วีดีโอ

Thank you

I think of the loopback interface the same as VLAN interface,they’re both logical interfaces

Hey Thiago, were you satisfied with the answer?

Hey, just curious and looking to improve things always, do you mean the background music volume is too high or you’d prefer no background music altogether?

@@staticroute seems particularly high in this video but I'd prefer none at all.

Better pls proceed without background music

Thank you very much, noted, yours is one of 2 comments about the background music, I appreciate it 👍🏼

Apologies, I should have started how good your tutorials are, very easy to understand and quite professionally edited. I'd appreciate if you do a video on advance BGP scenarios with route tags, route target, and how to use communities to accept routes and based on community route to specific peer

you're 100% right SDWAN does it's own link monitoring and I hope to cover that in later video

@@staticroute Thank you

please create one sir ​@@staticroute

Thank you very much 😀🤟

Yes it is, it turns out that’s how it works and I suppose it does make sense

Yes absolutely..

I’m probably doing that one next..

@staticroute

remote firewalls present their "local-id", which we set to ftg02 and ftg03 on each site plus the psk. FTG01 will be expecting these specific Peer-IDs so they have to match. FTG01 is like domain controller with user accounts, etc, and local-id is like username, psk being the password. it works in the same way with certificates

@@staticroute ok budy, now i got it, make all sense right now for me, thank you so much

Ah man I’m so happy this has been of value, let’s keep at it…

ok so the VTI's stay the same always when you reload .. Is that correct? ..

That's a critical point you're raising and the simple way to address that I think would be with the following config update on the DC fortigate: config router bgp set as 100 set router-id 1.1.1.1 set recursive-next-hop enable config neighbor-group edit "remote-fw" set remote-as 100 next end config neighbor-range edit 1 set prefix 172.16.100.0 255.255.255.0 ----->define the range as the VTI address scope, you can make this smaller if you need to. set max-neighbor-num 2 ----------> also this should probably match the number of peers you expect should peer with your DC FW. set neighbor-group "remote-fw" next end

There's a similar config here: community.fortinet.com/t5/Support-Forum/BGP-Neighbor-Ranges/m-p/290127

Thanks, could you please explain the neighbor-group and neighbor range configs? So if I defined the phase1 range as set ipv4-start-ip 10.215.1.1 set ipv4-end-ip 10.215.1.250 set ipv4-netmask 255.255.255.0 and then defined the prefix as set prefix 10.215.1.0 255.255.255.0 Does that mean the hub will setup a bgp neighbor for each ip it address it's allocated for the spokes ? Is there a way to control which ip address is allocated for which spoke and keep it that way. I'm trying to make sense of the below config, I can add the max-neighbor command . config router bgp set as 65410 set router-id 10.20.41.1 set ibgp-multipath enable config neighbor-group edit "SPOKE_ISP_1" set interface "TUN_INET_ISP1" set remote-as 65400 set update-source "TUN_INET_ISP1" set route-reflector-client enable next edit "SPOKE_ISP_2" set interface "TUN_INET_ISP2" set remote-as 65410 set update-source "TUN_INET_ISP2" set route-reflector-client enable next end config neighbor-range edit 1 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_1" next edit 2 set prefix 10.215.1.0 255.255.255.0 set neighbor-group "SPOKE_ISP_2" next end

Yea I’m definitely doing a video on that soon…

Thank you

@@MrSatadal for sure! I'm particularly interested to hear your thoughts about this config 😀

In our example, we don’t require the use of routing protocols, so the tunnel interface doesn’t need an ip address.

@@staticroute can you please make a video of dial UP ipsec with BGP? If already have the video please share link.

I’m publishing that video today, thank you for the suggestion..

Fortigate BGP over a Dialup VPN Site-to-Site Configuration th-cam.com/video/-porUcCZhxE/w-d-xo.html

I hope this is what you were looking for, let me know..

Sure thing! I have a plan for more videos on the topic

hey Anand, yes certainly, that is in fact part of an upcoming "Networking Fundamentals" series, I estimate I will only begin working on it near the end of the year...

From the fortigate packet flow perspective - dnat then to route lookup to snat order and where the session table fits in that. Thank u

@@AnandNarineI’m so glad you’re quiet right… about the order and I found this document to support your statement: docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading Session table is part of stage 3 - stateful inspection and session management, after traffic is forwarded and a 3-way handshake is complete and session established… Thank you for a great question…I had to double check it before answering 😅

Do u know if a policy lookup needs to be done to allow new traffic Before it gets entered into the session table?

@@AnandNarine yes correct, otherwise you won’t see that traffic in session table

Hi Anand It's Version 7.0.15

Glad it was helpful!

Hi @mrmendes4ever, I assume you have NAT-T enabled on the StrongSwan as well? From Fortigate try to run the following and observe output: 1. get vpn ipsec tunnel summary we are interested in status: selectors(total,up).. 2. diagnose sniffer packet any 'host x.x.x.x' 4 we want to see bidirectional IKE exchange, be sure to use the public address of the StrongSwan. 3. diagnose vpn ike gateway list name "tunnel-name" or simply diagnose vpn ike gateway list if there's only 1 tunnel The idea is to see what status phase 1 tunnel is in: connecting or Established. Then we can take it from there..

Assuming the 2 devices are in fact correctly exchanging IKE and UDP/500 UDP/4500 and ESP are not blocked anywhere, try this to see what the peers are disagreeing on: - diagnose debug application ike -1 observe the output and hopefully this leads us to the root cause. Best of luck!

Thank you!

Thank you @Rejo-ni3hz, I try to be rooted in theory but apply practical application so that anyone can easily understand, I’m glad the content is achieving that…😀 thank you for being part of this community..

It’s part of the schedule, will definitely be doing that soon

@@staticroute awesome thanks.

I’m real happy this content is useful, I am working to create more….so more will be coming!

please do a full course on udemy

Hi Ahmed, thank you for being part of our community! about this command...I've seen it around but I have no experience personally using it...thanks for this..I'm going to check it out for sure :-D

I have two IPsec tunnel using two different ISP. I would like to manipulate the outgoing and incoming traffic through specific tunnel using BGP. Can you please provide the configuration ?

@@VishnuK-br7ee Hi Vishnu, This article may be useful: community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-modify-route-preference-using-Local/ta-p/305018 so for inbound traffic, the best way might just be to work with your ISP to edit the attributes on their end being advertised to you. Also keep in mind the default BGP behavior like this: community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-route-selection-process/ta-p/195932

@@staticroute IPsec tunnels between site to site not with ISP.

@@VishnuK-br7eehey Vishnu, try to please draw it and indicate clearly what you would like us to achieve…share on Google docs or Dropbox, etc I promise I’ll have a look

Hi Muhammad, thank you for tuning in and being part of our little community..to answer your question, I'm not yet ready for that but it is definately the plan.

Hi sis, thank you 🤣

This particular video is up for a redo, I definately plan to go deeper on SDWAN because there’s so much to it

You're very welcome!

Thank you for being part of our Static Route community…

I’m preparing more content as part of my re-certification journey and I’m happy its useful to you as well 🙏🏽

Hey Kevin, for sure SD-WAN is not too far off..

Thanks for supporting the channel

Hi Selva, my recommendation is to register for free on the Fortinet website www.fortinet.com > Forticloud Login > Register and follow the process, fill out the registration form...it takes less than 2 minutes to complete and your new account is active immediately! Once registered and logged in, go to support.fortinet.com/Download/VMImages.aspx to download any image you want, my suggestion is to download [ FGT_VM64_KVM-v7.4.3-xxxx ] Fortinet now gives you FREE permament license, check out more information here: docs.fortinet.com/document/fortigate/7.4.3/administration-guide/441460

Hi Selva, That’s mainly for policy-based VPNs. So far we’re doing route-based VPN. Check out this video, inspired by your question.. IPSec VPN - Firewall Policy or Not? th-cam.com/video/bYljEf3QZ_M/w-d-xo.html

Hello @user-sc4gn4uh9h Thank you for supporting the channel, I appreciate your comments. Basically, your Branch wan1 and wan2 interfaces (Underlay) must already be working. If you have 2 tunnel interfaces (which will be your SDWAN underlay), they must also individually be working and capable of handling all branch traffic. That way, when you make them SDWAN members, they continue as normal. I suggest you test it out in GNS3 to see where it could be failing. If you need some help, send me a zoom invite we could look at your GNS3 setup and get that working.

Site-to-site IPsec tunnel interface doesn’t require ip address, remote networks are explicitly reachable over statically defined path that uses tunnel interface as exit interface together with policy to allow it. You don’t need anything more.

thank u@@staticroute

@@staticroute Could you please explain when the IP addresses are required.

@@rjnasr8078when the tunnel interface has an ip address, typically used with dynamic routing protocols…I’m preparing g a video on that very topic…I hope it will help..

@@staticroute Yes, Thank you. I am trying to understand all this as I have a situation where there are a number or VPN site-to-site links and I need to add another backup 4G link for each site. So I am trying to work out how to do this. In fact some sites will have a Starlink connection for wan1 and 4G for Wan2. I can't seem to find any info or topology on this kind of setup. I'm still waiting on a 40F with inbuilt 4G to be delivered but also I am wondering if I can just use a 4G modem connected to the FortiGate. I thought this type of setup will be very popular ? If you have any idea how to do this that would be great. Thanks again.