess what we did "almost" 250 days ago? Upgraded and restarted our FortiSwitches.

Guess what ruined my weekend?

Bug 1286219:

>The Network Time Protocol (NTP) daemon causes high CPU usage in switches with almost 250 days of uptime. This issue affects the following switch models: FS-108E, FS-108E-POE, FS-108E-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, FS-148E-POE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, FS-148F-FPOE, FS-110G-FPOE, FS-124G, and FS-124G-FPOE.

>Workaround: Restart the switch.

This caused a large number of switches to become unresponsive and had to be restarted through direct SSH and a handful had to be manually power cycled. Most had an uptime of 248 days.

The high CPU usage isn't being logged and some of the switches that went offline weren't experiencing the bug, it was the upstream switch that it couldn't establish a trunk with. Often but not always, the switch experiencing the bug would still function, you could ping it but the CPU would be pegged. Most would allow a remote restart but some went offline completely or failed to restart after running exe reboot.

TAC confirmed that rebooting was the only resolution.

I'm not certain on the other version but is fixed in 7.6.7.

reddit.com
u/SmoothStrawberry7777 — 22 hours ago

Bulk rename APs in FMG

Hi all

We have just deployed a site with 100+ FortiAPs. Does anyone have any pro tips on renaming the APs in bulk?

Thanks 🙏

reddit.com
u/WabbitTamer — 1 day ago

EMS migration

Hi everyone,
I’m planning to migrate an existing FortiClient EMS 7.0.2 deployment to a fresh EMS 7.4 installation and would appreciate advice from anyone who’s been through this process.
My current understanding is that restoring the old EMS database isn’t an option in my case, so I’m planning to build a new EMS and migrate everything over.
My current plan is:

Deploy a new EMS 7.4 server.
Install a fresh EMS instance.
Manually migrate the configuration by:
-Exporting/importing Endpoint Profiles (where possible).
-Recreating Endpoint Policies.
-Recreating On-fabric Detection Rules.
-Reconfiguring system settings (SMTP, certificates, LDAP/ AD integration, assignment rules, tags, etc.).
Transfer the EMS license by requesting a Hardware ID change through Fortinet Customer Service.
Migrate endpoints using Switch EMS.
Verify all endpoints are communicating with the new EMS.
Decommission the old EMS once the migration is complete.

My questions are:
Is this the recommended approach, or is there a better way?
Since restoring the old database isn’t possible, is there any supported way to migrate the configuration besides manually recreating it? For example, are there tools, scripts, APIs, or export/import methods that can help preserve policies and other settings?
Which parts of the configuration can actually be exported/imported, and which ones always have to be recreated?
Are there any common pitfalls or lessons learned during this migration?
Any tips for making the endpoint migration with Switch EMS as smooth as possible?
Finally, if you were deploying a new EMS today, would you choose Windows or Linux, and why? I’m open to either if one provides a better long-term solution.
I’d really appreciate any recommendations, best practices, or real-world experiences. Thanks!

reddit.com
u/mebspace — 2 days ago

FortiClient 8.0.0 is out - still no VPN-only

Contrary to what some FTNT folks told us many months ago, it seems like the VPN-Only client is really gone ... 8.0.0 came out yesterday, and no VPN-only archive available (haven't tried installing it yet, though)

What viable alternatives are there for Windows & Mac instead? I have configs for Linux & StrongSWAN to connect with IPSEC, though of course MFA is not included there ...

reddit.com
u/Garry_G — 3 days ago

FortiNAC & MacOS

Hi everyone,
I’m looking at implementing 802.1X authentication for macOS devices with FortiNAC.
I know macOS supports 802.1X natively, but I’d like to hear from anyone who has deployed it successfully in production.
Are you using EAP-TLS (certificates) or another authentication method?
How are you managing certificates (Jamf, Intune, another MDM)?
Does FortiNAC work well with macOS over 802.1X, or are there any known issues or limitations?
Are there any special configuration steps or best practices for Macs?
If you’ve implemented this, is there anything you wish you had known before deploying it?

reddit.com
u/mebspace — 2 days ago

Is ZTNA part of the NSE4?

SSL VPN and ZTNA are not included in the official study guide fortios7.6 Administrator

reddit.com
u/ngt_x — 3 days ago

FortiClient 8

My organization has been using FortiClient free version for the past 5-6 years. I have been following the semi-official deprecation of the free version for the past few months. We have been using 7.4.3 now for a few weeks.

Now FortiClient 8 has been released and I see no free version (what I assumed would be the case).

Quantum Cryptography is becoming front and center in planning for our future with Google and Microsoft saying they should be fully or mostly using PQC by end of 2029. Naturally, FC 8 has PQC support.

I wonder what everyone else who is or recently was using the FC free version is planning to do.

I know we could get a license for on-prem EMS (but that would be another server to setup and maintain for our small team and there were just two high profile vulnerabilities in it just a couple months ago), or get Fortinet Hosted EMS (but not sure of the price with that), or drop FC altogether and go with a different VPN solution or SASE option etc.

We have two dialup IPsec tunnels right now, one for employees using organization machines and one for contractors that has a more limited scope of what can be accessed.

Trying to get ideas to present to management with expected costs and pros/cons. What is everyone else planning to do or what did you do at your organization?

reddit.com
u/iRyan23 — 3 days ago

FortiNAC / AD integrated groups not assigning VLANs automatically

Hi,

I am experiencing an issue with FortiNAC version 7.4 integrated with Active Directory (AD).

Although I successfully imported the AD groups into FortiNAC, the system fails to assign VLANs based on these AD group memberships.

As a temporary workaround, we created local groups in FortiNAC under System > Groups and manually assigned users to their respective groups. However, this is not an optimal or scalable solution. We need users to be dynamically and automatically mapped to their VLANs based on the integrated Active Directory groups.

Could you please help us resolve this automatic mapping issue?

reddit.com
u/Upset-Gur-7879 — 3 days ago

Prevent VLAN Jump by unplugging FortiAPs port

What are some of the ways to prevent users from unplugging FortiAPs and plug in their own computer to jump VLANs? Could you provide instruction on how to do this? Thank you!

reddit.com
u/renovatio522 — 4 days ago

FortiManager 7.6 administrator Lab

I am currently studying for FortiManager 7.6 administrator exam and I have had issues with labbing in GNS3 as I am having the issue with my 7.6.6 FortiGate VM and FortiManager VM where the SN of the FortiGate is not in the certificate so I cannot import the device into my FortiManager VM.

The only old version of FortiGate/FortiManager VM I have is v6 which I believe will not experience the issue with certificate. Would it be worth labbing with these older versions or will it be too different compared to 7.6? How much of an overlap is there?

Happy for any other recommendations on how to lab as I have completed NSE4 fine labbing with my 7.6.6 FortiGate VM!!!! Thanks

reddit.com
u/Dense_Grape9844 — 3 days ago

New perimeter FW

Hello everyone

we have a new project of adding a new perimeter firewall to the existing fortigate (which works as DC & perim) firewall

We have VPN LLs and internet connections aggregated at fortiswitch and fortigate connects to fortiswitch

Fortigate has 2 vdoms, main one is the root vdom which has VPN LLs, sdwan and site to site VPNs

The other vdom is for wifi which is still the same.

when transitioning from fortigate to perim firewall, removing the wan interface from fortigate to fortiswitch and replacing it with new cable to perim firewall ( act as lan from DC to perim) , is this a good see design ? As fortigate still has all sdwan policies on it for all vlans.

Add new cable from perim firewall to fortiswitch, which became the wan link for it, new mgmt cable to core switch

Is this a good design at all ?

My concern is the existing site to site VPNs on fortigate which use an internet interface/IP, can I replace the interface on VPN connection to the new lan port (fortigate to perim fw) and modify the local id so it can still see the original IP ?

u/kadicoo — 4 days ago

NSE 4

Hi,

I'm currently preparing for the NSE 4 certification. I wanted to ask if studying only the FortiOS 7.6 Administrator Study Guide is enough to pass the exam.

Is that guide the only resource I need, or are there other topics, documents, or hands-on labs that I should study as well?

In other words, if I fully understand the FortiOS 7.6 Administrator Study Guide, would that be sufficient to pass the NSE 4 exam?

Thanks in advance!

reddit.com
u/ngt_x — 3 days ago

Using LLMs against Fortigate configurations (claude.ai, gemini, Le Chat, DeepSeek, others)

Anybody started dabbling with LLMs (your flavour) and Fortigate configs?

I was wondering if they could be useful in the following contexts:

- running a check against a baseline configuration (settings sync between multiple FGTs)

- looking for and report sub-optimal or unsafe settings as per current best practices

- looking for signs of past compromises (excess local admins, other undesired modifications as per published past PSIRT / CVE indicators)

Are we near a useful level of maturity LLM-side, or still too many hallucinations and lack of consistency?

[EDIT: lots of interesting suggestions incoming... looks like an hot topic!]

reddit.com
u/CapiCapiBara — 5 days ago

IPsec Remote Access Can't Ping

I've got a user whose IPsec Remote Access VPN won't ping out when connected. It can access a file server via IP address (despite failing to ping it), but it's not able to get DNS, nor can I ping the DNS server or anything external.

The FortiGate is a 90G on 7.4.12, using the latest FortiClient VPN Only version (7.4.3.8758). There are a dozen or so other users currently using the same VPN connection, and I've confirmed that the policies haven't changed.

As soon as we disconnect VPN, normal web traffic resumes, including the ability to ping.

Any ideas?

reddit.com
u/popegonzo — 4 days ago

Multiple captive portal designs on FortiGate

Working on a group of restaurants where a single Fortigate will be shared between 2 or 3 outlets. Each outlet has its own branding, so we need to set up an SSID/VLAN for each outlet and a captive portal for Guest Wi-Fi. It will be a simple portal with a single shared guest access code.

In other words:
- Bob's Fish & Chips Guest Wi-Fi -> VLAN 20 -> blue and yellow coloured captive portal

- Jerry's Caviar House Guest Wi-Fi -> VLAN 30 -> gold and silver coloured captive portal.

Ideally they would also use separate login codes for each, so Bob's login code would be "vinegar" and Jerry's login code would be "crackers".

Is there a way to create multiple captive portals each one with a different design on the same FG?

UPDATE: Claude figured it out...

config system global
set gui-replacement-message-groups enable
end

reddit.com
u/leftplayer — 4 days ago

NSE4 certification

Hi, I'm still fresh in Fortinet firewall. My company required me to take NSE4 certification.

My question is what will be different after 14 July, because from my understanding we have to:

  1. take nse4 and pass it

  2. choose 1 nse 5 tracks and pass it

so what will be different and is my prep enough?

-do dummy question

-finish 13 hour course on Fortinet training

the lab is too expensive for me right now.

reddit.com
u/tiny_txt88 — 4 days ago

I failed my NSE4 exam yesterday.

And I know why I failed. The CNF/Cloud part in general brought my score to the floor. The surprising part is my co-workers, manager included, are utterly surprised that I dont / have not used dumps for my exams ever (CCNA, az-900). They are all almost iterating the same phrase: “You just study and then use a dump to verify the knowledge. Thats how we all do it.”

I told my manager that if i fail the exam, it is because of a fault in my studying and thats what I should be working on, not figuring out ways to cheat, and honestly he was lost for words. To be honest its kinda sad to learn that this is the way 90% of people get around certificates these days.

u/4rty7 — 5 days ago