MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Moey posted:

Anyone here working with Fortinet firewalls? What are your opinions on them?

Looking to replace a half dozen SRX240H2 firewalls. My kneejerk reaction was just 2x SRX1500 clustered at each site, but at a similar price point, the FortiGate 500E seems to exceed the performance and are pretty highly reviewed.

I really like Fortigates but I've never worked with Juniper devices, so not sure how they compare. The downside to Fortigate (and a lot of products) is that support can be difficult to work with, but otherwise they are pretty drat solid products.

Management is relatively easy, a lot of things Just Work, the interface is pretty drat user friendly and the CLI 95% of the time makes sense once you understand their structure.

Do you have any specific questions?

Thanks Ants
May 21, 2004

#essereFerrari


I've no issues with them, though I only have two. The stuff that is meant to work seems to work fine, though the documentation can lag behind the releases a bit. Shouldn't be an issue if you're not running the latest builds all the time though.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
No specific questions, just curious if anyone felt they were flaming piles of poo poo.

Pretty basic use case for us, NAT for our WAN and some public facing stuff we host, handful of security zones with rules to/from, some IPSEC VPN stuff. Nothing revolutionary.

I love the Junos CLI, but their UTM features are lagging behind from what I have read, so I am now considering if that is something I want my firewalls doing as well.

Currently just doing some budget work, so I have a while until I have to make any decisions. I should have enough in there to cover most options that come up at the end of this.

Thanks Ants
May 21, 2004

#essereFerrari


The CLI can be a bit annoying in terms of syntax, though I would assume that improves with experience. One thing to be aware of is that they have a bit of a poo poo attitude to their APIs and who can get documentation, so if you're looking to do automation and want to roll your own tools then there may be better options.

Proteus Jones
Feb 28, 2013



Being edge devices with multiple security zones (vdoms in FortiOS world) and IPSEC endpoints is pretty much their bread and butter.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
I would consider fortigate or palo alto before ever considering another device

Methanar
Sep 26, 2013

by the sex ghost
If for some reason I actually need a hardware firewall, fortigate >>>>>>> ASA

They're also extremely good for doing dialin VPNs, I'd choose fortigate way before I'd ever consider doing it myself with strongswan. Especially if you're looking to tie it in with AD and MFA

Kazinsal
Dec 13, 2011



Coincidentally, I work in the same office park that Fortinet's Canadian HQ is in. I have considered walking across the street whenever I have issues with FortiClient (which is, to be on topic, every time I have to VPN into something with loving FortiClient) to voice my displeasure.

Nuclearmonkee
Jun 10, 2009


GreenNight posted:

So uh, what's the hottest a Cisco switch can be before failure? Getting some alerts from Solarwinds that a switch hit 120F in one of our manufacturing facilities.

A mere 120F? That baby'll be fine.


:thunk::thunk::thunk:

This stupid loving thing sits inside an unventilated metal box in direct sun near a substation out at a plant and has operated like this for several years. Peaks around 160F-ish in August usually. Most access switches will survive way beyond their recommended env ranges, and if it's an industrial facility they should have a spare on site anyways. I try to get the plants to install IDFs that are slightly less hostile than this or spring for an IE, but really they'll be fine even if they don't most of the time.

I don't even have it alert me at all for temp anymore because what's the point.

Had a 3650 that somebody stuck inside a wall behind some insulation a couple years back because the guys redoing the room didn't care or know what that thing stuck to the old wall was. It sat in the 140s pretty much always. Plant never bothered to relocate it until someone needed to add some drops in the area.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

That’s very good to know. We have spare switches but eh, I’d rather not be replacing them if I don’t have to.

BaseballPCHiker
Jan 16, 2006

I've also got a 3560 that sits outside in a metal box baking through the summer. It finally went down last week; when I investigated, it wasn't the heat that shut it off. It was now apparently home to an ant colony...

I used an air compressor and blew a bunch of air through it and it's been fine since.

Tetramin
Apr 1, 2006

I'ma buck you up.
Big CUCM conversion coming up, I'll be on site all week deploying 120 phones, a paging system, speakers, etc. These people are extremely used to their current system, and had a bad experience with the conversion to our corporate CMS, so they're understandably nervous.

Finished up setting poo poo up to clone the functionality they currently have today, but I wonder how hard the transition will be for them since poo poo is gonna be different.

Also, on a call this week we told them we were going to need some hands to help deploy phones because we fly in at noon, the DID port will take place at 5, and we don't know where anybody sits. This was met with a long silence... I'll probably be getting a 20k in running around the building and will be lucky to get to bed by 2am on the first day.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
Been there done that. Assume they know nothing and will not be helpful at all. Nobody will have a seating chart or even any idea of who the people working there are.

Tetramin
Apr 1, 2006

I'ma buck you up.

Bigass Moth posted:

Been there done that. Assume they know nothing and will not be helpful at all. Nobody will have a seating chart or even any idea of who the people working there are.

Lol, yeah I've done a few of these conversions before but nothing this big. The other locations generally had an administrator who was crazy helpful, but this one is shaping up to be a nightmare.

Pile Of Garbage
May 28, 2007



I've been working with a team recently who have been doing a similar thing for state government departments at sites all over the state. They said IP telephony was the biggest pain in the rear end and would tie up techs for entire days doing just one site. My involvement is network automation with Ansible to do LAN cutover but this telephony stuff seems like just a literal slog.

Thanks Ants
May 21, 2004

#essereFerrari


Anything that touches end users is always difficult because there’s so many unknown variables that come up

Partycat
Oct 25, 2004

You can save yourself some of the headache by marketing it right I guess

Standardize on your button templates, layouts, functionality, and how you'll deploy it.

Then just deploy it that way and don't take customization requests until/if you have the cycles for it later.

The old PBX and key systems either didn't do much customization, or you planned them with planning binders and deployed it and washed your hands of it. Making each set different, deploying weird intra and inter departmental dialing rules and masking, etc eats up a poo poo load of time. Once you offer that to your customers they won't like having it peeled back which is what we're doing now to keep the system manageable. We let people ask individually on a whim to add BLFs, lines, create a hunt for this, these three people need an intercom etc.

85%+ of the users are good with their DN, some speed dials, maybe a departmental line if they need some sort of thing and other coverage doesn't work. This also keeps you out of the hole of having to replicate that when/if you move to a new system, or application-centric telephony.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
Less is more. I don’t even mention features unless they’re specifically asked about. Too much bad experience with idiot managers getting hung up on stuff like speed dials, self care portal and background images. Wastes so much time going back and forth changing things forever.

Pile Of Garbage
May 28, 2007



Still, probably easier than having to support 2950 switches in TYOOL 2019 :cripes:

Thanks Ants
May 21, 2004

#essereFerrari


Bigass Moth posted:

Less is more. I don’t even mention features unless they’re specifically asked about. Too much bad experience with idiot managers getting hung up on stuff like speed dials, self care portal and background images. Wastes so much time going back and forth changing things forever.

Yeah there’s definitely value in just denying features exist to guide people towards the most supportable deployment

Tetramin
Apr 1, 2006

I'ma buck you up.

Partycat posted:

You can save yourself some of the headache by marketing it right I guess

Standardize on your button templates, layouts, functionality, and how you'll deploy it.

Then just deploy it that way and don't take customization requests until/if you have the cycles for it later.

The old PBX and key systems either didn't do much customization, or you planned them with planning binders and deployed it and washed your hands of it. Making each set different, deploying weird intra and inter departmental dialing rules and masking, etc eats up a poo poo load of time. Once you offer that to your customers they won't like having it peeled back which is what we're doing now to keep the system manageable. We let people ask individually on a whim to add BLFs, lines, create a hunt for this, these three people need an intercom etc.

85%+ of the users are good with their DN, some speed dials, maybe a departmental line if they need some sort of thing and other coverage doesn't work. This also keeps you out of the hole of having to replicate that when/if you move to a new system, or application-centric telephony.

Yes this is the goal for this one, but we are trying to keep the features they use a lot on their PRI. They're already set up very differently from our standard because we were compelled to give them a bit of the sweetheart treatment. They'll adapt to anything else that's different.

One of our locations we allowed them to request 3-digit dials for people they call often; 200+ translation patterns later, that is something we now absolutely shut down, and we show them how to save contacts in Jabber.

This particular site has two different names they operate under, so we had to give them the ability to dial out as one or the other, and the ability to know which line the caller dialed so they can say "you've reached company x/y", and gave them separate VM boxes for each "company" because apparently customers get confused when they call and it's a totally different company name. That's about all we want to do for custom features.

If we had our pending UCCX deployed that would make some of that stuff way easier, but even when we do, it’s going to be hard to convince management to pay the licensing for more than the one acquisition that needs it.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Not necessarily network related but close. In GCP I can get 16Gbps on a single flow iperf3 test intra-region but up to 3Gbps on inter-region single flow. On parallel flows I can do 16Gbps/5Gbps.

Besides modifying the send and receive buffers is there any other tuning I should look at to get a single flow up to 5Gbps?

Edit: linux servers

Edit2: nevermind I found the kernel setting to do this

Sepist fucked around with this message at 18:11 on Aug 1, 2019

ior
Nov 21, 2003

What's a fuckass?

Sepist posted:

Not necessarily network related but close. In GCP I can get 16Gbps on a single flow iperf3 test intra-region but up to 3Gbps on inter-region single flow. On parallel flows I can do 16Gbps/5Gbps.

Besides modifying the send and receive buffers is there any other tuning I should look at to get a single flow up to 5Gbps?

Edit: linux servers

Edit2: nevermind I found the kernel setting to do this

Please enlighten us!

tortilla_chip
Jun 13, 2007

k-partite
http://fasterdata.es.net/host-tuning/linux/

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

They're missing one: net.core.netdev_max_backlog=300000

I was getting 3.7Gbps max with it set to the default of 10k, but I got up to about 6.7Gbps when I kicked it up to 300k

Check out this white paper on 10G optimizations: https://www.kernel.org/doc/ols/2009/ols2009-pages-169-184.pdf

Edit: I would also suggest doing your own research before blindly deploying this. Most of our traffic is big data so it makes sense, but real-time latency sensitive infrastructure shouldn't be utilizing deep buffers

Sepist fucked around with this message at 14:47 on Aug 2, 2019
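An added example, not from the thread or from the fasterdata page, that turns the buffer and backlog advice above into a check a host can be audited against before anything is changed. It parses `sysctl -a` style text (the sample below is constructed, with `net.core.netdev_max_backlog` at the 10k value mentioned above), computes the bandwidth-delay product for a target single-flow rate and round-trip time (the 5 Gbps at 60 ms pair is an assumption), and reports buffers too small to hold it. On a host flagged as latency sensitive it deliberately makes no backlog recommendation, which is the caveat in the edit.

```python
"""Audit Linux TCP buffer and backlog sysctls against a single-flow throughput
target before changing them. Sysctl text is parsed from a string so the
check runs offline; the sample values below are constructed."""
import re

# Reported above: raising netdev_max_backlog from 10k to 300k lifted a single
# inter-region flow from ~3.7 Gbps to ~6.7 Gbps on a bulk-transfer host.
BACKLOG_BULK_TARGET = 300000


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a`; values are kept as strings
    because some keys (tcp_rmem, tcp_wmem) hold three space-separated numbers."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def bdp_bytes(gbps, rtt_ms):
    """Bandwidth-delay product: bytes a single TCP flow must keep in flight to fill
    the path. Any send or receive window smaller than this caps the flow below gbps."""
    return int(gbps * 1e9 / 8 * rtt_ms / 1000)


def audit(sysctl_text, target_gbps, rtt_ms, latency_sensitive=False):
    """Return a list of findings (key, current value, why) for settings that would keep
    one flow below target_gbps. A deep backlog is only suggested for bulk-transfer hosts."""
    cur = parse_sysctl(sysctl_text)
    need = bdp_bytes(target_gbps, rtt_ms)
    findings = []

    # Socket buffer ceilings: the kernel autotunes up to these, never past them.
    for key in ("net.core.rmem_max", "net.core.wmem_max"):
        have = int(cur.get(key, "0"))
        if have < need:
            findings.append((key, have, f"below BDP of {need} bytes"))

    # Per-socket autotuning range "min default max": the max is what matters here.
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        have = int(cur.get(key, "0 0 0").split()[-1])
        if have < need:
            findings.append((key, have, f"autotune max below BDP of {need} bytes"))

    backlog = int(cur.get("net.core.netdev_max_backlog", "0"))
    if latency_sensitive:
        # A deep driver backlog adds queueing delay; leave it alone on these hosts.
        pass
    elif backlog < BACKLOG_BULK_TARGET:
        findings.append(("net.core.netdev_max_backlog", backlog,
                         f"bulk-transfer host; {BACKLOG_BULK_TARGET} reported to help"))
    return findings


# Constructed sample in `sysctl -a` layout, with the 10k backlog mentioned above.
SAMPLE_SYSCTL = """\
net.core.rmem_max = 212992
net.core.wmem_max = 212992
net.core.netdev_max_backlog = 10000
net.ipv4.tcp_rmem = 4096 131072 6291456
net.ipv4.tcp_wmem = 4096 16384 4194304
"""

if __name__ == "__main__":
    # Assumed target: one 5 Gbps flow across a 60 ms inter-region path.
    for key, have, why in audit(SAMPLE_SYSCTL, target_gbps=5, rtt_ms=60):
        print(f"{key}: {have} ({why})")
```

Run it with the real `sysctl -a` output piped into `audit()` and the RTT from a ping between the two regions; each finding names a ceiling that would stop one flow short of the target, and the backlog line only appears when the host is not marked latency sensitive.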

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Does anyone have pfsense deployed as a serious enterprise perimeter firewall solution? I'm doing a compare and contrast to our existing Palo Altos and pfsense seems to come up short in a lot of places, but people swear by them.

Thanks Ants
May 21, 2004

#essereFerrari


Are the people who swear by them also the people who post on Spiceworks and tell you to use Ubiquiti for everything?

I have a few of the appliances deployed and they're better than anything else that exists at their price points, but they only got route-based VPN within the last year and the support is nowhere near what someone like Palo Alto, Fortinet etc. are able to offer in terms of coverage for hardware replacement. I think they're great boxes for the market they're designed for, but in my experience the people the most vocal about them are also the people who think £1000 a year in support for a firewall is an unreasonable amount of cash. You're going to find a ton of features missing compared to a Palo Alto box, but I'd take one all day over an ASA because I hate ASAs.

The TNSR stuff looks really interesting but that's not trying to be a security device.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Thanks. There's actually no pfsense on the GCP Marketplace anyway so that's a non-starter. Makes my analysis pretty simple.

Thanks Ants
May 21, 2004

#essereFerrari


I'd keep an eye on https://www.tnsr.com/ngfw which is available in AWS currently but will make it to Azure and Google Cloud eventually; pfSense is unlikely to be an option at the sorts of scale you're going to want.

Docjowles
Apr 9, 2009

Sepist posted:

Does anyone have pfsense deployed as a serious enterprise perimeter firewall solution? I'm doing a compare and contrast to our existing Palo Altos and pfsense seems to come up short in a lot of places, but people swear by them.

Having done this myself, I would be happy to swear AT them any time, but cannot swear by them. pfSense is actually super impressive for a free, open source thing. It has a shitload of features and mostly works well. But if you start pushing the boundaries of normal small-business use or run into a weird issue, you're quickly into the land of 10 year old forum threads or Reddit posts with no replies. It's not a viable replacement for Palo Alto or something.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Yeah pfsense is fine if you want something at home and don't mind tinkering; heck maybe even in a small business, but I'd still be hesitant due to lack of proper support, I'd rather roll a sonicwall.

Anything bigger and you definitely want to stick with the major players.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
Yeah we all just came to that conclusion, but now I need to compare Fortinet as well. I don't think we're gonna change because the campus firewalls are Palo with Panorama and diversifying would be annoying, but Fortinet is half the price. Doubt saving 10k a year is worth it when our monthly cloud spend is over a million.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Sepist posted:

Yeah we all just came to that conclusion, but now I need to compare Fortinet as well. I don't think we're gonna change because the campus firewalls are Palo with Panorama and diversifying would be annoying, but Fortinet is half the price. Doubt saving 10k a year is worth it when our monthly cloud spend is over a million.

Fortinets are on par with Palo Alto, but switching is gonna be a pain because you'll have to learn totally new systems.

Also, I'm surprised the Fortinets that are comparable to your Palo Altos are half the price; I thought they were closer in price than that. What Palos do you have and what Fortinets are you looking at to replace them with?

Thanks Ants
May 21, 2004

#essereFerrari


Presumably the Palo price will come down if they hear that you're considering saving 50% and moving to Fortigates?

Kazinsal
Dec 13, 2011



A coworker of mine has a password so long it breaks the TACACS+ process on IOS-XE 16.6.1. Instead of sending "authentication continue" with his password, it sends another "authentication start". Only the one switch in our environment still on 16.6 hits this.

Absolutely magical.

Nuclearmonkee
Jun 10, 2009


Kazinsal posted:

A coworker of mine has a password so long it breaks the TACACS+ process on IOS-XE 16.6.1. Instead of sending "authentication continue" with his password, it sends another "authentication start". Only the one switch in our environment still on 16.6 hits this.

Absolutely magical.

lmao out of curiosity how many characters does it take to break it?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
XE 16.whatever's bugs are incredibly hilarious. I'm on the bug email list for the issues reported and there are multiple per week, and hilarious show-stoppers very frequently. Definitely recommend signing up.

Kazinsal
Dec 13, 2011



Nuclearmonkee posted:

lmao out of curiosity how many characters does it take to break it?

Looks like somewhere around 32. My password at around 20-ish is fine, one coworker's at 28 is fine, this coworker's is around 40 and breaks it.

Literally every other XE and traditional IOS box we have? No issues. ASAs and FTDs? No issues.
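An added example (not Kazinsal's code, and not Cisco's) showing what that failure looks like on the wire and how a TACACS+ server-side check could catch it. It decodes RFC 8907 authentication START and CONTINUE packets and flags a user/port that sends a second START while its first exchange is still waiting for the password; the decoded CONTINUE also exposes the password length, which answers the "how many characters" question directly from a capture. Sample packets are constructed with the unencrypted flag set so the bodies can be read without the shared secret, and the assumption that the restarted exchange arrives with a fresh session id is mine.

```python
"""Decode TACACS+ (RFC 8907) authentication packets and flag a client that
re-sends an authentication START where a CONTINUE (the password) was expected.
Sample packets are constructed here with the unencrypted flag set so the bodies
can be read without the shared secret."""
import struct

TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def build_authen_start(session_id, user, port="tty1", rem_addr="10.0.0.5"):
    """Client -> server first packet (seq 1): ASCII login, privilege level 1, no data."""
    body = struct.pack("!8B", 0x01, 0x01, 0x01, 0x01,
                       len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    return HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG,
                       session_id, len(body)) + body


def build_authen_continue(session_id, password):
    """Client -> server third packet (seq 3) carrying the password as user_msg."""
    body = struct.pack("!HHB", len(password), 0, 0) + password.encode()
    return HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 3, TAC_PLUS_UNENCRYPTED_FLAG,
                       session_id, len(body)) + body


def decode(packet):
    """Describe one packet. Odd seq_no packets come from the client: seq 1 is a START
    and later odd seq numbers are CONTINUEs; even seq numbers are server REPLYs."""
    _version, ptype, seq, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("only unencrypted authentication packets are decoded here")
    if seq % 2 == 0:
        return {"session": session_id, "seq": seq, "kind": "REPLY"}
    if seq == 1:
        _action, _priv, _atype, _service, ulen, plen, _rlen, _dlen = struct.unpack_from("!8B", body)
        off = 8
        user = body[off:off + ulen].decode()
        off += ulen
        port = body[off:off + plen].decode()
        return {"session": session_id, "seq": seq, "kind": "START", "user": user, "port": port}
    msg_len, _data_len, _cflags = struct.unpack_from("!HHB", body)
    # user_msg is the password on a CONTINUE, so its length is the password length.
    return {"session": session_id, "seq": seq, "kind": "CONTINUE", "user_msg_len": msg_len}


def find_repeated_starts(packets):
    """Flag (user, port) pairs that send a new START while an earlier START on the same
    user/port is still waiting for its CONTINUE: the client restarted authentication
    instead of sending the password."""
    pending = {}   # (user, port) -> session id awaiting CONTINUE
    findings = []
    for raw in packets:
        p = decode(raw)
        if p["kind"] == "START":
            key = (p["user"], p["port"])
            if key in pending:
                findings.append({"user": p["user"], "port": p["port"],
                                 "first_session": pending[key], "second_session": p["session"]})
            pending[key] = p["session"]
        elif p["kind"] == "CONTINUE":
            for key, sid in list(pending.items()):
                if sid == p["session"]:
                    del pending[key]
    return findings


# Constructed traffic: alice completes normally; bob's client restarts instead of continuing.
SAMPLE = [
    build_authen_start(0x1001, "alice"),
    build_authen_continue(0x1001, "correct horse battery staple"),  # 28 characters, fine
    build_authen_start(0x1002, "bob"),
    build_authen_start(0x1003, "bob"),   # second START, no CONTINUE in between
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(decode(raw))
    print(find_repeated_starts(SAMPLE))
```

Fed real packets (after de-obfuscating the body with the shared secret, which this example skips), the same check separates a client that never sends its password from ordinary failed logins, which do send a CONTINUE and then get a FAIL reply.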

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

Thanks Ants posted:

Presumably the Palo price will come down if they hear that you're considering saving 50% and moving to Fortigates?

These aren't BYOL AMIs. We could try and get the BYOLs at a lower price but the VAR won't give a poo poo which vendor we go with.

Tetramin
Apr 1, 2006

I'ma buck you up.
Ancient Chinese proverb: Using Cisco, password cisco
