afroman_says 3 points

Hey /u/hamlen4,

I think you have a couple options:

  1. You can leave the APs configured for DHCP but assign DHCP reservations on the FGT. That way, if the APs ever rebooted, they would be guaranteed to get the same IP you reserved for them on the FGT.

  2. Not sure if you have a FortiAnalyzer or a syslog server, but you could look for the "ap-leave" (or "ap-fail") action from those logs. I have not been able to confirm this but I'm pretty sure that log will tell you if the AP is no longer communicating with the FortiGate.

Edit: Confirmed the logs.

hamlen4 1 point

I do have a FortiAnalyzer and I'm probably vastly under-utilizing it! I will investigate, thank you for the quick response!

afroman_says 2 points

No problem. Look into creating an event monitor. What you are looking to do should be pretty straightforward to accomplish.

Ping back if you have questions.

hamlen4 1 point

I was finally able to set some time aside today to work on this. Works great, thanks again!

p00pdex 2 points

Maybe check with TAC?

hamlen4 1 point

Currently waiting for this system to be added to our Cisco account so I can do just that. I cross-posted this in the VoIP subreddit and it looks like I've received a good workaround: "You can use "Authy" which is on both iOS & Android. Authy is a secure 2FA app that has all the capabilities of Google Authenticator and more. You can have the same Authy account on multiple devices all in sync." Initial tests look promising.

chasingpackets 2 points

You can use "Authy" which is on both iOS & Android. Authy is a secure 2FA app that has all the capabilities of Google Authenticator and more. You can have the same Authy account on multiple devices all in sync.

hamlen4 2 points

Authy for the win! I just set this up on two of my own devices and it worked great! I don't see any reason why it won't work on my coworker's device as well. THANK YOU!

kqua 2 points

Thanks for the info, that all makes sense. Looks like one of the limitations of the BE4K platform. I don't have any suggestions for how to get around it; based on the link below, Cisco acknowledges only one portal admin per site.

hamlen4 2 points

Thanks! I may have come up with a workaround. I mentioned that this requires two-factor authentication. I'm pulling this off with Google Authenticator on my phone. This is also new to me. Looks like there is a PC version. If I put this on a shared office PC then we would both be able to generate a code whenever needed.

Both of us will be in and out of this BE4K quite often over the next couple of weeks as we get familiar with it. Sharing a code that can only be generated on my phone will get old fast.

This is all theory, need to test it out.

greenonetwo 3 points

93 years old means she was born around 1925. So she should appear on the 1930 and 1940 census. If you look at the census image you can see the county and district that they lived in. Sometimes you can see the street or city, or if it is rural, the nearest post office. At least you will be able to get the county that they were living in for the 1930 census. It is possible that they moved after her birth but it is also quite possible that they did not. If you can find the family in the 1920 census and determine that they are in the same place then most likely she was born wherever the 1930 census has them living. Then you need to google for the county and do the work to obtain a birth certificate from that county.

hamlen4 1 point

Thanks for the response. So here's the problem... they always lived in MA. Never NH. It sounds like they were on a road trip to NH and she was born then. This is all new to my grandmother so she was taking it with a grain of salt. However, the 1930 census for the MA county in which they lived confirms that she was born in NH. It strictly says "New Hampshire" under the place of birth column. But that's about all the info I have.

Scube909 2 points

Upgrading to what?

hamlen4 1 point

A new Exchange 2013 server.

Scube909 1 point

Why 2013? Curious...

hamlen4 1 point

I believe it was something to do with money. To be honest, I don't handle the Exchange side of the house. I'm in charge of maintaining the FortiMail. I'm still pushing Fortinet for answers, but I thought I'd throw the question out here as well.

By the time we are on Exchange 2013 it won't be long before it is end of life as well!

tauzeta 1 point

That takes about a minute. If you want to sell again, it won’t take much effort.

hamlen4 1 point

Same boat. I agree that it wouldn't take much effort to create a new email address in order to start selling again, but it's still a ridiculous request. I've had the same primary email address for 15 years. I use it for everything. My account was closed due to inactivity. Just re-enable it!!

hamlen4 1 point

After much trial and error by support, I finally got the right command:

#config vpn ssl settings
#set login-timeout 180

The default is 30. Max is 180.

pabechan 2 points

Pretty sure those timers are irrelevant if you're using your own 2FA system.
What about increasing remoteauthtimeout in config sys global?

hamlen4 1 point

I will investigate and let you know. Thanks!

eyre 3 points

So you have a static username that is not variable that you want all iPads with this configuration to use? I have not done this with a WiFi config, but I HAVE done it with other account types in MobileIron. If it lets you, try using $NULL$ in conjunction with the static username/password.

So it would be...

Username: actualusername$NULL$
Password: actualpassword$NULL$

Edit: Sorry didn't see your note on the password part.

Try something like this:

hamlen4 2 points

Yes, static username and password. I was not anticipating any of these variable requirements. I was expecting a blank text field for both in which I could type whatever I wanted.

I never would have thought to try what you suggested. I will give it a shot as soon as they are done setting up the wifi on their end. Thanks for the quick response!

eyre 3 points

See my edit, I added a screen shot that might help if you didn't see it already.

hamlen4 2 points

I finally got a chance to try this today, worked like a champ. Thanks again!

EnableNTLMv2 2 points

You can collapse all by right clicking any of the section tabs. I found this out by accident. I agree that it is annoying having all the sections open.

hamlen4 1 point

Genius! Never tried that before, thank you!

heygazeebo 2 points

I am running 5.6.3 on one set of FortiGates and 5.4 on another set. I spoke with TAC about this while reviewing a different problem and was told it would be fixed in 5.4.8 (which it was). I asked about the 5.6 branch and he said he thought 5.6.4 but that he wasn't positive on that one.

hamlen4 1 point

I'll open a quick ticket with them as well. Thanks!

hamlen4 6 points

I've had similar problems and I resolved it by telling the FortiGate to use a different source IP for its connection to the analyzer. Maybe your 80CM is using its WAN IP for this connection and the FAZ doesn't know how to route to that IP? To change this:

config log fortianalyzer setting
set source-ip "X.X.X.X" <---- I'd try putting the LAN IP of your FortiGate here

Jayteezer 2 points

Confirmed on the additional false positives - lasted a day here :)

hamlen4 1 point

Thanks, I do believe I had this set a while back and did get a bunch of false positives. Never-ending battle of either allowing too much or blocking too much. I think I'm in good shape for right now.

hamlen4 3 points

Update: I tested the dictionary entry above and it appears to be working. We're good until someone who legitimately has the same name as our CEO starts emailing us. If this happens his emails will be dropped. Oh well!

hamlen4 3 points

This sounds like something that I've done a few times recently. From my experience:
1) Create the VPN tunnel as interface based as opposed to policy based. This will create a new tunnel interface under your physical interface.
2) Create two addresses for your host. One under the VIP section and one under the standard section which will just be the real IP of your host. When you create the VIP assign it to the newly created tunnel interface.
3) Create a firewall policy from your inside network to the tunnel interface. Use the real address for your inside address. Enable NAT on this policy.
4) Create a firewall policy from your tunnel interface to your inside network. This policy will utilize the VIP. No need to enable NAT on this policy, the VIP takes care of it.

Hope this helps.
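As an added illustration (not from the comment above, and not Fortinet's documentation), here is how steps 2 to 4 look in FortiOS CLI. It assumes the interface-based tunnel from step 1 is already named "vpn-tunnel1", the inside interface is "internal", the host's real address is 192.168.1.50 and the address the peer should reach it on through the tunnel is 10.10.10.5; all names and addresses are constructed.

```text
# Step 2a: the host's real address, used by the outbound policy
config firewall address
    edit "host-real"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# Step 2b: VIP bound to the tunnel interface, mapping the tunnel-side
# address 10.10.10.5 to the real host 192.168.1.50
config firewall vip
    edit "host-vip"
        set extintf "vpn-tunnel1"
        set extip 10.10.10.5
        set mappedip "192.168.1.50"
    next
end

config firewall policy
    # Step 3: inside -> tunnel, source NAT enabled
    edit 0
        set name "inside-to-tunnel"
        set srcintf "internal"
        set dstintf "vpn-tunnel1"
        set srcaddr "host-real"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Step 4: tunnel -> inside, destination is the VIP; no NAT needed,
    # the VIP performs the translation
    edit 0
        set name "tunnel-to-inside"
        set srcintf "vpn-tunnel1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "host-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

With NAT enabled and no IP pool, step 3 translates the source to the tunnel interface's own address, so the tunnel interface needs an IP the peer can route back to; narrow "all" in srcaddr/dstaddr and "ALL" in service to what the peer actually needs.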

hamlen4 1 point

Thanks for the feedback everyone. It's been a while since I've tested, but I believe one problem I always had was DNS. I had to hit everything by IP as the VPN wasn't providing DNS. This test was done with the FortiClient, not the built-in iOS VPN.

I honestly didn't spend much time on this part of it, just curious what everyone else is doing.

ModularPersona 4 points

Looks like your NAT exemption should be configured at a lower priority number so that it sits above the dynamic interface NAT.

nat (inside,outside) 1 source static .......

hamlen4 2 points

You are exactly correct. I accidentally discovered this when I was troubleshooting earlier. I just came on here to view responses and provide an update. As soon as I reversed the order of those two NAT statements everything worked. Thank you!

lolklolk 2 points

You could just edit the OP

hamlen4 2 points

Done, thank you. reddit newb.

pabechan 6 points

You can also check from GUI: Security Profiles > Web rating overrides > Create new > put in the URL and press "lookup rating".

hamlen4 2 points

This is the method I typically use and it is working for me today. I tried doing a lookup directly from the FortiGuard website and can confirm that I am also seeing issues.

