IPsec security associations

IPsec security associations (SAs) are synchronized between HA members to ensure seamless failover and continuity of VPN tunnels.

DHCP leases

DHCP lease information is synchronized between HA members to maintain consistent IP address assignments and prevent disruptions when failover occurs.

When FortiGate performs SSL/SSH full inspection and detects an invalid certificate, there are three valid actions it can take:

Allow & Warning: This action allows the session but generates a warning.

Block & Warning: This action blocks the session and generates a warning.

Block: This action blocks the session without generating a warning.

Actions such as "Trust & Allow" or just "Allow" without additional configurations are not applicable in the context of handling invalid certificates.

References:

FortiOS 7.4.1 Administration Guide: Configuring SSL/SSH inspection profile

The certificate warning errors occur because the SSL inspection profile is configured to use a private CA certificate that is not recognized by the browser as being signed by a trusted CA. For the browser to trust the FortiGate's re-signed certificates, the CA certificate used by FortiGate for SSL inspection must be installed in the browser's trusted certificate store. Until the browser recognizes the certificate authority (CA) as trusted, it will continue to display warning errors when accessing HTTPS websites.

References:

FortiOS 7.4.1 Administration Guide: SSL/SSH Inspection Configuration

Both interfaces must have directly connected routes on the routing table

In NAT mode, each interface must have a corresponding entry in the routing table, typically as a directly connected route, to route traffic between them effectively.

Both interfaces must have IP addresses assigned

In NAT mode, each interface must have an IP address to participate in routing and NAT operations. The IP addresses allow the FortiGate to forward traffic between different network segments.

Advanced mode allows for configuration as an LDAP client and supports group filtering directly on the FortiGate, as well as nested or inherited groups.

When a firewall policy is created in FortiGate integrated with FortiAnalyzer and FortiManager, a Universally Unique Identifier (UUID) is added to the policy to support logging and management​.

The SSL VPN http-request-header-timeout timer is used to mitigate denial of service (DoS) attacks by limiting the amount of time the FortiGate waits for the client to send an HTTP request header after a connection is established. This helps reduce the attack surface by preventing potential attacks that exploit prolonged connection times without fully completing requests.