When importing policies and objects from the currently selected FortiGate revision history config file, a summary of the objects that will be updated, imported, renamed, and skipped (duplicates) is listed before the import actually runs. This article defines the different actions that will be taken on the objects listed …
This article describes how to set the admin password to empty. Step 1: The admin password as set by default: # config system admin edit "admin" set accprofile "super_admin" set vdom "root" set password ENC SH2CBKZWErh1aIVtjkiFqgUE7jz89aIEAIEq**bleep**DDoswa8dsBN03ce/J2RQ6BA= next end Step 2: Use the CLI below to set the admin password to empty: FG1500D_14 # config system admin FG1500D_14 (admin) …
This article discusses the notification message 'Open: Invalid Router ID' in BGP debugs. Background: FortiGate F7 and F6 are configured with BGP to learn dynamic routes. 172.16.20.0 -- F7 -- ISP -- F6 -- 172.16.30.0 After the BGP configuration, the following notification message can appear on the FortiGate while the BGP peers are exchanging messages. f6 # BGP: 7.7.7.7-Outgoing [DECODE] Open: Invalid …
This article illustrates the issue where the connection status to AD is successful, but the AD connector status is down. The connector settings are configured as follows: It is possible to run debug to check for the error message: # diag deb authd fsso -1 # diag deb en An error message appears for 'wrong …
MAC Authentication Bypass (MAB) is supported to accept non-802.1X-compliant devices onto the network using their MAC address as the authentication credential. Solution: Enable MAB on FortiGate. Apply the command below to enable MAB on FortiGate: # config sys interface edit "<>" set vdom "root" set ip 192.168.1.1 255.255.255.0 set allowaccess ping radius-acct set security-mode captive-portal set security-mac-auth-bypass …
This article describes how to fix the issue where, after connecting to SSL VPN via FortiClient, users may experience connection issues for up to 10 minutes on Dell laptops with Windows 10/11. This affects both setups with split-tunneling enabled, where FortiClient pushes the split subnets to the Windows routing table, and setups where all user traffic …
This article describes the issue where FSSO events are not collected by FortiGate after the upgrade of FortiAuthenticator to 6.4.5. Solution: Disable the 'Enable encryption' feature. FortiAuthenticator now offers a server-side TLS support option so that FortiGate, as an FSSO client, can be configured to connect to FortiAuthenticator over a TLS connection, and this is enabled …
This article describes the process of initial ftm-push troubleshooting. Solution The following are troubleshooting steps to perform when FortiToken Mobile push notifications have been configured but the user is unable to log in after tapping 'Approve' in the FortiToken Mobile app. Step 1: Check if FTM is enabled in the Administrative Access of the wan interface under …
This article describes how to use FortiGate’s IoT Detection Service to identify the Hikvision IP Camera device and app that is vulnerable to the recent command injection vulnerability. The vulnerable device and app can be identified from the Security Fabric > Asset Identity Center when the FortiGate interface connected to the IoT device has device …
This article describes how to troubleshoot FortiGate admin access configuration with Google SAML authentication. Solution FortiGate acts as the Service Provider (SP) and Google acts as the Identity Provider (IdP). SP: the party providing the service. IdP: the party performing the authentication. FortiGate admin access SSO is part of the Security Fabric, where the …
This article describes the configuration to check when an administrator cannot run debug commands in the FortiGate CLI. In some environments, administrators can be restricted from running debug/diagnostic commands while still being allowed to change the configuration. Solution If the 'Unknown action 0' error appears when running a debug command such as the following: # diagnose debug application sslvpn -1 …
This article describes the method to generate a test log from FortiGate. The test log is useful to verify the logging status. Customizing the test log text lets the user add a description that makes the test log easy to identify. Solution CLI command: # diagnose log test-text <log-id> <level> <text-log> [<repeat>] Sample: # diagnose log test-text "0100020014" "critical" "" …
This article describes how to configure local certificate expiry Automation trigger with an email notification action. The main use case is to be notified by email if any local certificate is expiring, so the certificate can be changed before expiration. Solution One might want to remind an administrator to re-sign or load a new local …
This article describes some common local RADIUS failures in FortiNAC, the accompanying debug logs, and a few examples. Enable debug and view logs via the UI (versions 9.2 and greater) The following steps describe how to perform basic debugging of the Local Radius Server via the FortiNAC GUI, in order to verify that the processes are working as expected …
This article describes how to match the SSL-VPN user to all of its groups once it is authenticated on SSL-VPN. Solution Step 1: 'sslvpntest1' has been used as a sample SSL-VPN user. Step 2: The 'sslvpntest1' user is a member of 'sslvpngrp1', 'sslvpngrp2', 'sslvpngrp3', 'sslvpngrp4' and 'sslvpngrp5'. Step 3: Make sure to have configured IPv4 …