Welcome to FortiBytes, your ultimate destination for bite-sized video content focused exclusively on Fortinet products. Led by a highly certified engineer with over 14 years of hands-on experience, we are committed to providing you with invaluable insights, comprehensive video guides, engaging discussions, and exclusive walk-around events. At FortiBytes, we understand the complexities of Fortinet's product lineup, and our mission is to simplify it for you. Our highly skilled engineer will break down the most intricate concepts into easy-to-understand snippets, ensuring that you grasp the full potential of Fortinet's cutting-edge technology. Whether you're a seasoned professional seeking advanced techniques or a beginner looking for introductory guidance, FortiBytes is here to cater to your needs. Our weekly uploads cover a wide range of topics, including configuration tutorials, troubleshooting strategies, best practices, and in-depth discussions on the latest Fortinet updates.
Hi Sir, I have some questions confusing me. The CTAP config file was without any policy, routing etc. If I restore the CTAP file to my FG, will it cause all my configuration to be gone, right? Hope I can get your reply. Thanks a lot.
Hi, yes, if you restore the CTAP configuration file then it will remove any existing policies, routes etc. and replace them with what is required to conduct the CTAP!
Sir, I need to forward multicast IP packets coming from an MPLS router through the Fortinet FortiGate 60F firewall. I have configured the firewall as follows: 1) Under network--->interfaces---> two ports have been configured, one as "INPUT" (to receive data from the router) and the other as "OUTPUT" (to send data). The "INPUT" port IP address is in the same IP group as the router port to which it is connected. The "OUTPUT" port IP address is of a different group. 2) Under policy & objects--->addresses---> a total of five (05) multicast IPs have been defined. Interfaces have been set to 'all/any'. 3) Under policy & objects--->multicast policy---> the input interface is set to "INPUT", the output interface to "OUTPUT", the source address to "ALL/ANY", and the destination address to the five (05) multicast addresses that have already been defined. Protocol is set to UDP with port range 1 - 65535. Strangely, I am getting only one multicast IP on the "OUTPUT" port. I mean, the firewall is forwarding only one multicast group from the INPUT to the OUTPUT port. It will be very helpful for me if you can provide any solution for this.
Hey, sorry for the slow reply, I have been away. Check out this guide - docs.fortinet.com/document/fortigate/7.6.0/administration-guide/968606/configuring-multicast-forwarding
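For readers following the exchange above, here is what a multicast-forwarding configuration of the kind described (two interfaces, five groups, UDP on any port) looks like in the FortiOS CLI. This is an added example, not the commenter's configuration and not text from the linked guide; the interface names INPUT and OUTPUT are taken from the question, while the group addresses 239.1.1.1 to 239.1.1.5 and the policy ID are assumed for illustration. It uses the simple multicast-forwarding mode (no PIM) and finishes with a sniffer check on the OUTPUT interface so that each group can be verified individually.

```text
# Added example (FortiOS CLI), not from the original thread. Interface names
# INPUT/OUTPUT come from the question; group addresses are assumed.

# 1. Enable multicast forwarding (the non-PIM mode the linked guide describes).
config system settings
    set multicast-forward enable
end

# 2. One multicast address object per group. Each object must be a separate
#    entry; the multicast policy references them by name.
config firewall multicastaddress
    edit "mcast-239.1.1.1"
        set start-ip 239.1.1.1
        set end-ip 239.1.1.1
    next
    edit "mcast-239.1.1.2"
        set start-ip 239.1.1.2
        set end-ip 239.1.1.2
    next
    edit "mcast-239.1.1.3"
        set start-ip 239.1.1.3
        set end-ip 239.1.1.3
    next
    edit "mcast-239.1.1.4"
        set start-ip 239.1.1.4
        set end-ip 239.1.1.4
    next
    edit "mcast-239.1.1.5"
        set start-ip 239.1.1.5
        set end-ip 239.1.1.5
    next
end

# 3. A single multicast policy that lists all five group objects as
#    destinations. Protocol 17 is UDP; the port range covers all ports.
config firewall multicast-policy
    edit 1
        set srcintf "INPUT"
        set dstintf "OUTPUT"
        set srcaddr "all"
        set dstaddr "mcast-239.1.1.1" "mcast-239.1.1.2" "mcast-239.1.1.3" "mcast-239.1.1.4" "mcast-239.1.1.5"
        set protocol 17
        set start-port 1
        set end-port 65535
        set action accept
    next
end

# 4. Verify per group: run the sniffer on the egress interface for one group
#    at a time (verbosity 4 prints interface names). A group that shows up on
#    INPUT but not on OUTPUT is being dropped or filtered on the FortiGate.
diagnose sniffer packet INPUT  'dst host 239.1.1.2' 4 10
diagnose sniffer packet OUTPUT 'dst host 239.1.1.2' 4 10
```

The point of running the sniffer on both interfaces for each group separately is to tell the two failure modes apart: if a group never arrives on INPUT, the upstream router is not sending it (an IGMP or PIM question on the router side), and no FortiGate policy change will help; if it arrives on INPUT but not on OUTPUT, the drop is on the FortiGate and the multicast policy, the address objects, or the multicast-forward setting is the place to look.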
@FortiBytes I think it does have to be the "local" DNS in order to resolve the local hostnames... in my case we have FAC on the internet and not on the local network... FAC is configured with a public DNS and it is failing...
Thanks for the video. Question here: after adding the info of the new devices in the CSV, do we have to authorize them manually in the FMG? I want to import a device via IPsec while the devices are in remote locations. Does it mean I have to get an ipsec-mgmt tunnel up before pushing the config via CSV? If you could make a video around it, it would be great to see. I guess in most cases this use case is implemented very often. Thank you for the series, great efforts. New subscriber 😊
Hey, if you add the device via a CSV file then it should be inside the database and pre-approved. Approval is done based on serial number, so you should be OK, actually! If you get it working let me know; I'm not 100% sure, so I'd be interested to know.
Hey buddy! May I ask, using SSO with deep packet inspection configured, can I still exclude certain category of websites like finance without any problem?
Make sure you look into some of the other videos on the channel, especially deep packet inspection, as most of the traffic going through your device is encrypted, so you need some additional steps to be able to see into that traffic.
Hello, I would like to ask three questions. 1. Is there an architecture diagram for this video, including all IP addresses? 2. Is there any pre-configuration that needs to be completed at the beginning of this video, such as IPsec VPN SD-WAN, and then set up after the VPN is established? 3. Regarding the FAZ IP, I don't know much about it here. Are the FAZ IPs of HUB and SPOKE the same? If so, do all the points need to be connected to the same FAZ in the front end?
Hi, thanks for reaching out. Answers below. 1. I'm afraid there isn't an architecture diagram; I'll look at doing this for future videos. 2. This is part of a video series, please watch the videos prior to this one. 3. All FortiGate devices should point to the same FAZ unit. This will then be distributed via the Security Fabric.
@FortiBytes So I don't seem to be getting any log/alert of "Routing information changed" when my SD-WAN route gets turned off. Do I need to enable detailed logging somewhere?
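The two comments above touch the same configuration area: pointing every FortiGate at one FortiAnalyzer, and making sure router events are actually being logged so that a route change shows up at all. The following FortiOS CLI fragment is an added example, not from the thread or the video, showing where both settings live; the FortiAnalyzer address 10.10.10.20 is assumed for illustration. It does not claim to be the fix for the missing "Routing information changed" entry, only the first two things to check before looking further.

```text
# Added example (FortiOS CLI), not from the original thread. The FAZ address
# is assumed; apply the same FAZ target on every FortiGate in the fabric.

# 1. Send logs to one FortiAnalyzer, in real time, over a reliable (TCP)
#    channel so that event logs are not lost when a WAN path flaps.
config log fortianalyzer setting
    set status enable
    set server "10.10.10.20"
    set upload-option realtime
    set reliable enable
end

# 2. Event logs are filtered by category. Route changes are "router" events;
#    if that category is disabled, no routing-change entry is ever produced,
#    so nothing reaches the FortiAnalyzer regardless of the settings above.
config log eventfilter
    set event enable
    set system enable
    set router enable
end

# 3. Checks: confirm the log path to the FortiAnalyzer is up, then confirm
#    the SD-WAN health checks are reporting the member state you expect.
execute log fortianalyzer test-connectivity
diagnose sys sdwan health-check
```

If the connectivity test succeeds and the router event category is enabled but the entry still does not appear when the SD-WAN member is taken down, the next place to look is the SD-WAN health-check output: a member that is marked dead by the health check without its route being withdrawn will not produce a routing-table change, and therefore no router event.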
Thank you for the video. I do have a question: in the case of internal traffic leaving to the internet, why do we need to apply the IPS signatures and filters as well? Is it enough just to enable Block Malicious URLs and Outgoing Connections to Botnet Sites, so you can save memory and CPU?
Hey, great question, and it's something that comes up quite frequently. If you have the resources to do so then it's best practice to apply IPS to outbound policies also. Sometimes malware gets inside your environment, meaning that the traffic originates from the inside; let's use a TCP-based reverse shell, for example, communicating back to a known C&C server.
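To make the reply above concrete, here is what attaching an IPS sensor to an outbound (LAN to internet) policy looks like in the FortiOS CLI, as an added example that is not the channel's own configuration. The interface names port1 (LAN) and port2 (WAN), the sensor name and the policy ID are assumed for illustration. The sensor enables botnet C&C blocking inside IPS and blocks medium-and-above signatures, and the policy applies it alongside SSL certificate inspection so that the outbound direction is not left uninspected.

```text
# Added example (FortiOS CLI), not from the original thread. Interface names,
# sensor name and policy ID are assumed.

# 1. An IPS sensor for outbound traffic. scan-botnet-connections block uses
#    the FortiGuard botnet C&C list; the entry below additionally blocks
#    medium, high and critical severity signatures in both directions.
config ips sensor
    edit "outbound-ips"
        set comment "IPS for LAN-to-WAN traffic"
        set scan-botnet-connections block
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# 2. The outbound policy. Without utm-status and an ips-sensor, traffic that
#    originates inside (for example a reverse shell calling home) passes with
#    no signature inspection at all; this is the setting the reply recommends
#    against. With them, the sensor above is applied to every matching flow.
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "outbound-ips"
        set logtraffic all
        set nat enable
    next
end
```

On resource use: with an IPS sensor applied, the inspection cost is paid per flow, so the realistic trade-off on a small appliance is to scope the outbound sensor to medium severity and above rather than to leave the outbound direction without IPS entirely. Certificate inspection keeps the policy cheap; switching the profile to deep inspection is what makes encrypted C&C traffic visible to the signatures, at a correspondingly higher CPU cost.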
Forgive me, I am pretty new to Fortinet equipment and still learning. What benefit would there be to using this if I were to use FortiManager in an enterprise? Would this work the same as an ADOM in FortiManager, which shares a policy and object database with devices in the same ADOM? Great video and fantastic explanation! Thank you!
Hi Will, good question! Let's say that your company was called companyx but you had no requirement to manage or segment the deployment; then you're basically just using a single ADOM. Where the magic happens is if you're a larger company or an MSSP and you need to manage several companies, let's say companyx, companyy and companyz; then you could create separate ADOMs for them all. Everything inside an ADOM is segmented; however, you still have the ability to deploy global policies that can be shared across ADOMs (very common with Fortinet MSSPs).
Commendable attitude on sharing your knowledge, my brother, but I've got a question that is bothering me and actually got me stuck with the firewall study. I've got a FortiGate 7.4 running in VMware, and there is a LAN segment where I put the VMs I'm using as a lab, and even with the Fortinet_CA_SSL.cer installed on both the OS and the browser, I still get the same error, and it does not allow me to "Accept the risk and continue". I've literally done only this: created a permissive policy and added the SSL inspection; as soon as I turn off the inspection, it goes back to working properly. THE ERROR: "Firefox detected a potential security threat and did not continue to www.google.com because this website requires a secure connection." Thank you for your content, hope you see my comment, peace to you my man.
Hey, really sorry, I never got notified that you had commented. I'd suggest playing around with which folder the certificate is installed in; look for Trusted Root Certification Authorities.
Good video! In my case, when I enable proxy ARP there's no need to configure a policy because it allows all traffic automatically. I don't want to allow all the traffic, but when I create the policy it still allows all. Any suggestions?
Hopefully we get to enjoy web filtering for a while longer before Encrypted SNI grows in adoption and starts to require deep packet inspection to work.
We're starting to look into FortiFlex too at our MSSP. We're planning on starting off using it as a flexible pool of points to spin up lab environments in a private cloud environment and "PAYG".
In my experience, customers rarely care about intra-VLAN communication. They should be caring, though. Enabling this FortiGate/FortiSwitch feature brings the necessary extra visibility and enforcement controls like you showed us. Good video Chris!
When I initially encountered FortiDeceptor as a new product, I was quick to label it a honeypot. Since it came out, it has definitely proven itself way more capable than just a honeypot.
Having this kind of device posture / compliance checking for network-level access to a network resource is killer, and I bet we'll see a steep rise in the adoption of technologies like these moving forward.
Wondering if Fortinet is using their own "Endpoint Vulnerability" signatures for this scanning or a third-party engine, and if Fortinet will ever (re)publish a network-based vulnerability scanner for self-hosting... :)