Hey Kuda On your ssl settings, confirm which port your Fortigate is listening on, then check if the security group that your WAN ENI belongs to has that port allowed.

This is a most common issue, let me know either way..

@@staticroute Hi Sir, Thank you very much for reaching back, I appreciate it. I am checking on the above and will revert back shortly.

Hi Sir, it worked like a charm, Thank you very much.

Now I have one question, on my interfaces, for this to work, do I need to configure my LAN interface with dhcp like how we normally do it onprem and also do I need to change the role for my public subnet interface to WAN?

Hey Gavin, it’s just 3 Cisco routers sharing routes using OSPF between themselves, the other one at the bottom is Out of band management…basically my home network so I can connect using GUI, going forward, I’ll zip and share all configs to the labs

@@staticroute Thank you very much!

hey there, unfortunately up until now I don't keep the configs once I'm done with the video. However, I will be releasing more videos focussed on advanced routing with Cisco routers. But going forward I will upload to Github all config files :-D

Hey friend, apart from the fact that your overlay technologies will always require for underlay to have valid routes to the destinations, in SDWAN, a member that does not have a valid route to the destination will be ignored by SDWAN. As it happens I think it’s time to review and do a new video on the topic, I’ll drop you a message to let you know when it’s ready.

Hi there, excellent question, thank you.... check this out: docs.fortinet.com/document/fortigate/7.4.0/new-features/670140/multiple-interface-monitoring-for-ipsec-7-4-1

@@staticroute Thanks 🙌

short answer....for home use you're better of with a free enterprise-grade firewall that stays up-to-date with threat prevention, antimalware, etc like Sophos XG, check that out...

thank you very much ...

thank you, there are certainly more videos coming up in the near future!!

It’s really hard to work with Fortigates because of licensing limitations, I don’t have licenses either. The images work for a short time, then they stop working for no reason 😃

You should try with just NAT traversal and use outside addresses, I think port forwarding might break your VPN

thank you...and yes I'm certainly planning on it, plus there are several ways to achieve that. I will be putting together a lab in the near future on this topic

@@juan5392 most certainly..! Thank you.

This config is not as straight as one would hope, but the spokes do use their hostname/local-id as username and the PSK as the password. It' not a simple username|password combination..check it here: docs.fortinet.com/document/fortigate/7.4.4/administration-guide/6896/fortigate-as-dialup-client

That should be possible, when you enter into "config neighbour" BGP hierarchy, you are able to specify interface to associate with BGP as well as update source. I haven't done this type of deployment myself and I won't be able to lab it up anytime soon because I deleted this lab...annoying Fortinet license expiry issue, please give it a shot and let me know...

Yeah I think I'll try to lab it at somepoint. Maybe it's more for larger networks/mssp's and not really an issue for us. I was just thinking that since i'm doing greenfield advpn/bgp setup would be better to do it with loopback from the start and make it more futureproof. Also I was looking at the 7.4 docs and there are some new features like active dynamic BGP neighbor triggered by ADVPN shortcut. I hope you can do more videos in the future👍👍

To my knowledge any Fortigate with hardware acceleration chipset can offload IPSec unless disabled. ADVPN just has an additional extension and should still offload to NPx…

Maybe someone knows more about this and can show us with hardware 300x hardware…

@@rjnasr8078 😬 hey bro, to be honest, I’m not yet loyal to either one of them, but I want to give EVE a chance for a while…

@@staticroute I had a lot of issues with GNS3 and it was very time consuming. So far eve-ng seems to be smoother.

​​⁠I noticed the same thing but both on EVE and GNS3, in my case configs that works one moment stop working for no reason, turns out it was related to device license status, if it turns to ‘invalid’, then all hell breaks loose…be on the lookout for that

@@staticroute I thought I sent out a response to this ages ago. Yes I also had some weird stuff happening and have to start from scratch. Hope you're well.

Hey there, you're probably looking for something like ADVPN, I'm uploading a video on that very topic right now, should publish in a few hours. ADVPN improves on Dialup VPNs by enabling spokes to make on-demand connections to each other therefore literally achieving "full-mesh". In the video, I setup BGP with Hub as route reflector, in the case of OSPF, the config is a tiny bit different...please check it out, I'd be interested to know if it's what you're looking for.

@@staticroute Finally i could fix it, no ADVPN needed. Well on the HUB, Phase2 Selectors is Local and Remote 0.0.0.0 0.0.0.0 and i had to delete static routes toward the branches, cause Only if the Interface Name in the routes is with "_0" or "_1" etc. it knows to which tunnel the traffic needs to go, if there is a static route on the Hub toward the branches the interface in the route not has "_0" in it, so it can`t know which peer it should take On the Branches, the Phase2 Selector is local the local Subnets and Remote is also just 0.0.0.0 0.0.0.0, cause Fortinet can handle that.

I will certainly look into it shortly...thank you ..

Hey Lorenzo, the big idea with this lab was eBGP, weight doesn't get exported out to eBGP peers, it doesn't even get exported to local peers within the AS because it's locally significant to the router. Unlike LocalPref, which can atleast propagate within the AS. I'm actually going to post a follow up video on BGP soon based on a lot of interest I'm seeing on this topic...I hope I've answered you..?

@@staticroute You definitely have, thank you - looking forward to that next video!

Thank you

I think of the loopback interface the same as VLAN interface,they’re both logical interfaces

Hey Thiago, were you satisfied with the answer?

@@staticroute He ment how it's pingable and it private ip address, have you configure VIP for LOOPback interface to be reachable!!

Hey, just curious and looking to improve things always, do you mean the background music volume is too high or you’d prefer no background music altogether?

@@staticroute seems particularly high in this video but I'd prefer none at all.

Better pls proceed without background music

Thank you very much, noted, yours is one of 2 comments about the background music, I appreciate it 👍🏼

Apologies, I should have started how good your tutorials are, very easy to understand and quite professionally edited. I'd appreciate if you do a video on advance BGP scenarios with route tags, route target, and how to use communities to accept routes and based on community route to specific peer

you're 100% right SDWAN does it's own link monitoring and I hope to cover that in later video

@@staticroute Thank you

please create one sir ​@@staticroute

Thank you very much 😀🤟

Yes it is, it turns out that’s how it works and I suppose it does make sense

Yes absolutely..

I’m probably doing that one next..

@staticroute

remote firewalls present their "local-id", which we set to ftg02 and ftg03 on each site plus the psk. FTG01 will be expecting these specific Peer-IDs so they have to match. FTG01 is like domain controller with user accounts, etc, and local-id is like username, psk being the password. it works in the same way with certificates

@@staticroute ok budy, now i got it, make all sense right now for me, thank you so much

Ah man I’m so happy this has been of value, let’s keep at it…

ok so the VTI's stay the same always when you reload .. Is that correct? ..

That's a critical point you're raising and the simple way to address that I think would be with the following config update on the DC fortigate: config router bgp set as 100 set router-id 1.1.1.1 set recursive-next-hop enable config neighbor-group edit "remote-fw" set remote-as 100 next end config neighbor-range edit 1 set prefix 172.16.100.0 255.255.255.0 ----->define the range as the VTI address scope, you can make this smaller if you need to. set max-neighbor-num 2 ----------> also this should probably match the number of peers you expect should peer with your DC FW. set neighbor-group "remote-fw" next end

There's a similar config here: community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127

Thanks, could you please explain the neighbor-group and neighbor range configs? So if I defined the phase1 range as set ipv4-start-ip 10.215.1.1 set ipv4-end-ip 10.215.1.250 set ipv4-netmask 255.255.255.0 and then defined the prefix as set prefix 10.215.1.0 255.255.255.0 Does that mean the hub will setup a bgp neighbor for each ip it address it's allocated for the spokes ? Is there a way to control which ip address is allocated for which spoke and keep it that way. I'm trying to make sense of the below config, I can add the max-neighbor command . config router bgp set as 65410 set router-id 10.20.41.1 set ibgp-multipath enable config neighbor-group edit "SPOKE_ISP_1" set interface "TUN_INET_ISP1" set remote-as 65400 set update-source "TUN_INET_ISP1" set route-reflector-client enable next edit "SPOKE_ISP_2" set interface "TUN_INET_ISP2" set remote-as 65410 set update-source "TUN_INET_ISP2" set route-reflector-client enable next end config neighbor-range edit 1 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_1" next edit 2 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_2" next end

Yea I’m definitely doing a video on that soon…

Thank you

@@MrSatadal for sure! I'm particularly interested to hear your thoughts about this config 😀

In our example, we don’t require the use of routing protocols, so the tunnel interface doesn’t need an ip address.

@@staticroute can you please make a video of dial UP ipsec with BGP? If already have the video please share link.

I’m publishing that video today, thank you for the suggestion..

Fortigate BGP over a Dialup VPN Site-to-Site Configuration kzbin.info/www/bejne/Y6HSo4iZeL-brqc

I hope this is what you were looking for, let me know..

Sure thing! I have a plan for more videos on the topic

hey Anand, yes certainly, that is in fact part of an upcoming "Networking Fundamentals" series, I estimate I will only begin working on it near the end of the year...

From the fortigate packet flow perspective - dnat then to route lookup to snat order and where the session table fits in that. Thank u

@@AnandNarineI’m so glad you’re quiet right… about the order and I found this document to support your statement: docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading Session table is part of stage 3 - stateful inspection and session management, after traffic is forwarded and a 3-way handshake is complete and session established… Thank you for a great question…I had to double check it before answering 😅

Do u know if a policy lookup needs to be done to allow new traffic Before it gets entered into the session table?

@@AnandNarine yes correct, otherwise you won’t see that traffic in session table