Making Air Print Work Between VLANs / Interfaces on FortiGate

  • Published 8 Sep 2024

COMMENTS • 41

  • @tepitokura 4 years ago +2

    Thank you Mike, we are migrating all the network printers to the new vlan. Great video. People like you make the internet fun.

  • @rodneyaltamera4057 3 years ago

    Thanks Fortigate Guru, I have learned why multicast is disabled by default in FortiGates. Love your videos!

  • @Bbomby 3 years ago

    Thank you for this video! Still watching the rest before sending questions. Attempting NSE4 soon.

  • @rossnick 4 years ago +1

    Thanks for this video. I'll give this a shot.

  • @duardyparron850 4 years ago +1

    Good video Mike, I darn solved a problem I didn't know I had.

  • @krzysztofwronka8413 1 year ago +1

    I did the configuration as you showed, on firmware version 6.4.0, and all worked fine. But after two years I upgraded my FortiGate to firmware version 7.2.0 and configured the same thing one more time. I have a problem: routing between VLANs doesn't work. What is wrong? MIKE HELP ME PLEASE.

  • @ahslan18 4 years ago +2

    I literally got a ticket for someone having trouble printing while watching this video 🤣. Printers really are the devil. Thanks for the info!

  • @ryan99alero 3 years ago +2

    We use FortiGates at the office so I purchased a 40F for home so I could learn them. At home I've got around 6 or so VLANs for things like VOIP, IoT, DATA, iSCSI and Management. I'm also a fan of HomeKit but want all IoT stuff separated. I've noticed that when I launch the HomeKit app a lot of the HomeKit devices will say No Response. Then if I reboot the FortiGate it's all good for say half a day. Then it starts doing that again. If I force quit the HomeKit app and relaunch, maybe 10 seconds later all the "No Response" devices will show up. I also noticed that even though I have mDNS set to allow all to all I still get rule zero blocks on some, but not all, and the multicast data appears to be coming from IPv6 also. I haven't set up any IPv6 policies yet. Wondering if anyone else has ever had similar experiences. Prior to my FortiGate 40F I had a Ubiquiti EdgeRouter 4 with multicast forwarding enabled. I never had any issues with multicast forwarding and HomeKit visibility on the UI family. For switches I have a 16-port PoE Ubiquiti switch and a 24-port non-PoE Ubiquiti switch. They are set as layer 2 so the router handles all the routing, but of course they have the VLANs configured on them.

  • @yavarfallahi2153 3 years ago +1

    Mike, useful video, however you missed an important part!
    In the multicast rules you did DATA -> PRINTER; however, it didn't work for me. I fixed it by also allowing the reverse, which is adding a second rule PRINTER -> DATA. If you don't add this then the printer will not be discoverable across the network for the specified VLAN.

  • @zagainnature 3 years ago

    Thanks for sharing this knowledge!!

  • @jefflambert7513 3 years ago

    That was super helpful, mega thanks!!! I have several SSIDs to keep things segmented and the printers have their own. But printing to the printer this way has been a pain in the ass. I think you just provided me the solution. I haven't set up any VLANs, wondering if I should on my 60F. Appreciate this, thank you....take care.

  • @it.gayndah 4 years ago

    First viewer of this channel. I was very impressed with how the information was related, basically in a summary way, instead of others rambling along for more than double the time frame to cover the same subject matter. Congrats, very well done! I'm hooked and subscribed even before the end of the video, even though I don't use Fortinet but UniFi devices and pfSense... no matter, all routers are basically the same.

  • @aplouie 3 years ago

    Thanks, that was very helpful!

  • @hightec1988 6 months ago

    How about creating multicast policies for VLANs inside a zone? If I try to create one, I don't see my VLANs in the source interface or destination interface fields. Please help.

  • @tcourterevvgoodwill 1 month ago

    Does it make a difference if they're FortiSwitch VLANs? I've got some security camera door phones that need to communicate with the PBX server and the NVR and the discovery between the two VLANs isn't working even with multicast policies turned on that should allow it. I'm just wondering if I missed a step. This is a 100F btw.

  • @JaZzDeOliveira 2 months ago

    How would you recommend doing this if I am using Zones on my FortiGate?

  • @uendarkarplips7263 2 years ago

    A follow-up to show how to troubleshoot and verify things are working would be neat.

  • @mk25 3 years ago +1

    Dude tell me, how to configure, for example, port 1 and port 2 to see each other's networks? (routes, policy)

  • @BradBamford 3 years ago

    Fortinet doesn't allow multicast policy rules between the same Zone like (INSIDE to INSIDE). How do you work around that limitation?

  • @juliansantiago6879 3 years ago

    Hi, I'm new to FortiGate. Can you make a video on how to add a FortiAP to a VLAN to have WiFi in a VLAN? I'm using a Cisco 3750G, FortiGate 60E and FortiAP 221C.
    I would like to have the same DHCP in the VLAN and WiFi. Thank you

  • @fanuchman 4 years ago +2

    Wouldn't a rule allowing PRINTER to DATA inherently allow for a compromised printer to potentially scan, exploit, and move to a computer on the DATA network?

    • @maxysadm 2 years ago

      My exact same thought. I understand the idea of why you want them on a separate VLAN, but if you have that reverse, wouldn't that defeat the entire purpose? I think you only achieve a way of isolating them if you have a breach by disabling that rule...
      I'm pretty sure I'm missing something important there.
      Also, I have the MAIN issue of users scanning to their computers from big printers.. how do you guys handle that?

    • @m1carver 2 years ago

      I believe you are both correct to an extent, but I believe this video's purpose is to show how to get STARTED, with an implicit understanding that the firewall admin will then go on to decide which of the security-related features/tools/options offered by the firewall he wants to use. That selection is specific to the particular users' access requirements of the network(s), the requirements of the users' particular devices, and the requirements of the particular printers.
      I've experienced that there can be a lot of variation in the ports, protocols, and more that the manufacturers of the specific devices decided to use in their products' multicast implementations, and there are probably other sources of variation too.
      My non-professional network engineer understanding is:
      After verifying that AirPrint is working between the two VLANs with no restrictions in the 2 policies, and with no restrictions in the 2 multicast policies as well, in the way that the video shows, then one can begin to decide how to best take advantage of the firewall's features and tools that are available as a result of putting the printer and the devices authorized to connect to it on two different VLANs (and their 2 different corresponding subnets).
      So for example,
      1.) Block Internet access on the Ethernet port and also on the VLAN used by the printer. (This is more secure than having the printer on the same subnet as the devices and just creating a policy to block Internet based on the printer's MAC address and/or IP address, as both of those can be readily spoofed.)
      2.) Modify all 4 of these policies (the 2 multicast and the 2 IPv4 policies) to be as restrictive as possible while still enabling functionality in your particular use case...
      - Allow only the particular ports and protocols that are needed in your specific setup, which you learn by monitoring the traffic when you print something via AirPrint from your specific devices to your specific printers (and it's good to also do some searching online).
      - Consider giving your printer a static IP address, and restrict the IP address range as much as possible on the printer's VLAN, and/or other variations of this nature.
      - Restrict the network traffic such that only specific devices can talk to the printer itself, and so the printer will only listen to those specific devices. You can use the DHCP reservations of the devices, but there are other options that are better (disallow MAC address randomization... at least the kind that follows the official MAC address randomization scheme's guidelines).
      - Use the network traffic scanning features offered by your FortiGate firewall.
      - ...
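Putting this thread into configuration, here is an added FortiOS CLI example (not from the video or any commenter) of the least-privilege variant m1carver describes: mDNS multicast in both directions, as yavarfallahi notes is required, but no unicast policy from PRINTER back to DATA, which addresses fanuchman's concern. The interface names DATA and PRINTER, the printer address 10.20.30.40, the object names and the policy IDs are assumptions.

```fortios
# Assumed: interfaces DATA and PRINTER, printer at 10.20.30.40 (constructed).
# mDNS both ways, restricted to UDP 5353 (mDNS) only. PRINTER -> DATA is needed
# because the printer's mDNS answers are themselves multicast; it passes no unicast.
config firewall multicast-policy
    edit 1
        set srcintf "DATA"
        set dstintf "PRINTER"
        set srcaddr "all"
        set dstaddr "all"
        set protocol 17
        set start-port 5353
        set end-port 5353
        set action accept
    next
    edit 2
        set srcintf "PRINTER"
        set dstintf "DATA"
        set srcaddr "all"
        set dstaddr "all"
        set protocol 17
        set start-port 5353
        set end-port 5353
        set action accept
    next
end
# Unicast: DATA opens IPP to the printer only. No PRINTER -> DATA unicast policy
# exists, so the implicit deny stops a compromised printer from reaching into DATA.
config firewall address
    edit "AirPrint-printer"
        set subnet 10.20.30.40 255.255.255.255
    next
end
config firewall service custom
    edit "IPP-631"
        set tcp-portrange 631
    next
end
config firewall policy
    edit 10
        set name "DATA-to-PRINTER-IPP"
        set srcintf "DATA"
        set dstintf "PRINTER"
        set srcaddr "all"
        set dstaddr "AirPrint-printer"
        set action accept
        set schedule "always"
        set service "IPP-631"
        set logtraffic all
    next
end
```

Printers that also need raw port 9100 or scan-to-PC traffic would require a further service object or a separate, equally narrow policy; the logged IPP policy gives the baseline to compare against.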

  • @TrillasAdventures 2 years ago

    Is the IPv4 policy really needed or could you just do the multicast policy? Or I guess the IPv4 policy is for further security profiles??

  • @MiguelSanchez-mj3sb 4 years ago

    I have enjoyed this video :)

  • @80211WiGuy 1 year ago

    Hi Mike, any experience with the "config wireless-controller bonjour-profile" feature you might be able to share?

    • @FortinetGuru 1 year ago +1

      Will add it to the list of things to make videos on.

  • @sistematico17 3 years ago

    "users are inherently stupid" hahahaha great video!

  • @akintosh8481 1 year ago

    I configured only one rule. It works fine but I can see the printers only randomly. Is there anything more I can do?

  • @maximilianoerbin1903 3 years ago

    Hi! I'm Maximiliano from Argentina and I've a FGT40C running v5.2.15,build766 with 2 FAP-321C and I've several issues trying to make a Chromecast 2 work with devices connected to the same wireless network. I tried different configurations with no success... Can you help me??

  • @blackshelbygt500kr 3 years ago

    How does this work with Zones? I want to allow printers in the office at my church to send multicast to another VLAN...but not all the VLANs. Right now I can only select INSIDE to ANY...

    • @FortinetGuru 3 years ago

      Let me lab it up and see what I can figure out

  • @ckm6057 4 years ago

    Would the multicast policy allow lease printers to communicate with vendors that need to track ink and paper usage?

    • @FortinetGuru 4 years ago +1

      You would need a firewall policy to allow the devices to reach out to the vendor.

  • @marian-adrianpaun4909 4 years ago

    Very well explained video but I got a tricky question: FortiOS 6.2.3 on a 100F unit, I'm creating the VLANs, setting up the IPv4 policies and yet the VLANs can't talk to each other; they can't even ping the gateway. Not to mention going outside to WAN1/2 with the right policies. Anything else on the hardware switch which has an IP address set is good for internet/gateway ping, etc. What am I doing wrong?

    • @FortinetGuru 4 years ago

      More data is necessary. Are you creating the VLANs on the FortiGate port that connects to a downstream device? Does the downstream device support VLAN tagging? Are those ports properly tagged etc?

    • @marian-adrianpaun4909 4 years ago

      @@FortinetGuru Thank you for your reply. Long story short, I am trying to replicate a configuration made a few years ago, and not by me, on a FortiGate 100D running 5.2.3. The hardware switch on the unit was configured with an IP address for management and then they created 4 VLANs after that. Surely when the licence expired I bought a new one, a year ago, and when I updated the firmware needed for the licence to work I stumbled into a problem and nothing worked. I downgraded and put them back to work exactly the same way. Now the client asked to fix a problem which needs a licence in order to work, so we bought new units, the FortiGate 100F running 6.2.3, and I was trying to configure it back the same way the old ones were. In the old units I have ports 15 and 16 running 2 cables to a FortiSwitch 348B in which I have VLANs declared and all the good stuff. Those ports however are part of the hardware switch and in the GUI I can't see anything that marks them as trunk ports. I imagine that on the new unit I also need to declare 2 ports as a trunk for the data to flow, but I am not that used to FortiGate VLANs. I do have for testing a D-Link DGS-1210-52 in which I created the VLANs and declared 2 ports for trunk. The ports that I use on this for the devices to connect to have VLANs declared but the traffic is untagged. I've read so much info in the past two days and I am at the point that I am not sure if the configuration is good on any of the devices. I will try with a Cisco switch just because it's easier to make the configuration for VLANs and trunk ports. Thanks

  • @morgezorge6387 3 years ago

    So the Fortigate is also a router?