Author: andrewtravis

Fortinet Zero Trust Network Access (with SAML)

I love the goal of Zero Trust: don’t trust and continuously verify. It protects against extending the LAN to the remote PC connecting over the VPN, including preventing usage of personal devices by employees. It continuously checks the posture of the endpoint accessing an application. It doesn’t make the...

FortiExtender for Cellular Connectivity

I have wanted to play with our FortiExtender for a while and finally got my hands on the FEX-511F! FortiExtender is more than just a cellular wireless WAN device to use as a cellular connection for a site; it can also be used for out-of-band management of the site...

The Fortinet SD-WAN Overlay Template Wizard

I’ve been using a two-year-old SD-WAN/VPN/BGP config in my Fortinet home lab, adjusted over time to take advantage of new VPN and BGP templates in new FortiManager releases. But I hadn’t utilized our SD-WAN Overlay Template yet and wanted to see how it worked. The goal of...

FortiGate Internet Redundancy Designs

The topic of high-availability Internet connectivity is a constant conversation I have with my customers and teammates, and I finally thought it best to sit down and draw the various options. These options assume you have two FortiGates in HA (I don’t get into Active-Passive vs. Active-Active for...

Using FortiNDR to Detect Malicious Activity

In last month’s post, I wrote on how to send traffic into FortiNDR to detect malware and malicious activity. Since then I brainstormed how to pump a lot of malicious traffic through my network and ended up using a mix of FortiTester, AlphaSOC, nmap and malware samples. My goal...

Network Detection and Response

In a past life as a member of a Blue Team providing defensive security, I loved tapping critical points of the network and mirroring that traffic to an IDS, then to our SIEM so that we could detect malicious and anomalous behavior on the network. Naturally I had to...

FortiZTP

In a past blog post, I blogged about the various zero touch and low touch provisioning options when setting up new FortiGates. Since then, Fortinet has released FortiZTP to simplify zero touch provisioning further than what FortiDeploy provided. FortiDeploy used FortiGate Cloud to point FortiGates to FortiManager, but it...

FortiGate BGP and SD-WAN

BGP and SD-WAN are like peanut butter and jelly — just better together. And given that a FortiGate has full-blown BGP routing capabilities in addition to its SD-WAN capabilities, it would make sense to use the two functions to share information with each other when steering traffic. To plagiarize...

FortiManager as FortiGuard Proxy

In a recent proof of concept, we needed to configure FortiManager and the FortiGates to work through a web proxy. We configured FortiManager to act as the FortiGuard proxy (or FortiGuard Distribution Server (FDS) in Fortinet-speak), that way we only had to modify the web proxy to permit FortiManager...

Fortinet SD-WAN Lab Setup (2023 Update)

Last year, I blogged about how I had built an SD-WAN lab for FortiGate and FortiManager demos. I wanted to better illustrate Branch deployments and in 2023 I rebuilt the lab with more Branch FortiGates. I’ve also upgraded my home lab from FortiOS 7.0 to 7.2, which introduced a...