Thanks 👍

Great suggestion! ill add that to the list!

Glad you liked it! What else would you like to see?

@@FortiBytes I really like the NAC one - people (me included) get confused about When to use FortiAuthenticator, and when to sell FortiNAC (Pros and Cons) main use case is LAN/WLAN 802.1x and the handling of guests. Fortiswitches are looking good, but most customers have Hardware already there they'd like to leverage. Sidenode: Does it make sense to you (recent CVE's etc) that you'd seperate the SSLVPN Interface on its own vdom ? - Heard something about that on Reddit

I’ll have a NAC-F (FortiOS) version video soon I’m just waiting on some new switches to make it more vendor neutral. In terms of ssl vpn on a separate vdom that’s not something I have seen in production but it does sound interesting. I have seen virtual IPs being used to point towards a loopback interface for ssl vpn that way more granular firewall policy’s can be applied and ztna tags. I think consultants and customers are trying to find ways of limiting making gates publicly accessible basically it’s impossible to achieve when you have remote vpn users but the above method certainly helps! + it’s another Forticlient/EMS sale!

Yes in most cases each customer would be a assigned a IP or IP Block and then on the FortiGate a "IP Pool" is assigned to ensure each customer NAT's out of a specfic IP range (So they are identifiable) The buisness model can be exactly as you described its purely due to scale instead of having thousands of smaller FortiGates why not have a "couple" of larger ones and just split the devices out like pieces of cakes, licencing costs are also per box also. Its also quite common for the customer to have have no "on-prem" firewall at all they are offten linked up to the larger devices via routing (VPLS/MPLS). Another + is because each "customer" has there own VDOM so moving them around the shared platform to potentially other FortiGate devices is relatively straight forward.

Yes I think that is a good topology. Keeps everything properly segmented from a routing and administration prospective. Just make sure you read up on inter vdom routing on a per model basis if I remembered correctly it’s not always hardware accelerated.

@@FortiBytes Oh that would be on a 3000f, I guess it will be hardware accelerated.

Lovely devices - docs.fortinet.com/document/fortigate/7.4.1/hardware-acceleration/851990/configuring-inter-vdom-link-acceleration-with-np6-processors

I'm afraid not! IoT comprises of devices such as refrigerators, cameras, and washing machines that are now internet-connected, frequently operating on Linux and posing potential security risks as attack vectors. On the other hand, OT, or Operational Technology, encompasses a broader spectrum, often involving production environments and critical infrastructure like power plants. Protecting OT is crucial, with the unique challenge that any disruption can halt a production line, incurring significant financial losses. The networking and communication dynamics in OT differ from those in IT. For instance, my experience involves extensive work in operational technology within manufacturing environments, such as car production or packaging plants. Traditionally, these devices operated offline, but there's a growing trend, encouraged by vendors, to connect them to networks. However, a significant drawback is their lack of robust security measures, often running outdated operating systems that are challenging to patch without causing downtime. Ill probally do a OT focused video and perhaps bring on some guests onto the channel.

@@FortiBytes Thank you!!! This is a nearly exact description of something I've been very concerned about and trying to solve for some time now!

If I can help let me know.

@@FortiBytes, much appreciated! Its more of a people & process change problem than a technical one.

ah layer 8 issue good luck!@@80211WiGuy