Hi Sir, thank you very much for the above video, very helpful. I am having challenges with setting up the SSL VPN in an AWS-hosted FortiGate instance. Would you be available to assist?
@staticroute · 6 days ago
Hey Kuda, on your SSL settings, confirm which port your FortiGate is listening on, then check if the security group that your WAN ENI belongs to has that port allowed.
@staticroute · 6 days ago
This is a very common issue, let me know either way..
@kudakwashemujiri6621 · 6 days ago
@staticroute Hi Sir, thank you very much for reaching back, I appreciate it. I am checking on the above and will revert back shortly.
@kudakwashemujiri6621 · 6 days ago
Hi Sir, it worked like a charm, thank you very much.
@kudakwashemujiri6621 · 6 days ago
Now I have one question: on my interfaces, for this to work, do I need to configure my LAN interface with DHCP like we normally do on-prem, and do I also need to change the role of my public subnet interface to WAN?
@waheedahmed3511 · 3 days ago
Where have you used username/group (authentication) on the spoke FortiGates...
@GavinScruton · 15 days ago
This is a great video! Thank you very much! What router/node did you use for the "Internet", as I am trying to create a lab like this but battling to create the "false" internet. Thanks again!
@staticroute · 15 days ago
Hey Gavin, it's just 3 Cisco routers sharing routes using OSPF between themselves; the other one at the bottom is out-of-band management… basically my home network so I can connect using the GUI. Going forward, I'll zip and share all configs for the labs.
@GavinScruton · 15 days ago
@staticroute Thank you very much!
@yanivaloosh4597 · 27 days ago
Can you please share the Cisco routers' configuration?
@staticroute · 17 days ago
Hey there, unfortunately up until now I don't keep the configs once I'm done with the video. However, I will be releasing more videos focused on advanced routing with Cisco routers, and going forward I will upload all config files to GitHub :-D
@Cut-raw · a month ago
Hi SR, thanks for the video! Straight to the point. SSL VPN is disabled/hidden by default in the newest firmware. Can you make a video on the topic and on why we should use IPsec remote access instead of SSL VPN?
@staticroute · a month ago
In this video we built SSL VPN and used Active Directory to authenticate the remote users instead of creating local accounts on the firewall.
@GurpinderSingh3 · a month ago
39:54 How is it possible that you have a duplicate route on SD-WAN and non-SD-WAN interfaces? You should have deleted the routes to tun1 and tun2 before you created the route for SD-WAN.
@staticroute · a month ago
Hey friend, apart from the fact that your overlay technologies will always require the underlay to have valid routes to the destinations, in SD-WAN a member that does not have a valid route to the destination will be ignored by SD-WAN. As it happens, I think it's time to review and do a new video on the topic; I'll drop you a message to let you know when it's ready.
@GurpinderSingh3 · a month ago
If we have configured 2 IPsec SD-WAN tunnels, how do we set up tunnel monitoring?
@staticroute · a month ago
Hi there, excellent question, thank you... check this out: docs.fortinet.com/document/fortigate/7.4.0/new-features/670140/multiple-interface-monitoring-for-ipsec-7-4-1
@GurpinderSingh3 · a month ago
@staticroute Thanks 🙌
@activelearner9924 · a month ago
Hey, can I use this cloud-based firewall to protect my home ISP router and monitor that traffic?
@staticroute · a month ago
Short answer... for home use you're better off with a free enterprise-grade firewall that stays up-to-date with threat prevention, antimalware, etc., like Sophos XG; check that out...
@soorajrajendran7128 · a month ago
The best video I have ever seen.
@staticroute · a month ago
Thank you very much...
@AhmadSwailem · a month ago
This is very interesting and helpful, thank you for sharing! Keep up the good work.
@staticroute · a month ago
Thank you, there are certainly more videos coming up in the near future!!
@joyantadebnath2797 · 2 months ago
Where did you get those licences?
@staticroute · 2 months ago
It's really hard to work with FortiGates because of licensing limitations; I don't have licenses either. The images work for a short time, then they stop working for no reason 😃
@Dream24024 · 2 months ago
Do I need port forwarding for this configuration, or can it work without? Because we are behind NAT at each site.
@staticroute · 2 months ago
You should try with just NAT traversal and use outside addresses; I think port forwarding might break your VPN.
@jcmoscosop · 2 months ago
Great video! Now, could you make a lab on a secure redundant topology using BGP over IPsec VPN tunnels?
@staticroute · a month ago
Thank you... and yes, I'm certainly planning on it, plus there are several ways to achieve that. I will be putting together a lab in the near future on this topic.
@juan5392 · 2 months ago
Please, make more videos! Your explanations are very good 😭
@staticroute · 2 months ago
@juan5392 Most certainly..! Thank you.
@danielcampbell6059 · 2 months ago
Can you explain the purpose of creating the user and group on the HUB, if it's not entered anywhere on the spoke routers?
@staticroute · 2 months ago
This config is not as straightforward as one would hope, but the spokes do use their hostname/local-id as the username and the PSK as the password. It's not a simple username|password combination.. check it here: docs.fortinet.com/document/fortigate/7.4.4/administration-guide/6896/fortigate-as-dialup-client
@doom986 · 2 months ago
Great video, and it helped me a lot setting things up. Question: can you do this but with BGP on a loopback interface, so there would be no need to configure the tunnel interface? Some Fortinet guides seem to suggest using loopback interfaces..?
@staticroute · 2 months ago
That should be possible; when you enter the "config neighbour" BGP hierarchy, you are able to specify an interface to associate with BGP as well as the update source. I haven't done this type of deployment myself and I won't be able to lab it up anytime soon because I deleted this lab... annoying Fortinet license expiry issue. Please give it a shot and let me know...
@doom986 · 2 months ago
Yeah, I think I'll try to lab it at some point. Maybe it's more for larger networks/MSSPs and not really an issue for us. I was just thinking that since I'm doing a greenfield ADVPN/BGP setup, it would be better to do it with loopback from the start and make it more future-proof. Also I was looking at the 7.4 docs and there are some new features like active dynamic BGP neighbor triggered by ADVPN shortcut. I hope you can do more videos in the future👍👍
@npham1198 · 2 months ago
Wouldn't this prevent IPsec from being offloaded on anything less than a 400F?
@staticroute · 2 months ago
To my knowledge any FortiGate with a hardware acceleration chipset can offload IPsec unless disabled. ADVPN just has an additional extension and should still offload to NPx…
@staticroute · 2 months ago
Maybe someone knows more about this and can show us with 300x hardware…
@Rejo-ni3hz · 3 months ago
@staticroute Can you do DLP policy and ACME certificate policy?
@rjnasr8078 · 3 months ago
Hey.. upgrading to EVE-NG.. nice to see.
@staticroute · 3 months ago
@rjnasr8078 😬 hey bro, to be honest, I'm not yet loyal to either one of them, but I want to give EVE a chance for a while…
@rjnasr8078 · 3 months ago
@staticroute I had a lot of issues with GNS3 and it was very time-consuming. So far EVE-NG seems to be smoother.
@staticroute · 2 months ago
I noticed the same thing, both on EVE and GNS3; in my case configs that work one moment stop working for no reason. Turns out it was related to device license status: if it turns to 'invalid', then all hell breaks loose… be on the lookout for that.
@rjnasr8078 · a month ago
@staticroute I thought I sent out a response to this ages ago. Yes, I also had some weird stuff happening and had to start from scratch. Hope you're well.
@staticroute · 3 months ago
ADVPN is an enhancement to dialup VPNs that allows spoke-to-spoke VPNs to dynamically form on demand, therefore virtually achieving a full-mesh VPN with just a single IPsec VPN configuration. The auto-discovery packets exchanged between sender (Hub) and receiver (Spokes) make this possible through shortcut messages! The biggest advantage is simplified routing: whether you choose to use BGP or OSPF, the config remains relatively simple! Enjoy!
@swissactiontv5128 · 3 months ago
I have a similar situation, but I have the problem that with 2 peers only one stays online and the second is disconnected; if the other shows activity the active peer changes, like only one peer can stay online?
@staticroute · 3 months ago
Hey there, you're probably looking for something like ADVPN; I'm uploading a video on that very topic right now, should publish in a few hours. ADVPN improves on dialup VPNs by enabling spokes to make on-demand connections to each other, therefore literally achieving "full-mesh". In the video, I set up BGP with the Hub as route reflector; in the case of OSPF, the config is a tiny bit different... please check it out, I'd be interested to know if it's what you're looking for.
@swissactiontv5128 · 2 months ago
@staticroute Finally I could fix it, no ADVPN needed. Well, on the HUB the Phase 2 selectors are Local and Remote 0.0.0.0 0.0.0.0, and I had to delete the static routes toward the branches, because only if the interface name in the route has "_0" or "_1" etc. does it know which tunnel the traffic needs to go to; if there is a static route on the Hub toward the branches, the interface in the route doesn't have "_0" in it, so it can't know which peer it should take. On the branches, the Phase 2 selector is local the local subnets and remote is also just 0.0.0.0 0.0.0.0, because Fortinet can handle that.
@esmatullahjalali3474 · 3 months ago
Thanks for the video. It is very helpful. I would appreciate it if you could upload a video on how we can deploy FortiGate in HA mode and with a load balancer, because the deployment is a little bit tricky.
@staticroute · 3 months ago
I will certainly look into it shortly... thank you..
@LorenzoLukas-s7z · 3 months ago
Could you clarify why weight is not scalable? Great vid btw!
@staticroute · 3 months ago
Hey Lorenzo, the big idea with this lab was eBGP; weight doesn't get exported out to eBGP peers, it doesn't even get exported to local peers within the AS because it's locally significant to the router, unlike LocalPref, which can at least propagate within the AS. I'm actually going to post a follow-up video on BGP soon based on a lot of interest I'm seeing on this topic... I hope I've answered you..?
@LorenzoLukas-s7z · 3 months ago
@staticroute You definitely have, thank you - looking forward to that next video!
@ryancheungkkable · 3 months ago
Will use it in our production environment soon
@funmemes5915 · 3 months ago
This is the greatest tutorial for BGP configuration on KZbin. Sound and clear. Thanks for your time and effort.. Cheers!!!!
@sandunsulochana3671 · 3 months ago
Superb.
@staticroute · 3 months ago
Thank you
@thiagoferreira05 · 3 months ago
Sorry to bother you, but I can't understand, in the beginning, the way the loopback interface flows data; how was it possible?
@staticroute · 3 months ago
I think of the loopback interface the same as a VLAN interface; they're both logical interfaces.
@staticroute · 3 months ago
Hey Thiago, were you satisfied with the answer?
@ahmednabil2641 · a month ago
@staticroute He meant how it's pingable with a private IP address; have you configured a VIP for the loopback interface to be reachable!!
@eoghancullen · 3 months ago
Thanks man. Appreciate all your work; I find the background music distracting though.
@staticroute · 3 months ago
Hey, just curious and always looking to improve things: do you mean the background music volume is too high, or would you prefer no background music altogether?
@eoghancullen · 3 months ago
@staticroute It seems particularly high in this video, but I'd prefer none at all.
@SelvaKumar-rl5wn · 3 months ago
Better please proceed without background music.
@staticroute · 3 months ago
IPsec VPN over a loopback interface is an increasingly popular deployment because of its many benefits, including the ability to control preferred primary and secondary paths leveraging the link monitor config for dynamic failover... this improves the reliability and stability of VPN tunnels significantly!!
@imranxkamal5522 · 3 months ago
Please lower the background music
@staticroute · 3 months ago
Thank you very much, noted; yours is one of 2 comments about the background music, I appreciate it 👍🏼
@imranxkamal5522 · 3 months ago
Apologies, I should have started with how good your tutorials are: very easy to understand and quite professionally edited. I'd appreciate it if you did a video on advanced BGP scenarios with route tags, route targets, and how to use communities to accept routes and, based on community, route to a specific peer.
@SelvaKumar-rl5wn · 3 months ago
Thanks for the video. I have one doubt here. What's the difference between link monitor and SD-WAN? I hope SD-WAN also does link failure based on jitter and packet loss. I am not much aware; if you clarify, it will be good for my understanding.
@staticroute · 3 months ago
You're 100% right, SD-WAN does its own link monitoring and I hope to cover that in a later video.
@SelvaKumar-rl5wn · 3 months ago
@staticroute Thank you
@Rejo-ni3hz · 3 months ago
Please create one sir @staticroute
@staticroute · 3 months ago
Fortinet's implementation of IP SLA is really awesome; I'm interested to know how popular this is in your deployments, please put a comment and let us know if you are keen to use it if you aren't already...
@pouyasaberi3359 · 3 months ago
Thanks. You have explained it so simply.
@phutapongsuanyim · 3 months ago
I very much like how you teach; the content is hard but you make it look easier, and your accent is clear to understand for Asian people who don't know so much vocabulary, like me. Thank you❤
@staticroute · 3 months ago
Thank you very much 😀🤟
@phutapongsuanyim · 3 months ago
Is that ID with the strange number from the local-in policy?
@staticroute · 3 months ago
Yes it is, it turns out that's how it works and I suppose it does make sense.
@rjnasr8078 · 3 months ago
Can you use this as a backup to a static IPsec VPN?
@staticroute · 3 months ago
Yes absolutely..
@julespatrick2125 · 4 months ago
Thanks very much for the video. Very useful as I'm starting to work on the FortiGate. What's the next video, please?
@jayanvv-oi8hp · 4 months ago
Please do a video about packet flow on FortiGate.
@staticroute · 4 months ago
I'm probably doing that one next..
@MrSatadal · 4 months ago
Awesome
@thiagoferreira05 · 4 months ago
Hey man, very nice to share with us, but I saw you created a user and group for the authentication proposal on the Hub, and I can't see you use it for ftg2 and 3; how does it work and why don't you set it on the remote FTG?
@thiagoferreira05 · 4 months ago
@staticroute
@staticroute · 4 months ago
Remote firewalls present their "local-id", which we set to ftg02 and ftg03 on each site, plus the PSK. FTG01 will be expecting these specific Peer-IDs, so they have to match. FTG01 is like a domain controller with user accounts, etc., and local-id is like the username, the PSK being the password. It works in the same way with certificates.
@thiagoferreira05 · 4 months ago
@staticroute OK buddy, now I get it, it all makes sense right now for me, thank you so much.
@rjnasr8078 · 4 months ago
Nice job, you must have read my mind!.. I was about to ask you about this. I was wondering whether the dynamic IP addresses used as VTIs for BGP at the spoke will change every time you reload?
@staticroute · 4 months ago
Ah man, I'm so happy this has been of value, let's keep at it…
@rjnasr8078 · 4 months ago
OK so the VTIs always stay the same when you reload.. Is that correct?..
@staticroute · 4 months ago
That's a critical point you're raising, and the simple way to address that, I think, would be with the following config update on the DC FortiGate:

    config router bgp
        set as 100
        set router-id 1.1.1.1
        set recursive-next-hop enable
        config neighbor-group
            edit "remote-fw"
                set remote-as 100
            next
        end
        config neighbor-range
            edit 1
                set prefix 172.16.100.0 255.255.255.0    -----> define the range as the VTI address scope, you can make this smaller if you need to.
                set max-neighbor-num 2                   ----------> also this should probably match the number of peers you expect should peer with your DC FW.
                set neighbor-group "remote-fw"
            next
        end
    end
@staticroute · 4 months ago
There's a similar config here: community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127
@rjnasr8078 · 4 months ago
Thanks, could you please explain the neighbor-group and neighbor-range configs? So if I defined the phase1 range as

    set ipv4-start-ip 10.215.1.1
    set ipv4-end-ip 10.215.1.250
    set ipv4-netmask 255.255.255.0

and then defined the prefix as

    set prefix 10.215.1.0 255.255.255.0

does that mean the hub will set up a BGP neighbor for each IP address it's allocated for the spokes? Is there a way to control which IP address is allocated for which spoke and keep it that way? I'm trying to make sense of the below config; I can add the max-neighbor command.

    config router bgp
        set as 65410
        set router-id 10.20.41.1
        set ibgp-multipath enable
        config neighbor-group
            edit "SPOKE_ISP_1"
                set interface "TUN_INET_ISP1"
                set remote-as 65400
                set update-source "TUN_INET_ISP1"
                set route-reflector-client enable
            next
            edit "SPOKE_ISP_2"
                set interface "TUN_INET_ISP2"
                set remote-as 65410
                set update-source "TUN_INET_ISP2"
                set route-reflector-client enable
            next
        end
        config neighbor-range
            edit 1
                set prefix 10.215.1.0 255.255.255.0
                set neighbor-group "SPOKE_ISP_1"
            next
            edit 2
                set prefix 10.215.1.0 255.255.255.0
                set neighbor-group "SPOKE_ISP_2"
            next
        end
    end
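As an added example (not code from the video or from either commenter), here is a small Python sanity check for hub configs like the two posted above: it parses the FortiOS config/edit/set/next/end layout and reports, per neighbor-range, whether the spoke mode-config pool (ipv4-start-ip to ipv4-end-ip) is covered by the prefix and whether max-neighbor-num can actually admit that many peers, so the hub neither rejects legitimate spokes nor accepts more dynamic peers than intended. The sample stanza and pool values are constructed for illustration; treating an unset max-neighbor-num as unlimited is an assumption.

```python
import ipaddress
import shlex

# Constructed sample of a hub BGP stanza in the style of the thread (illustrative values).
HUB_BGP = """
config router bgp
    set as 65410
    set router-id 10.20.41.1
    config neighbor-group
        edit "SPOKE_ISP_1"
            set remote-as 65410
            set update-source "TUN_INET_ISP1"
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.215.1.0 255.255.255.0
            set max-neighbor-num 2
            set neighbor-group "SPOKE_ISP_1"
        next
    end
end
"""


def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end text into nested dicts.
    'config X' and 'edit Y' open a child dict, 'set k v...' stores the
    value list, and 'next'/'end' step back to the parent scope."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles the quoted names FortiOS emits
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end") and stack:
            cur = stack.pop()
    return root


def check_neighbor_ranges(cfg, pool_start, pool_end):
    """For each neighbor-range, report whether the spoke mode-config pool lies
    inside its prefix and whether max-neighbor-num admits every pool address
    (0 or unset is treated as unlimited; assumption about the default)."""
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    pool_size = int(last) - int(first) + 1
    findings = {}
    for rid, entry in cfg["router bgp"]["neighbor-range"].items():
        net = ipaddress.ip_network("/".join(entry["prefix"]), strict=False)
        limit = int(entry.get("max-neighbor-num", ["0"])[0])
        findings[rid] = {
            "covers_pool": first in net and last in net,
            "max_neighbor_ok": limit == 0 or limit >= pool_size,
            "pool_size": pool_size,
        }
    return findings
```

Run `check_neighbor_ranges(parse_fortios(HUB_BGP), "10.215.1.1", "10.215.1.250")` and the sample reports the /24 prefix covers the 250-address pool but max-neighbor-num 2 would cap dynamic peers well below it.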
@jayanvv-oi8hp · 4 months ago
Could you please share packet flow in the FortiGate firewall?
@staticroute · 4 months ago
Yea, I'm definitely doing a video on that soon…
@staticroute · 4 months ago
This has been a definite learning experience for me making this video.... again 😀 I want to thank @oinkersable for spotting an issue with the video... which is now rectified... The video covers:
1. Basic Dialup VPN
2. How to use Mode-config (DHCP for tunnel interfaces)
3. Basic FortiGate tests and verifications
4. BGP!
Enjoy!
@MrSatadal · 4 months ago
Thank you
@staticroute · 4 months ago
@MrSatadal For sure! I'm particularly interested to hear your thoughts about this config 😀
@dineshkomakula3001 · 4 months ago
AWS cloud networking
@staticroute · 4 months ago
If you'd like to quiz yourself on this topic, check it out here: courses.staticroute.io
@staticroute · 4 months ago
Inter-VLAN routing lab; this config is useful when you need to aggregate switch ports, which is almost always recommended! Enjoy, and as always, I'm happy to hear your thoughts!
@MrSatadal · 4 months ago
In FGT 01, where do I define the dialup client tunnel IP range?
@staticroute · 4 months ago
In our example, we don't require the use of routing protocols, so the tunnel interface doesn't need an IP address.
@MrSatadal · 4 months ago
@staticroute Can you please make a video of dialup IPsec with BGP? If you already have the video, please share the link.
@staticroute · 4 months ago
I'm publishing that video today, thank you for the suggestion..
@staticroute · 4 months ago
FortiGate BGP over a Dialup VPN Site-to-Site Configuration: kzbin.info/www/bejne/Y6HSo4iZeL-brqc
@staticroute · 4 months ago
I hope this is what you were looking for, let me know..
@hamada99457 · 4 months ago
Your video is really helpful. We want more videos on troubleshooting, thank you.
@staticroute · 4 months ago
Sure thing! I have a plan for more videos on the topic.
@AnandNarine · 4 months ago
Great videos. Can you please do a "Life of a Packet" video?
@staticroute · 4 months ago
Hey Anand, yes certainly, that is in fact part of an upcoming "Networking Fundamentals" series; I estimate I will only begin working on it near the end of the year...
@AnandNarine · 4 months ago
From the FortiGate packet flow perspective: DNAT, then route lookup, then SNAT order, and where the session table fits in that. Thank you
@staticroute · 4 months ago
@AnandNarine I'm so glad, you're quite right… about the order, and I found this document to support your statement: docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading The session table is part of stage 3, stateful inspection and session management, after traffic is forwarded and the 3-way handshake is complete and the session established… Thank you for a great question… I had to double-check it before answering 😅
@AnandNarine · 4 months ago
Do you know if a policy lookup needs to be done to allow new traffic before it gets entered into the session table?
@staticroute · 4 months ago
@AnandNarine Yes, correct, otherwise you won't see that traffic in the session table.