Disable the FortiGate ident responder (TCP port 113) on the WAN port (it answers by default):
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Closing-TCP-port-113/ta-p/195373
config system interface
    edit <wan-interface>
        set ident-accept enable
    next
end
(<wan-interface> is a placeholder for the name of your WAN port, e.g. wan1.)
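A quick way to verify the result from outside the firewall, as an added example that is not from these notes or from Fortinet: connect once to TCP 113 on the WAN address and classify the answer. A completed handshake means something accepted the connection, a RST means the port is closed but the firewall still answered, and silence means the SYN was dropped. The target address, port default and the wording of the classification strings are assumptions of this example.

```python
import socket


def interpret_probe(outcome) -> str:
    """Map the result of a TCP connect attempt to what the firewall did.

    outcome is None when the handshake completed, otherwise the exception
    raised by connect().  The strings are this example's own wording.
    """
    if outcome is None:
        return "open: something accepted the connection on that port"
    if isinstance(outcome, ConnectionRefusedError):
        return "closed: the host answered with a TCP RST (the port still responds)"
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return "filtered: no answer at all, the SYN was silently dropped"
    return f"error: {outcome!r}"


def probe_tcp(host: str, port: int = 113, timeout: float = 3.0) -> str:
    """Attempt one TCP connection from the outside and classify the response.

    host is the WAN address of your own firewall (placeholder, supplied by
    the caller); port defaults to 113 because that is what the ident
    setting above concerns.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except (OSError, socket.timeout) as exc:
            # ConnectionRefusedError (RST) and TimeoutError (silence) both
            # derive from OSError; keep socket.timeout for older Pythons.
            return interpret_probe(exc)
        # Handshake completed; the socket is closed on leaving the block.
        return interpret_probe(None)


if __name__ == "__main__":
    # Replace the placeholder with your own WAN address before running.
    print(probe_tcp("192.0.2.1"))
```

Run it from a host on the Internet side of the firewall; the desired outcome after the change is "filtered", a "closed" result means port 113 is still being answered.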
Difference between “show” and “get” commands:
“We can use the get command to retrieve dynamic information such as the IP of a DHCP or PPPoE interface.
It also gives the information or lists the configuration of the current object in tabular format.
While the show command gives the configuration in configurable format or tree structure.”
How I understand it:
Show in FortiOS is like “show” in Cisco IOS, where you see, for example, interface status: show ip interface g1
“Get” is like “show run | sec GigabitEthernet1” – shows the configuration of the item.
OSPF with Cisco:
https://tcpflag.blogspot.com/2015/08/fortigate-with-cisco-using-ospf.html
There are two important things:
1) https://community.fortinet.com/t5/FortiGate/Technical-Note-OSPF-Interoperability-with-Cisco-Setting-up-an/ta-p/192112
FortiOS does not accept the Area ID as a single number the way Cisco does (0); you must enter it in dotted-decimal form, 0.0.0.0. If you want area 5, you must enter 0.0.0.5, and if you want area 269, you must convert it to 0.0.1.13 (269 = 1×256 + 13). You can use a converter if you don’t want to do it yourself: https://codebeautify.org/decimal-to-ip-converter
2) Hello and Dead intervals must match those of the other routers on the segment. Check the configuration in the CLI and set the correct timers in the interface configuration on the mismatching side.
OSPF diagnostics command (the interface argument is required; use any, or name the OSPF-facing interface): diagnose sniffer packet any "proto 89" 6 0 a
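The two checks above (area ID in dotted form, matching Hello and Dead timers) can be verified against the bytes that the sniffer at verbosity 6 shows for an OSPF Hello. The following Python is an added example, not part of the original notes and not Fortinet or Cisco code: it converts area numbers both ways and decodes an OSPFv2 Hello per RFC 2328 so that its area, timers and netmask can be compared with the local interface settings. The sample Hello is constructed inside the code (checksum zero, null authentication); the router IDs, timers and local values used are assumptions for the example.

```python
import socket
import struct

OSPF_HEADER_LEN = 24   # version, type, length, router ID, area ID, checksum, autype, 8 bytes auth
HELLO_FIXED_LEN = 20   # netmask, hello interval, options, priority, dead interval, DR, BDR


def int_to_dotted(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value))


def dotted_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def area_id_to_dotted(area: int) -> str:
    """Decimal area number (Cisco style) -> dotted quad (FortiOS style), 269 -> 0.0.1.13."""
    if not 0 <= area <= 0xFFFFFFFF:
        raise ValueError("OSPF area ID must be an unsigned 32-bit number")
    return int_to_dotted(area)


def dotted_to_area_id(dotted: str) -> int:
    """Dotted quad area ID -> decimal number, 0.0.1.13 -> 269."""
    return dotted_to_int(dotted)


def parse_ospf_hello(pkt: bytes) -> dict:
    """Decode the fields a neighbour-formation check cares about from a raw
    OSPFv2 Hello (the bytes following the IP header in a sniffer dump)."""
    if len(pkt) < OSPF_HEADER_LEN + HELLO_FIXED_LEN:
        raise ValueError("packet too short for an OSPFv2 Hello")
    version, ptype, length, router_id, area_id, _csum, _autype = struct.unpack(
        "!BBHIIHH", pkt[:16])            # the 8 authentication bytes follow
    if version != 2 or ptype != 1:
        raise ValueError(f"not an OSPFv2 Hello (version={version}, type={ptype})")
    netmask, hello_int, options, priority, dead_int, dr, bdr = struct.unpack(
        "!IHBBIII", pkt[OSPF_HEADER_LEN:OSPF_HEADER_LEN + HELLO_FIXED_LEN])
    neigh = pkt[OSPF_HEADER_LEN + HELLO_FIXED_LEN:length]
    neighbors = [socket.inet_ntoa(neigh[i:i + 4]) for i in range(0, len(neigh) - 3, 4)]
    return {
        "router_id": int_to_dotted(router_id), "area": int_to_dotted(area_id),
        "netmask": int_to_dotted(netmask), "hello": hello_int, "dead": dead_int,
        "options": options, "priority": priority,
        "dr": int_to_dotted(dr), "bdr": int_to_dotted(bdr), "neighbors": neighbors,
    }


def hello_mismatches(hello: dict, local_area: str, local_hello: int,
                     local_dead: int, local_mask: str) -> list:
    """Reasons a router with these local settings would ignore this Hello
    (RFC 2328 sections 8.2 and 10.5: area, timers and mask must agree)."""
    problems = []
    if hello["area"] != local_area:
        problems.append(f"area {hello['area']} != local {local_area}")
    if hello["hello"] != local_hello:
        problems.append(f"hello interval {hello['hello']} != local {local_hello}")
    if hello["dead"] != local_dead:
        problems.append(f"dead interval {hello['dead']} != local {local_dead}")
    if hello["netmask"] != local_mask:
        problems.append(f"netmask {hello['netmask']} != local {local_mask}")
    return problems


def build_hello(router_id: str, area: str, hello: int, dead: int,
                mask: str = "255.255.255.0", neighbors=()) -> bytes:
    """Construct a Hello for testing: checksum left at zero, null authentication."""
    body = struct.pack("!IHBBIII", dotted_to_int(mask), hello, 0x02, 1, dead, 0, 0)
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    header = struct.pack("!BBHIIHH", 2, 1, OSPF_HEADER_LEN + len(body),
                         dotted_to_int(router_id), dotted_to_int(area), 0, 0) + b"\x00" * 8
    return header + body


if __name__ == "__main__":
    # Constructed sample: a Cisco neighbour in area 269 using Cisco's default 10/40 timers.
    sample = build_hello("10.0.0.2", area_id_to_dotted(269), 10, 40, neighbors=["10.0.0.1"])
    decoded = parse_ospf_hello(sample)
    # Assumed local FortiGate settings: area typed as 0.0.0.0 and 30/120 timers.
    for line in hello_mismatches(decoded, "0.0.0.0", 30, 120, "255.255.255.0"):
        print("mismatch:", line)
```

The pattern to look for in practice is a Hello arriving every N seconds with no neighbour ever reaching FULL; the mismatch list above tells you which of the three values to change, and the area check is where a single-digit Cisco area typed as 0.0.0.5 versus 0.0.5.0 shows up.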
Radius configuration:
Start with this example:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-FortiGate-and-Microsoft-NPS-Radius/ta-p/213024
Check connectivity problems from the FortiGate CLI:
diag sniffer packet any "host XXX.XXX.XXX.XXX and udp" 4 0 l
or, to see all traffic to and from the server rather than only UDP:
diag sniffer packet any "host XXX.XXX.XXX.XXX" 4 0 l
(XXX.XXX.XXX.XXX is the RADIUS server address; 4 = print headers with interface names, 0 = no packet count limit, l = local timestamps.)
If there is no connection to RADIUS, check/fix these things:
1) correct IP address in the RADIUS Client settings in Windows NPS
2) correct outgoing interface (configurable in the CLI only, under config user radius): set source-ip "XXX.XXX.XXX.XXX"
3) Windows Firewall rules. Sometimes it’s easier to disable the preconfigured rules for NPS and manually create new ones (thanks, Microsoft, your products are always reliable and predictable)
4) if you’ve configured logging in the NPS settings, “If logging fails, discard connection requests” should be unchecked
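The checklist above separates "no reply at all" (client IP, source-ip, Windows Firewall, NPS logging) from "a reply, but not the one we wanted". As an added example, not from these notes and not Fortinet or Microsoft code, the Python below builds an RFC 2865 Access-Request with a PAP password, sends it to the RADIUS server from a test host and tells those cases apart; it also verifies the Response Authenticator, so a reply signed with a different shared secret is reported rather than trusted. The server address, shared secret, user, password and NAS IP passed to probe_radius are values you supply; the ones in the code are placeholders. On the FortiGate itself, diagnose test authserver radius <server-name> pap <user> <password> performs the equivalent on-box test.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple (minimum 16) and XOR each
    block with MD5(secret + previous block); the first "previous block" is the
    Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide (what the server does before checking the password)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str,
                         ident: int = 1, request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server-side reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    Used here only to produce test input."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Verify the Response Authenticator; also fails when the shared secret differs."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def classify_reply(reply, request_auth: bytes, secret: bytes) -> str:
    """Turn the raw outcome into the checklist item it points at (this example's wording)."""
    if reply is None:
        return "no reply: check NPS RADIUS client IP, FortiGate source-ip, Windows Firewall, NPS logging setting"
    if not reply_is_authentic(reply, request_auth, secret):
        return "reply failed Response Authenticator check: shared secret mismatch or forged reply"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(reply[0], f"unexpected code {reply[0]}")


def probe_radius(server: str, secret: bytes, user: str, password: str, nas_ip: str,
                 port: int = 1812, timeout: float = 3.0) -> str:
    """Send one Access-Request and report what came back, or that nothing did."""
    request_auth = os.urandom(16)
    ident = 0x2A
    pkt = build_access_request(user, password, secret, nas_ip, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return classify_reply(None, request_auth, secret)
    if reply[1] != ident:
        return "reply with a different identifier: not an answer to this request"
    return classify_reply(reply, request_auth, secret)


if __name__ == "__main__":
    # Placeholders: replace with your NPS address, shared secret, a test account and the source IP.
    print(probe_radius("192.0.2.10", b"shared-secret-placeholder", "testuser", "testpassword", "192.0.2.1"))
```

Run it from the same source address that NPS has registered as the RADIUS client (the source-ip from item 2), because a request from any other address is silently discarded by NPS and will look exactly like a firewall problem.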
