Monthly Archives: December 2015

Fortigate Login Banner

Login banners are a great way of explicitly asking users whether they are authorized to log in, showing your legal terms, or just leaving a message for users when they log in, such as ‘don’t forget to back up the configuration’.

In Fortigate, login banners are very easy to write and enable. Only a few options need to be changed.

The banner can be modified by going to System – Config – Replacement Messages. Select the extended view at the top right, and you will see both the pre-login and post-login banners. The pre-login banner is shown before you log in; the post-login banner is shown after. The two messages can differ. After you modify a message, remember to save it.

replace

Switch to extended:

extended-view

Editing banner:

shall-not-pass


Now we need to enable the banner so that it is shown in the CLI as well. To do this, modify the global settings.

cli

Now the banner will prompt.

If the pre-login banner is enabled, the banner is shown as soon as you open the login page, before you are even prompted to log in. The post-login banner is shown after login. This is what the banner looks like:

banner-show
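The same two steps can be done from the CLI instead of the GUI. The following is an added example, not taken from the original post: it enables both banners under the global settings and sets the banner text under the admin replacement-message group. The banner text is constructed for this example, and the replacement-message entry names (pre_admin-disclaimer-text and post_admin-disclaimer-text) are assumed to match the extended-view entries the post edits in the GUI.

```text
# Enable the banners in the global settings (shown in both GUI and CLI logins).
config system global
    set pre-login-banner enable
    set post-login-banner enable
end

# Text shown before the credentials prompt. Entry name assumed; text constructed.
config system replacemsg admin pre_admin-disclaimer-text
    set buffer "Authorized access only. All sessions on this device are logged."
end

# Text shown after a successful login. Entry name assumed; text constructed.
config system replacemsg admin post_admin-disclaimer-text
    set buffer "Remember to back up the configuration after making changes."
end
```

After applying this, open a new SSH session: the pre-login text should appear before the password prompt, and the post-login text right after a successful login, matching the screenshot above.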

Fortigate FSSO and LDAP source IP

I was presented with a scenario the other day where we had two sites connected with a Site-to-Site VPN. The VPN was up and working great, but FSSO and LDAP would not connect to servers on the other side of the VPN for lookups.

This made sense because I knew the Fortigate was using its outside (public) IP for lookups, and obviously that was not in my Phase 2 subnets to encrypt. So how can I change this?

Note: these steps change the source IP that the FGT uses to query LDAP or FSSO.

Both objects (FSSO and LDAP) have a CLI option to change the source IP address. See below.

LDAP Source IP change

First log in through the CLI and edit the object, then set the source IP. Once you end the edit session, the change is applied.

show ldap

Now set the source IP address of the connection:

Set Source IP

Once you enter this and leave the edit session with the keyword ‘end’, the setting is committed.

Before moving on to the FSSO settings, here is a list of the options available:

options


FSSO Source IP change

In the CLI, edit the FSSO object with the commands below, modify the source IP as shown, and end the session to commit the change.

FSSO-show


fsso-source-ip

Once you enter this and leave the edit session with the keyword ‘end’, the setting is committed.

That should be it! You have changed the source IP to an address inside the encryption domain, so the FGT should now reach the remote side and be able to do lookups.
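The two edits from the LDAP and FSSO sections above, written out as one complete CLI session, plus the checks that confirm the lookups now traverse the tunnel. This is an added example, not the post's own screenshots: the object names (DC01-LDAP, DC01-FSSO), the addresses and the Phase 2 selectors are all constructed. The source IP must be an address on one of the FGT's own interfaces (here the LAN interface) that falls inside the local Phase 2 selector, otherwise the traffic is still sent unencrypted from the public IP.

```text
# Constructed lab values for this example:
#   local LAN interface IP      10.10.0.1      (inside local selector 10.10.0.0/24)
#   remote domain controller    10.20.0.10     (inside remote selector 10.20.0.0/24)

# LDAP object: make the FGT source its LDAP queries from the LAN interface IP.
config user ldap
    edit "DC01-LDAP"
        set source-ip 10.10.0.1
    next
end

# FSSO agent object: same change for the collector-agent connection.
config user fsso
    edit "DC01-FSSO"
        set source-ip 10.10.0.1
    next
end

# Confirm the settings were committed.
show user ldap DC01-LDAP
show user fsso DC01-FSSO

# Check that traffic sourced from the new IP actually reaches the remote server
# through the tunnel (the same path the LDAP/FSSO queries will now take).
execute ping-options source 10.10.0.1
execute ping 10.20.0.10

# Verify the FSSO collector agent is reporting as connected.
diagnose debug authd fsso server-status
```

If the ping from the new source address fails while a ping from the remote LAN works, check that 10.10.0.1 is covered by the Phase 2 local selector and that a policy allows the FGT's own traffic into the tunnel before revisiting the LDAP or FSSO objects.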

For reference, below are all the options available under the FSSO object.

fsso-show-options