how do I point to the sso address in dns and point to the ssl-vpn portal

Will the NPS Extension for Azure MFA overtake the complete RADIUS-Server or how controll it?

They definitely didn’t know about that in Ironman . Great video thank you

Great video, thanks Matt. Was struggling a little to understand the topology of MCLAG and the split interface setting and this helped a lot. Cheers.

FYI - at 10:46, your Public IP is visible at the bottom of the "Your connections is not private" page

I see u enabling mc-lag via FortiSwitch CLI, but according to Fortinet documentation, they want us to do it this way: Assign the LLDP profile “default-auto-mclag-icl” to the ports that should form the MCLAG ICL in FortiSwitch unit 1. For example: FGT_Switch_Controller # config switch-controller managed-switch FGT_Switch_Controller (managed-switch) # edit FS1E48T419000051 FGT_Switch_Controller (FS1E48T419000051) # config ports FGT_Switch_Controller (ports) # edit port49 FGT_Switch_Controller (port49) # set lldp-profile default-auto-mclag-icl FGT_Switch_Controller (port49) # end FGT_Switch_Controller (FS1E48T419000051) # end I don’t know what is the difference, because in above example I don’t see them enabling mc-lag on a switch port which is connected to Fortigate. They only doing the ICL part, but not the fortilink part where the switch connects to the Fortigate. I am little confused here.

In environment where I have windows servers with 4 NIC teamed in one Team, and 2 of them are connected to first switch, and other 2 are connected to the second switch where switches are mclaged correctly, how mac tables should look like on both switches?

I have followed the process where but it is not working. Connecting stuck at 10% with vpn unreachable gateway

FYI, ya forgot to censor your public IP one time.

When is part 2 coming?

"Hello! Great video. I have a question: if you have multiple VPN connections, is it necessary to create a separate enterprise application for each IP address? Also, should I upload a different certificate for each one, depending on the VPN that the client chooses to connect with?

Let's go a new video! #first

Hi that was great video. But we are trying the same using Azure AD DS and configured Fortigate using ADDS Ldap. We need to configure same mfa using azure ad ds Please help

Thanks. How do you deny the bad IP addresses from reaching to SSL VPN?

Great vid. Question for authentication, do you have to use the authentication app or is there a way to setup user's to use calling or text as an option as well?

So as of now if someone wishes to roll out Fortigate SD-WAN with ZTP, template builds and the ability to monitor their Fortigate SDWAN overlay, what are the core components required? Obviously each site requires a Fortigate FW to act as an edge device. Do they also need Fortigate Orchestrator licensing to add Orchestrator functionality to Fortimanager? Do they require Fortianalyzer as an additional license to be accessed via Fortimanager?

there's something we aint seeing here. this configuration doesnt work as the SSL Loopback interface is unreachable even after doing the VIPs and fw policies. i went thru the community forum and folks pointed out this video too but ultimately is missing a few configurations

When will part 2 be ready? this is really interesting

Hey Matt, I've had a go at setting this up... It's working and I'm getting lots of hit on the FW policy. But no logs are showing up when I look for matching logs? Any ideas?

I think its better to first enable MCLAG ICL on both switches, and as second step enable MCLAG, then you wont lose your connection. Still very useful video!

Awesome video and super helpful. You can actually use external threat feeds with local-in policies. They can be used with a negate source option like any other address object.

We are looking at a full network refresh at my organization. I have many closets that are 3 or more traditional switch stacks. Each closet has redundant fiber to it running back to the data center. Like others have posted, how would I setup a closet with 6 switches in a FortiSwitch architecture. What about 7 switches?

Great video!

wow...very interesting, didn't know that and other features, thanks Matt! How you create your own CA certificate and install it on the FortiGate? Do you have any guides or videos for the EMS? I really like your content!

Nice work Matt, so you are keeping vpn establishment auth to un and cert based only but with limited access by fw policy until the user saml auths (captive portal?) and gets associated with a saml group that has more access?

Sweet!

Nicely done! looks very interesting.

I dont think you can have 4 switches in mclag, i am looking like crazy to find a solution for 4 switches

Great job Matt, nice to see it in action and for your other 2 vids on the subject. I had an SE tell me ipsec tunnels to connect to corp locations were not possible on SASE, which I couldn't accept as true :D , nice to know its not the case and is a usable solution. How do you find the speeds from the endpoints, was it 10Mb p/s per user bandwidth limitations on the basic SKU?

Hey Matt, aren't the security profiles on the vip policy useless? I mean the traffic is not inspected bei virtual server and is completely encrypted anyway, isn't it?

Thanks Matt, love your videos, learning from you a lot!🙏

Cheers Matt, any cpu performance concerns when using the virtual interface, does offloading still happen for loopbacks, sslvpn isnt offloadad afaik but in general like ipsec on a loopback?

Top tier as always! Thank you for the enlightening video!

Thanks Matt! learn a lot from you! please share more video of Fortinet solutions, Happy X-Mas!

Thanks, Matt!

Thanks, Matt! very interesting!

If like me you skipped ahead to the iphone part, it's worth noting that iPhone Shortcuts needs the SSL connection to be valid so certificate etc. required (using IP doesn't seem to work)

Awesome video, really helped out a lot. thank you!

Great video, ty very much Matt! please share more videos!

That's exactly what I was looking for this morning! No more texting folks to see if they've got a specific model of FortiGate to grab the default config from. One thing on this video, your audio level is really low so I had to crank the speakers.

Nice method of getting that config, thanks!

Thanks Matt!

Can you help me with this setup?

Great Video ! we were getting token codes before but since the implementation of 2MFA when I connected with forticlient for the first time it asked me for approval on MS authenticator but everytime after that it connects to Forti without any kind of approval because I am selecting check box"do not ask me for 30 days" unless I clear cookies from CMD .Though the script we have requires it to clear cookies automatically on every disconnct but this has not helped me with my user name specifically . any ideas on that ?

Great content, i would only suggest to increase the sound's volume!

Thank you very much! love your videos! learning a lot!

really interesting, ty very much!

Ignore the video, that just shows it working. The link is where the real instructions are.

Hi sir, I following the article, it work! Thanks a lot. But I need more help please. After that I tried OTP, NPS extension err code:Request_MISSING_CODE err msg: Request is missing OTP I didn't know what else I have to do.