Palo Alto Networks discovered a vulnerability (CVE-2024-3400) with a CVSSv4.0 base score of 10 that impacts PAN-OS version 10.2+ with GlobalProtect and telemetry enabled. We strongly recommend all review the advisory for remediation steps. Are you affected? This vulnerability does not apply to you if any one of the following apply: You are running a PAN-OS version < 10.2  You do not have GlobalProtect Gateway enabled You do not have telemetry enabled Please check if you are running one of the affected PANOS software versions. As you can see, we expect a bugfix asap with ETA by 14.4.2 ..read more

Recently, I had the challenge of rolling out an Outlook add-in in an Exchange 2016 environment. In the past, this used to be straightforward task in the Exchange Control Panel (Organization → Add-ins → Add from the Office Store). While the link to the Microsoft AppSource still works, you’re required to sign-in using an Microsoft 365 account. This would not be a problem, if the process would redirected you back to the on-premise server. However, the portal always tries to activate the add-in for Exchange Online. As I have not found a solution to this issue, I have come up with the following wor ..read more

We have received several support requests regarding interrupted mailflow between Exchange Online and SeppMail appliances. The mailflow is interrupted since 07.03.2024 at 23:00 CET time. In the MS365 logs, the following error message is shown: LED=450 4.4.317 Cannot connect to remote server [Message=UntrustedRoot] [LastAttemptedServerName=securemail.domain.ch] [LastAttemptedIP=12.34.56.78:25] [SmtpSecurity=-1;-1] [MS365EXOHOSTNAME.PROD.OUTLOOK.COM 2024-03-08T11:11:11.111Z MESSAGEID]} At the moment we assume, that a configuration issue on the SeppMail appliance is responsible for this error. W ..read more

3CX is a very widespread UC solution (phone system or also known as PBX). FortiGate is a very widespread firewall solution. Both of the products are very good in doing their thing. But to work together, a littlebit of configuration work is needed. Below you can find an example configuration of a FortiGate firewall that is used to allow the communication from and to the 3CX communication system. Please note, that this solution is only containing the complementary FortiGate configuration. UTM profiles and other security features are not part of this documentation and are needed to be added later ..read more

Im Boll Support treffen in den letzten Wochen vermehrt SeppMail Anfragen ein. Seit Microsoft in MS365 Exchange Online einige Anpassungen im Spamfilter (Defender Funktion) gemacht hat, werden die Mails als Spam quarantänisiert, welche von der SeppMail zu MS365 in paralleler Konfiguration hochgesendet werden. Um das Problem zu umgehen hat SeppMail ein neues Feature eingeführt: Das ARC sealing. Bei einer parallelen Anbindung des SEPPmail Gateway mit Exchange Online ist die Konfiguration von ARC Sealing unterdessen zwingend notwendig. Wie wird das ARC sealing konfiguriert? Aktualisieren Sie Ihre ..read more

From time to time we face performance problems on FortiGate units in our daily support life. Most often the impacts of performance problems on the FortiGate are not typical. Or let’s say “not as an admin that is not familiar with FortiGates would expect”. The expectations vary from high delay on network traffic up to unresponsiveness of the system or even a system crash. But what we experience in reality differs very much from this expectations: We see skipped UTM inspections, slow webadmin access, notification emails about conserve mode and, in very rare cases, even the the blocking of new se ..read more

Maybe you have already noticed (or maybe you have been informed by our Fortinet Firmware Update mailing list) that Fortinet has released of some new FortiOS patches on Feb. 7, 2024. To be more precise – all Fortinet minor and major versions that are running on Fortigate models that are not EOL yet have been updated: 7.4, 7.2, 7.0, 6.4 and even 6.2 which is end-of-support since September 2023. We know from experience that it is not a good sign when Fortinet is updating all these versions at the same time. Additionally it’s noteworthy that the release notes for 7.2.7 and 7.4.3 do not contain any ..read more

In this post we want to share some of the most seen reasons for slow performance on FortiGate appliances with you. This are experiences we’ve made in our support department and is not a concluding list. Traffic shapers Traffic shaping is an evergreen topic. We have already written two blog posts about traffic shaping. The biggest problem on traffic shaping is, that most administrators that configure the shaping, are not aware how the shaper and also the shaped traffic behaves when a shaper is set in place. You can find the blog posts here: Traffic Shaping auf der Fortigate v5.4 Warteschlang ..read more

Maybe you have read in the “New Features” Guide for 7.4 about this new feature: “Prevent FortiGates with an expired support contract from upgrading to a major or minor firmware release”. Here it is explained that you cannot upgrade your Fortigate to a higher major or minor version (eg. upgrading from 7.4 to 8.0 or 7.6) with an expired support contract, while upgrading to a higher patch build (e.g 7.4.1 to 7.4.2) is still possible. In principle, this is absolutely legitimate on Fortinets part. The development of the firmware is not free of charge and must be financed. But the behavior you will ..read more

It was not so long ago that Fortinet replaced the old NSE levels with new certification levels. We already wrote an article about this last year. Nevertheless, let’s take a look at how you can recertify our new Fortinet certifications: Basically, recertification is pretty simple. After two years you just have to fulfill the same requirements as for the first certification. For example, to recertify the FCP in Network Security, you must again pass one core and one elective exam from this level. But there is an exciting second option for recertification: you just need to pass one exam from a hig ..read more