Hi Alex, really appreciate your explanation. Could you please confirm where 208.59.51.196 was configured? Was it the NATted public IP of the FGT WAN?
Good video, but it would be helpful if you described why you were making those additional changes on the CLI. Fortinet is goofy and not always straightforward, so you have to explain why you're doing things; otherwise you're just another demo video.
Had a conversation with Fortinet. They said that 2.4 GHz is recommended for backhaul as it travels better than 5 GHz, especially through objects and structures. They found that the majority of APs in a mesh configuration are in different rooms/areas, and it is rare that they are in the same open space. As users are connecting in the same space to one of the APs, they don't have to worry about going through walls, as an example; this has worked out better. After the change we noticed better performance for sure on non-cabled APs using mesh. Again, it would depend on the situation... A house with drywall instead of concrete-filled block walls in office spaces is probably better going the opposite way, or something like large venue halls and gyms definitely want to go backplane on 5 GHz.
Nice... but at 33:33 you said bridge mode does not use CAPWAP? Isn't the FortiAP itself managed by CAPWAP to begin with? This is the Security Fabric Connection checkbox that must be enabled on the FortiGate interface that the AP connects to in order to be authorized. Formerly known as CAPWAP in older FGT OS.
I've set up 2 FortiAPs via FortiCloud. However, after a few days, clients connected to the second AP are unable to access the internet. Both APs are connected to the same network. Can you please provide any suggestions to resolve this issue?
Did you pre-configure the 'ZTNA Destinations' in FortiClient before configuring the 'ZTNA Destination' in FC-EMS? That's a step you don't show, and my destinations from EMS aren't synchronized to FortiClient. Thanks, E
Thanks for the video Alex... I have a few doubts. The connection from FortiClient to the FortiGate to access the ZTNA server is through the SSL VPN only, right? You said that the packet will be wrapped in HTTPS and sent to the FortiGate; getting confused 😕... One more doubt is that the ZTNA rules will be applied after decrypting the SSL packet, right? In this case, will the normal firewall policy not be applied after decryption?
Does it work for other use cases besides RDP, for example when a certain system-based user account is used for PowerShell or other protocol access to a corporate server?
Let's say, currently, there is one big trust environment that has all the items users need, and users use FortiClient to connect back using an IPsec VPN and channel all traffic back in, including internet, which then gets inspected via security profiles using only one primary FortiGate corporate firewall. Isn't this doing the exact same thing?
Nicely done! I am a network engineer at an enterprise company, and we have Meraki at all the plant locations but have FortiGate in the cloud. I personally dislike Meraki for multiple reasons. Hoping to move to Fortinet in the future. Meraki is great for an SMB, but not enterprise.
Yes, on prem EMS needs to have ports open on the upstream firewall to allow remote devices to communicate with it. A list of the necessary ports can be found here: docs.fortinet.com/document/forticlient/7.2.2/ems-quickstart-guide/439480/required-services-and-ports
@fortialex Thanks. Do I need to put that EMS server in the DMZ, or will a VIP with static NAT be fine, and then put that VIP in FortiClient so it can communicate with the EMS server from the outside world?
Thanks for the video, it did help, but I had to contact Fortigate because the tunnel would not come up. It turned out that the FortiGate was advertising the FQDN and not the public IP. We had to enter the command "set localid-type address" and then both ends came up.
I was wondering: we have a Meraki Mesh (Auto hub) of 6 units in various states. Got the FortiGate to establish a tunnel from one of the Merakis in the mesh, but how would you go about creating the rest of the tunnels on the FortiGate side? Any tricks? We have tried duplicating what is working for the first, and no dice every time.