Video

To my knowledge any Fortigate with hardware acceleration chipset can offload IPSec unless disabled. ADVPN just has an additional extension and should still offload to NPx…

Maybe someone knows more about this and can show us with hardware 300x hardware…

@@rjnasr8078 😬 hey bro, to be honest, I’m not yet loyal to either one of them, but I want to give EVE a chance for a while…

@@staticroute I had a lot of issues with GNS3 and it was very time consuming. So far eve-ng seems to be smoother.

​​⁠I noticed the same thing but both on EVE and GNS3, in my case configs that works one moment stop working for no reason, turns out it was related to device license status, if it turns to ‘invalid’, then all hell breaks loose…be on the lookout for that

Hey there, you're probably looking for something like ADVPN, I'm uploading a video on that very topic right now, should publish in a few hours. ADVPN improves on Dialup VPNs by enabling spokes to make on-demand connections to each other therefore literally achieving "full-mesh". In the video, I setup BGP with Hub as route reflector, in the case of OSPF, the config is a tiny bit different...please check it out, I'd be interested to know if it's what you're looking for.

@@staticroute Finally i could fix it, no ADVPN needed. Well on the HUB, Phase2 Selectors is Local and Remote 0.0.0.0 0.0.0.0 and i had to delete static routes toward the branches, cause Only if the Interface Name in the routes is with "_0" or "_1" etc. it knows to which tunnel the traffic needs to go, if there is a static route on the Hub toward the branches the interface in the route not has "_0" in it, so it can`t know which peer it should take On the Branches, the Phase2 Selector is local the local Subnets and Remote is also just 0.0.0.0 0.0.0.0, cause Fortinet can handle that.

I will certainly look into it shortly...thank you ..

Hey Lorenzo, the big idea with this lab was eBGP, weight doesn't get exported out to eBGP peers, it doesn't even get exported to local peers within the AS because it's locally significant to the router. Unlike LocalPref, which can atleast propagate within the AS. I'm actually going to post a follow up video on BGP soon based on a lot of interest I'm seeing on this topic...I hope I've answered you..?

@@staticroute You definitely have, thank you - looking forward to that next video!

Thank you

I think of the loopback interface the same as VLAN interface,they’re both logical interfaces

Hey Thiago, were you satisfied with the answer?

Hey, just curious and looking to improve things always, do you mean the background music volume is too high or you’d prefer no background music altogether?

@@staticroute seems particularly high in this video but I'd prefer none at all.

Better pls proceed without background music

Thank you very much, noted, yours is one of 2 comments about the background music, I appreciate it 👍🏼

Apologies, I should have started how good your tutorials are, very easy to understand and quite professionally edited. I'd appreciate if you do a video on advance BGP scenarios with route tags, route target, and how to use communities to accept routes and based on community route to specific peer

you're 100% right SDWAN does it's own link monitoring and I hope to cover that in later video

@@staticroute Thank you

please create one sir ​@@staticroute

Thank you very much 😀🤟

Yes it is, it turns out that’s how it works and I suppose it does make sense

Yes absolutely..

I’m probably doing that one next..

@staticroute

remote firewalls present their "local-id", which we set to ftg02 and ftg03 on each site plus the psk. FTG01 will be expecting these specific Peer-IDs so they have to match. FTG01 is like domain controller with user accounts, etc, and local-id is like username, psk being the password. it works in the same way with certificates

@@staticroute ok budy, now i got it, make all sense right now for me, thank you so much

Ah man I’m so happy this has been of value, let’s keep at it…

ok so the VTI's stay the same always when you reload .. Is that correct? ..

That's a critical point you're raising and the simple way to address that I think would be with the following config update on the DC fortigate: config router bgp set as 100 set router-id 1.1.1.1 set recursive-next-hop enable config neighbor-group edit "remote-fw" set remote-as 100 next end config neighbor-range edit 1 set prefix 172.16.100.0 255.255.255.0 ----->define the range as the VTI address scope, you can make this smaller if you need to. set max-neighbor-num 2 ----------> also this should probably match the number of peers you expect should peer with your DC FW. set neighbor-group "remote-fw" next end

There's a similar config here: community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127

Thanks, could you please explain the neighbor-group and neighbor range configs? So if I defined the phase1 range as set ipv4-start-ip 10.215.1.1 set ipv4-end-ip 10.215.1.250 set ipv4-netmask 255.255.255.0 and then defined the prefix as set prefix 10.215.1.0 255.255.255.0 Does that mean the hub will setup a bgp neighbor for each ip it address it's allocated for the spokes ? Is there a way to control which ip address is allocated for which spoke and keep it that way. I'm trying to make sense of the below config, I can add the max-neighbor command . config router bgp set as 65410 set router-id 10.20.41.1 set ibgp-multipath enable config neighbor-group edit "SPOKE_ISP_1" set interface "TUN_INET_ISP1" set remote-as 65400 set update-source "TUN_INET_ISP1" set route-reflector-client enable next edit "SPOKE_ISP_2" set interface "TUN_INET_ISP2" set remote-as 65410 set update-source "TUN_INET_ISP2" set route-reflector-client enable next end config neighbor-range edit 1 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_1" next edit 2 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_2" next end

Yea I’m definitely doing a video on that soon…

Thank you

@@MrSatadal for sure! I'm particularly interested to hear your thoughts about this config 😀

In our example, we don’t require the use of routing protocols, so the tunnel interface doesn’t need an ip address.

@@staticroute can you please make a video of dial UP ipsec with BGP? If already have the video please share link.

I’m publishing that video today, thank you for the suggestion..

Fortigate BGP over a Dialup VPN Site-to-Site Configuration czcams.com/video/-porUcCZhxE/video.html

I hope this is what you were looking for, let me know..

Sure thing! I have a plan for more videos on the topic

hey Anand, yes certainly, that is in fact part of an upcoming "Networking Fundamentals" series, I estimate I will only begin working on it near the end of the year...

From the fortigate packet flow perspective - dnat then to route lookup to snat order and where the session table fits in that. Thank u

@@AnandNarineI’m so glad you’re quiet right… about the order and I found this document to support your statement: docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading Session table is part of stage 3 - stateful inspection and session management, after traffic is forwarded and a 3-way handshake is complete and session established… Thank you for a great question…I had to double check it before answering 😅

Do u know if a policy lookup needs to be done to allow new traffic Before it gets entered into the session table?

@@AnandNarine yes correct, otherwise you won’t see that traffic in session table

Hi Anand It's Version 7.0.15

Glad it was helpful!

Hi @mrmendes4ever, I assume you have NAT-T enabled on the StrongSwan as well? From Fortigate try to run the following and observe output: 1. get vpn ipsec tunnel summary we are interested in status: selectors(total,up).. 2. diagnose sniffer packet any 'host x.x.x.x' 4 we want to see bidirectional IKE exchange, be sure to use the public address of the StrongSwan. 3. diagnose vpn ike gateway list name "tunnel-name" or simply diagnose vpn ike gateway list if there's only 1 tunnel The idea is to see what status phase 1 tunnel is in: connecting or Established. Then we can take it from there..

Assuming the 2 devices are in fact correctly exchanging IKE and UDP/500 UDP/4500 and ESP are not blocked anywhere, try this to see what the peers are disagreeing on: - diagnose debug application ike -1 observe the output and hopefully this leads us to the root cause. Best of luck!

Thank you!

Thank you @Rejo-ni3hz, I try to be rooted in theory but apply practical application so that anyone can easily understand, I’m glad the content is achieving that…😀 thank you for being part of this community..

It’s part of the schedule, will definitely be doing that soon

@@staticroute awesome thanks.

I’m real happy this content is useful, I am working to create more….so more will be coming!

please do a full course on udemy

Hi Ahmed, thank you for being part of our community! about this command...I've seen it around but I have no experience personally using it...thanks for this..I'm going to check it out for sure :-D

I have two IPsec tunnel using two different ISP. I would like to manipulate the outgoing and incoming traffic through specific tunnel using BGP. Can you please provide the configuration ?

@@VishnuK-br7ee Hi Vishnu, This article may be useful: community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-modify-route-preference-using-Local/ta-p/305018 so for inbound traffic, the best way might just be to work with your ISP to edit the attributes on their end being advertised to you. Also keep in mind the default BGP behavior like this: community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932

@@staticroute IPsec tunnels between site to site not with ISP.

@@VishnuK-br7eehey Vishnu, try to please draw it and indicate clearly what you would like us to achieve…share on Google docs or Dropbox, etc I promise I’ll have a look

Hi Muhammad, thank you for tuning in and being part of our little community..to answer your question, I'm not yet ready for that but it is definately the plan.

Hi sis, thank you 🤣

This particular video is up for a redo, I definately plan to go deeper on SDWAN because there’s so much to it

You're very welcome!

Thank you for being part of our Static Route community…

I’m preparing more content as part of my re-certification journey and I’m happy its useful to you as well 🙏🏽