FortiGate Certificate Import Errors
FortiGate Certificate KB ID 0001791 Problem A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error; Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert. FortiGate Certificate Problems A brief Google led me to ask “Is the FortGate licensed or on a Free/Trial license?” As that can produce this error...
Cisco to FortiGate Command Conversion
KB ID 0001776 Problem Bah what the hell is ‘show run’? If you’ve spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully this Cisco to FortiGate list below will make it a little easier. Cisco to Fortigate Translation Cisco Command FortiGate Command Basic commands show run show full-config show version get system status show ip interface brief show system interface show run...
Cisco FPR – Re-image from FTD to ASA Code
KB ID 0001766 Problem Note: This procedure is to re-image a Cisco Firepower device from FTD to ASA code, (in this example a Cisco FPR 1010). Why would you want to do this? Well to be frank FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) then you needed to go to Cisco TAC and try and get them to give you an...
Use Azure MFA With Microsoft NPS (RADIUS) Server
KB ID 0001759 Problem I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple. So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group....
Cisco ASA DHCP Reservation (Solved)
KB ID 0001751 Problem We have been asking for this for years! Even on my home network I’ve not been able to allocate an ASA DHCP reservation for my laptop and my MyCloud drive. I’ve been in discussions in forums with people who are convinced that putting a static ARP entry into the ASA would solve the problem (it doesn’t – I tested it extensively!) But finally in version 9.13(1) we can now add a static DHCP...
AnyConnect 4 – Plus and Apex Licensing Explained
KB ID 0001013 Problem (Updated 11/05/21) Before version 4 we simply had AnyConnect Essentials and Premium licensing, now we have Plus and Apex licensing. AnyConnect Plus and Apex There are in fact three licensing options; Cisco AnyConnect Plus Subscription Licenses Cisco AnyConnect Plus Perpetual Licenses Cisco AnyConnect Apex Subscription Licenses NEW VPN Only perpetual Licences Plus and Apex Contain; AnyConnect PLUS (Cisco pitch...
Replacing Cisco Firewalls with Fortinet Firewalls
KB ID 0001741 Replacing Cisco If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls. This article is so you can make an informed choice about what you want to replace your Cisco firewall with. Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to...
Cisco ASA to Fortigate VPN (Properly!)
KB ID 0001721 Problem A while ago I did a run through on site to site VPNs from Cisco ASA to Fortigate firewalls. Back then I said that the default settings were a bit ‘shoddy’ and that I’d revisit it once I had more time. What do you mean shoddy? Well, Cisco and Fortinet are both guilty of enabling ‘Everything’ to make the tunnel come up, so people can just use a wizard and not put to much thought into...
Cisco ASA: Received a DELETE PFKey message from IKE
KB ID 0001720 Problem I was debugging a VPN tunnel today. (From a Fortigate to a Cisco ASAv). I was messing around with the encryption and hashing, when the tunnel fell over. Phase 1 was establishing fine but not Phase 2 (IPSEC). I’ve got better skills on the ASA, so that’s where I was debugging; IPSEC: Received a PFKey message from IKE IPSEC: Parsing PFKey GETSPI message IPSEC: Creating IPsec SA IPSEC: Getting the...
AnyConnect Error: Unable To Verify IP Forwarding Table Modifications
KB ID 0001646 Problem While attempting to connect to a clients AnyConnect, this happened; The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established. Or on older clients, you may see; The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again. Solution I was trying to...