This article covers the procedures for deleting the local-in policies currently displayed on the FortiGate GUI. Scope Local in policies regulate the traffic and services that are dedicated to FortiGate interfaces, in contrast to standard firewall policies. To have precise control over the services, source, and destination addresses, administrators can design a custom local-in policy …
This article describes how to deny uploading images, documents, or videos in WhatsApp web conversation by using the application control signature. In order to control web WhatsApp upload traffic that would require enabling SSL deep inspection + application control profile in the firewall policy. Step 1: Go to Security Profiles > Application Control. Step 2: …
This article describes the reason why an IPv6 gateway may not be reachable and a workaround using RFC6164. Solution A simple analogy for an IPv6 subnet-router anycast address is that it looks like a ‘network address’ for IPv4 as it is the first address in a subnet. For example, if the prefix for the subnet …
This article describes how to broadcast SSID’s in a vdom other than where the FortiAP is managed from. Scope FortiGate with multi-vdom mode enabled. Solution When multi-vdom mode is enabled in FortiGate, a FortiAP will be managed by one vdom; however, it can be used to broadcast SSID’s created in a different vdom. By default, …
This article describes how a FortiSwitch that does not support FIPS can be managed by a FortiGate in FIPS mode. Scope FortiGate in FIPS mode and FortiSwitch in non-FIPS mode. Solution FortiGate in FIPS-CC mode impose restrictions in different settings, especially related to supported algorithms for secure communication channels. Not all FortiSwitch models support FIPS …
This article describes how to hide the Username and Password fields, as well as the Login button prompts, on the SSL-VPN Web Mode login page without impacting SSL-VPN functionality. This might be done by an administrator if: Web Mode SSL-VPN users should only have the option of logging in via SAML authentication, but: Tunnel Mode …
This article tries to give more insight into digital certificates, their use, and validation. Scope This applies to multiple products. Digital certificates are typically used to build up TLS tunnels in various products, FortiClientEMS, FortiAnalzyer, FortiGate, FortiNAC, FortiAuthenticator, FortiWeb, and many more. All of them use certificates already with the web server so where the …
This article explains describes how to download the Forticlient VPN manually from the Fortinet website.
This article provides an example of configuring SSL VPN user to restrict either to tunnel mode or web-mode in SSL VPN using Radius authentication.
This article describes how to check if a certificate and key belong to a CSR. In this example, the CSR is created on the FortiGate, and it is signed manually by a 3rd party.
This article describes how to add/update the Operating Systems list in Endpoint compliance configurations. In some scenarios, the Operating System list in FortiNAC is not updated automatically or in some situations, Windows 11 and/or Windows 2019 Operating systems are not showing in the list.
Problem Symptom Recently I need to add a new AD group to the firewall FSSO setup to be used in a policy. The new AD group is not showing.
This article describes why FortiAuthenticator Agent for Microsoft Windows does not display any domain. Under Two Factor Authentication > Configure, no domain is seen. Even Windows 10 client machine is added in domain, FortiAuthenticator Agent for Windows does not display any. The reason is that FortiAuthenticator Windows Agent is installed using a local account, instead …
This article describes how to refresh/clear the wad user/group cache on FortiProxy version 7.0.x. As wad maintains its own cache for user & group information. In firmware version 7.0.x, the old command to refresh/clear wad user/group cache doesn’t exist. Step 1: Clear the existing user cache using the below CLI commands: # diagnose wad user …
This article describes how to block Aadhaar and PAN number using regular expressions. Aadhaar is a 12 digit number with first digit not either 0 or 1. It contains white space after every 4 digits and contains no alphabets. Below regular expression can be used to identify Aadhaar: ^[2-9]{1}[0-9]{3}\\s[0-9]{4}\\s[0-9]{4}$ <—– (^ Start of string, $ …
