FortiSASE onboard - On going

FortiSASE Cloud Security tunnel advanced settings

- turn on will cause reconnect all Endpoint

QR Code Generator with logo

A simple utility to generate QR codes that do not expire. One-time purchase. No subscriptions.

One-time purchase: USD 0.99

Download after purchase • Use forever • Works offline

Buy Now (USD 0.99)

Opens Payhip checkout in a new tab.

What you get

• One-time purchase, use forever
• No expiration on generated QR codes
• No account required
• No personal data stored or collected
• Works offline after download

Demo

Watch how it works:

Privacy

This tool does not require sign-in and does not store or collect personal data. Generated QR codes are created from the input you provide.

FAQ

Do the QR codes expire?
No. The QR codes generated by this tool do not expire.

Do I need internet to use it?
No. After download, the tool works offline.

Is it a subscription?
No. This is a one-time purchase (USD 0.99).

Refund policy

Due to the digital nature of this product, all sales are final. Refunds are only provided if the file is defective or cannot be downloaded.

Support

Support is provided on a best-effort basis and is limited to download or launch issues. Please include your order ID when contacting support.

---

Disclaimer: This software is provided “AS IS”, without warranty of any kind. You are responsible for verifying outputs before use. By downloading or using this software, you agree to these terms.

Buy Now (USD 0.99)

Things to know before migrate from SSLVPN to IPSec for FortiGate

Since FortiOS  going to obsolete SSLVPN from 7.6 onward,

Information

1. Ditch away the idea user group, it unable support user grouping like SSL VPN did. 
2. FSSO is a must for user grouping except local database, but FSSO has some restriction 
3. FSSO deploy with DC agent mode for better performance
4. Please test with your own mobile data, example I connect my office wifi and the office WAN IP  is use to peer with DC via IPSec, when test this remote access I always matched with the office IPSec profile.
5. If you have multiple IPSec dailup profile,  it could be matched to other IPsec profile that contain same phase-1 variable, especially the NAT-T option. Example, your Remote Access profile name F, FortiGate will try match the proposed variable from top to bottom (Profile A-F), let say the proposed proposal profile match variable at Profile C, firewall will take the NAT-T value at Profile C and negotiated based on it, but your remote user Profile F is without NAT-T but FortiGate will keep communicate with NAT-T 4500, so configure the propose profile wisely else will keep troubleshoot here and there. 
6. Pray to god for mobile phone setup, going be a nightmare, wrong pre-sharekey key in by user, wrong proposal selected and more. 
7. Azure Group object wont work for BYOD.

*note
mobile phone - iOS 

ikev1

1. If you have mobile user unable set the phase 1 and phase 2, herewith the phase 1 proposed by mobile phone
   
2. Phase 2

ikev2

1. FortiGate Config

 

          Mobile Phone config

 

Local User Database

1. Grouping user only option is to configure multiple dailup profile with different peer id and different profile has different assigned ip to group the user.

LDAP information

1. Support ikev1, stick to ikev1 if you have mobile phone user.
2. I will say partially support ikev2 , you can amended the xml and restore the amended xml file on desktop but mobile phone setup there is no option to select EAP TLS, not sure it support ot not (EAP-TTLS support for IPsec VPN)

Radius

1. Didn't test lazy to setup, more or less the same

SAML  information

1. No object group id is allow, else will face EAP error issue (Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups)
2. Object Group ID wont work for Azure
3. Even integrated with FSSO DC agent, it need user to lock and relogin to trigger the netlogon update quite troublesome.
4. Saly

Related document for SAML
Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication

BYOD

1. Bye, if a domain environment, netlogon details doesn't send to AD so FSSO wont work.

Other site information

Forti VM with FortiOS 7.4.8

diagnose debug application authd -1 when turn on this debug the SAML wont work till disable debug 

To conclude, migrating from SSL VPN to IPsec VPN is PAIN and takes time for users to adapt. There are many restrictions and challenges along the way. It feels like Fortinet is trying to push users toward SASE, but not everyone can afford it—especially SME business.

Update 17 July 2025,

FSSO

Due to AD behavior, FSSO also has some limitation on user identification, BYOD doesnt work and RDP with domain user,  example IPSEC success with limvuihan (IP 192.168.10.1) but I remote desktop with domain admin pbbadmin to another server  due to AD behavior, the logon event id will be update that pbbadmin IP address as your IPSEC IP which is 192.168.10.1. So all the defined rules based on your grouping wont work and unable access. Alternative is to ignore the pbbadmin user list  at collector agent.

Update 1st August 2025

So when there is user connect the FortiClient IPsec, cant change the Split Tunnel Parameter as shown here in use, is not flexible as SSL VPN Tunnel request user to reconnect the VPN to get the new route. 

Palo Alto Self Signed Certificated ERR_SSL_KEY_USAGE_INCOMPATIBLE

 if you found my page seem that Palo Alto KB doesnt help, dont keep regenerate self signed it doesnt help herewith the steps

For Windows user

Setup Open SSL 

1. download and install open ssl from Shining Light Production (please donate if it helps)

Then Generate CSR Palo Alto KB

1. Complete the Generate the CSR steps

Back to your laptop/pc start to signed the certificate

1. Open CMD with administrator go to the openssl folder example C:\Program Files\OpenSSL-Win64\bin

2.  Type in command -

openssl.exe genrsa -out rootCA.key 2048

3. Type in command -
openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

4. Create an Extensions File. example on the C:\Program Files\OpenSSL-Win64\bin, create a text file name v3_req.txt content as below

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth

save it

5. Download the CSR from Palo Alto and save it to directory openssl bin directory, example C:\Program Files\OpenSSL-Win64\bin

6. type in command just to replace the server.csr to the downloaded CSR name  
openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt

7. Upload the signed certificate to Palo Alto, make sure the certificated name must exactly same as the generated CSR file name.

Able to solve the issue

Ping Test Tool

Although there're lots of free ping test tool, I develop my own version ping test tool that suit my troubleshooting purpose. Feel free to download it and feedback to me.

My own version ping test tool with time log on each ping result, this time logging can be disable too. 

herewith the tools

ping test tools

Let start NSE8 !

Let start NSE 8 journey, wondering able to achieve within a year or might not or drag another decade XD.

After going through CCIE - Sec exam roughly understand how the exam going to look like.

Hope my company sponsoring me for this exam as I moved away from Network Security into cloud Security. ahemm FortiSaSe also cloud sec what.

I'm still struggling should release alpha version of Cisco Lina/ASA firewall policy convert tool develop by using company resource (laptop) to public. 

Cisco FTD route-map metric

 If you tried search the information even with chatgpt still cant locate the information. Yup, Cisco FTD replace the metric value with bandwidth:

Cli output