THANK YOU! I spent 5 hours troubleshooting a site-to-site VPN between two Fortigates and had almost given up. The Phase 1 would come up but Phase 2 would not. I paused your video at the 9 minute mark when you suggested using IKE v2. My tunnel was on IKE v1 but I never considered this in my troubleshooting because I thought it was a Phase 1 setting. I switched the IKE version and everything came up! Now to watch the rest of your video :)
Can you please upload about the security basic configuration for fortinet devices? Something like the policy that all the router at least should be use. Thanks a lot for all your videos
Hiho, nice video, sad is Fortigate out of my budget. But you know what could be a "fun" video when you have this nice Lab anyways? Push OSPF to a different area over the IPSEC tunnel just because you can and it's fun. :D
very good video, Currently I have configured 2 IPsec between Fortigate, the tunnel is up but when I try to ping from Fortigate A to the LAN network on Fortigate B it can't. is this ping test mandatory from hosts under fortigate a?
Tell me as a professional what we should use fortigate for? I am a person who likes to do everything with mikrotik and I don't like UTMs. I want to know your opinion on this.
Hi Sohaib, from a professional stance FortiGate allows you to integrate firewall policy rules with user groups, besides being able to do stuff like UTM. You also have added security of MFA when it comes to accessing the network via a VPN. What makes FortiGate also very useful is the fact that you can create VDOMs and VRFs within VDOMs. In a nutshell a VDOM is just another instance of of the firewall so you can think of it as a virtual firewall running inside your actual firewall. This allows for great expansion especially in the ISP space where you may not want all policies to reside on a single plane. Last thing that makes it VERY good is true SD-WAN functionality when used with a FortiManager product as you can orchestrate SD-WAN configurations and policies from a single point separating the management plane from a single device. Which is a lot more scalable than traditional networking. MikroTik is an AWESOME router, but it does not do these functions a FortiGate firewall can do. I will still prefer using a MikroTik as my actual router though :) And if it comes to firewalling and SD-WAN then I will prefer putting down a FortiGate.
Yes it is possible to just setup encryption and routing for a single host as /32. You can also use natted addresses if that is some security requirement for your company. Usually done in instances with a subnet is potentially shared on both ends.
FortiGate IPSEC Docs:
docs.fortinet.com/document/fortigate/7.2.0/administration-guide/520377/ipsec-vpns
THANK YOU! I spent 5 hours troubleshooting a site-to-site VPN between two Fortigates and had almost given up. The Phase 1 would come up but Phase 2 would not. I paused your video at the 9 minute mark when you suggested using IKE v2. My tunnel was on IKE v1 but I never considered this in my troubleshooting because I thought it was a Phase 1 setting. I switched the IKE version and everything came up! Now to watch the rest of your video :)
Awesome! Can you do a video of how to create that diagram i think it pretty kool
Thank you...Very Informative!! Looking forward to watch more of your videos.. :)
Thanks mate. I have watched a couple videos and your explanation is better.
Many thanks - excellent video. 👏
Your amazing thank you for this!!!
Great video as always
thank you so much for helping, could you pleases show us how to config IPsec tunnel between cisco ASA and the FortiGate ,
Can you please upload about the security basic configuration for fortinet devices? Something like the policy that all the router at least should be use. Thanks a lot for all your videos
Hiho, nice video, sad is Fortigate out of my budget. But you know what could be a "fun" video when you have this nice Lab anyways? Push OSPF to a different area over the IPSEC tunnel just because you can and it's fun. :D
great video, thank you! can you please create one with setting ipsec tunnel between a FortiGate and mikrotik? thanks
very good video,
Currently I have configured 2 IPsec between Fortigate, the tunnel is up but when I try to ping from Fortigate A to the LAN network on Fortigate B it can't.
is this ping test mandatory from hosts under fortigate a?
Good Stuff.. pls let me know which open source software you used for network diagram..?
Thanks
what is meaning of minus one in command "diagnose debug app ike -1"
Tell me as a professional what we should use fortigate for? I am a person who likes to do everything with mikrotik and I don't like UTMs. I want to know your opinion on this.
Hi Sohaib, from a professional stance FortiGate allows you to integrate firewall policy rules with user groups, besides being able to do stuff like UTM. You also have added security of MFA when it comes to accessing the network via a VPN. What makes FortiGate also very useful is the fact that you can create VDOMs and VRFs within VDOMs. In a nutshell a VDOM is just another instance of of the firewall so you can think of it as a virtual firewall running inside your actual firewall. This allows for great expansion especially in the ISP space where you may not want all policies to reside on a single plane. Last thing that makes it VERY good is true SD-WAN functionality when used with a FortiManager product as you can orchestrate SD-WAN configurations and policies from a single point separating the management plane from a single device. Which is a lot more scalable than traditional networking. MikroTik is an AWESOME router, but it does not do these functions a FortiGate firewall can do.
I will still prefer using a MikroTik as my actual router though :) And if it comes to firewalling and SD-WAN then I will prefer putting down a FortiGate.
It really pisses me off when I see a workstation is blocked by fortigate when an important conference call is going on.
Is it even possible to add in the local LAN a single host subnet /32 rather than the whole subnet ?
Yes it is possible to just setup encryption and routing for a single host as /32. You can also use natted addresses if that is some security requirement for your company. Usually done in instances with a subnet is potentially shared on both ends.
Very poorly done. Never enable bar traversal across private networks.