|
Also: lol what are Cisco doing trying to put Catalyst on all their products? First the wireless stuff became Catalyst, and now they have "Edge Appliances" as well.
|
# ? Dec 10, 2020 22:32 |
|
|
They explained that in the CCCP, at least why it's not a router anymore. All you need to know is it will probably work mostly okay before it goes EOL in 4-5 years.
|
# ? Dec 10, 2020 22:37 |
|
What is anything catalyst anymore, CatOS was dead in the early 2000s. 'set' commands and ISL vlans 4 lyfe
|
# ? Dec 11, 2020 00:08 |
|
Bob Morales posted:
Active/passive

Basically, this:

Thanks Ants posted:
As above, there should be HA links so the firewalls can talk to each other

The port mirror appears to be set up to mirror the ports from each fortigate, which I have no clue why you would do that, and I feel like it will cause something to blow up at some point, probably during failover. Since you don't have multiple LAN ports those ports should just be individual interfaces (don't mirror, don't port channel); if you have multiple interfaces from each fortigate you would port-channel those together (i.e. if ports 4 and 5 from Fortigate 1 ran to switch 1 port 2 and switch 2 port 2 you would put them in a port-channel).
|
# ? Dec 11, 2020 01:31 |
|
The mirror port being on the switch in the core that our SAN is connected to might be part of why backups ran slow when we use our cloud repository :facepalm:
|
# ? Dec 11, 2020 03:29 |
|
Also I don't know if we've ever done a failover test since I've been here. Not sure if taking a fortigate out will end catastrophically or not.
|
# ? Dec 11, 2020 03:30 |
|
I talked to my IT manager a little more today, I asked him if the router was dusty and he said "you know, it has been more reliable now that it's winter" so I suspect a can of compressed air might be in my future. I also jokingly told him that with residential gateways the standard fix was to FR and reconfigure, and I suspect backing up, reformatting and reconfiguring the router might also be in my future. It's not running the latest firmware because in the past a firmware upgrade bricked the first RV325, and Cisco was kind enough to replace it.
|
# ? Dec 11, 2020 04:37 |
|
Bob Morales posted:
The mirror port being on the switch in the core that our SAN is connected to might be part of why backups ran slow when we use our cloud repository :facepalm:

I just had a thought about the mirrored port. I wonder if the switch is in L3 mode and someone doesn't know how to set up a failover route, so instead of using brain they just set up a default route to the one fortigate and have the mirrored port to the other in the event of failover; sounds dumb enough that someone has done it. Also uhh if the traffic is loving up your backups then you're hosed if there is a failover anyway, maybe.
|
# ? Dec 11, 2020 11:14 |
|
MF_James posted:
I just had a thought about the mirrored port.

Yea I figured the mirrored port was some hillbilly failover they read about on some website. Last week's backup speeds to the cloud:
|
# ? Dec 11, 2020 13:46 |
|
Last night:
|
# ? Dec 11, 2020 13:47 |
|
gently caress sonicwall and their site to site vpn. Just ran into a weird issue where specific traffic was not going through a tunnel set up as site to site; for whatever reason their auto-generated rules aren't working so I have to create specific rules for traffic to pass, but even then some traffic just doesn't pass. My guess is that it's because we're connecting 2 different devices with different firmware together, but as a temporary fix I just create a "Tunnel Interface" instead of a site to site.
|
# ? Dec 14, 2020 20:29 |
|
MF_James posted:
gently caress sonicwall

Yes
|
# ? Dec 14, 2020 20:40 |
|
MF_James posted:
gently caress sonicwall and their site to site vpn.

If it still exists, don't forget to go to the hidden "/diag.html" and check some boxes, which back in the day was the only way to get some vpn tunnels to work right.
|
# ? Dec 14, 2020 21:40 |
|
There are so many loving bugs in every Sonicwall release, and the worst part is that their weird binary config format means that you can break a box to the point that you have to default it and start again to get it stable.
|
# ? Dec 14, 2020 21:54 |
I’d rather work on literally anything other than a SonicWall. I’d rather be stuck in some kinda hosed up purgatory where I just deployed FirePower over and over to the unholy shrieks of a never ending stream of clients than have to touch one ever again. They’re the worst.
|
|
# ? Dec 15, 2020 04:22 |
|
What's the firewall vendor whose boxes are bright red, and the only way to admin it was a Windows native application that opens multiple windows? This info is at least 10 years old. I want to say maybe even the word 'fire' was in the vendor or product name. That was the only thing worse imo.
|
# ? Dec 15, 2020 13:56 |
|
Watchguard, you still admin them through some awful Windows app. Barracuda tried to sell me on their 'brand new' range of boxes and the demo started with a Windows app to manage them, nope nope nope.
|
# ? Dec 15, 2020 14:17 |
|
Thanks Ants posted:
Watchguard, you still admin them through some awful windows app.

They aren't using BARRACUDA CLOUD CONTROL?
|
# ? Dec 15, 2020 14:22 |
|
Thanks Ants posted:
Watchguard, you still admin them through some awful windows app.

As bad as Watchguard is I think I'd actually prefer it to Sonicwall. Sonicwall just seems to get you 80% of the way there before it fucks you over. At least with Watchguard the config will bomb out early or refuse to load at the beginning.
|
# ? Dec 15, 2020 14:42 |
|
I'm not a firewall guy and generally don't like being involved in security, but the only firewall I don't remember hating was Netscreen, pre Junos purchase. Fortigate obviously keep that Web UI going similarly, and also with similar terribleness, like having to go to CLI to enable IPv6 so it shows up in the web UI. Netscreen's CLI was nicer than Fortigate's though, iirc. This whole pseudo tabbed nested thing with next is bullshit. But at least you can get a text config backup, which IMO is key to any of this poo poo.
|
# ? Dec 15, 2020 14:58 |
|
falz posted:
Im not a firewall guy and generally don't like being involved in security, but the only firewall I don't remember hating was Netscreen, pre Junos purchase. Fortigate obviously keep that Web UI going similarly, and also with similar terribleness, like have to go to CLI to enable IPV6 so it shows up in the web ui.

Fortigate is making strides to putting the UI at feature parity with the CLI. Honestly Fortigates are probably my favorite firewall. I've never used Palo Altos tho. Watchguard is terrible, their webUI is poo poo and the app is equally poo poo.
|
# ? Dec 15, 2020 20:40 |
|
Most firewalls are just pretty front-ends for pf/iptables right? Have any of those companies invented their own poo poo, or are they just all slapping linux/bsd on a whiteboxed system?
|
# ? Dec 15, 2020 21:08 |
Thanks Ants posted:
Also: lol what are Cisco doing trying to put Catalyst on all their products? First the wireless stuff became Catalyst, and now they have "Edge Appliances" as well.

They want to sell their DNA center thing really hard and from what the cisco guy told me, as part of that they started pushing hard internally to unify things to make it feasible. They want to sell NX-OS switches and ACI for the datacenter and catalyst everything hooked into DNA center for distribution/edge. I am not complaining about AireOS going away.
|
|
# ? Dec 15, 2020 21:16 |
MF_James posted:
Fortigate is making strides to putting the UI at feature parity with the CLI.

Fortigate and Palo Altos are both good imo. As long as it's not another loving ASA really I'm happy.
|
|
# ? Dec 15, 2020 21:18 |
|
Nuclearmonkee posted:
Fortigate and Palo Altos are both good imo. As long as it's not another loving ASA really I'm happy.

Agreed
|
# ? Dec 15, 2020 21:53 |
FortiGates and Palos are all I'd recommend anymore, know some people who love CheckPoint though.
|
|
# ? Dec 15, 2020 21:57 |
|
i am a moron posted:
FortiGate's and Palos are all I'd recommend anymore, know some people who love CheckPoint though.

We just threw out all the checkpoints for fortigates. They were price gouging us *really* bad. In other news, we made our resellers gift us a couple of Extreme Campus Appliances after they suddenly went end of sale on the whole identifi line, so I got some nice shiny wifi6 AX WAPs now. I took one and set the channel width on 80 because it was a very low density area and decided to do a little speed test. They're screaming.
|
# ? Dec 15, 2020 22:21 |
|
You can push those sorts of numbers on 802.11ac with decent APs and clients, my understanding of the main benefits of AX is when density becomes a factor.
|
# ? Dec 15, 2020 23:27 |
|
Yeah, if I set an Extreme 3965 to 80bw, it'll get there on AC if the client has 4 mimo's. Once I have more endpoints on the new controllers, I'm probably going to pop a 10g on the backhaul link. That's a lotta GBs flying around. (My WLANs all bridge at controller)
|
# ? Dec 15, 2020 23:35 |
|
Bob Morales posted:
Most firewalls are just pretty front-ends for pf/iptables right? Have any of those companies invented their own poo poo, or are they just all slapping linux/bsd on a whiteboxed system?

Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that both pf/iptables only do ip/port, whilst a modern NGFW does everything from appcontrol, ips, dns security, sd-wan, sandboxing etc.
|
# ? Dec 16, 2020 19:52 |
|
ior posted:
Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that both pf/iptables only do ip/port. Whilst a modern NGFW does everything from appcontrol, ips dns security, sd-wan, sandboxing etc.

This. Say you have a rule to recognize RDP traffic inbound on 3389; the ip/port firewall will recognize it because of ip/port. If you change that to 33389, an ip/port FW won't recognize that as actual RDP traffic. A next gen firewall will, because it's ripping all the packets apart and looking for certain applications. I always preferred the term application aware on this new stuff.
|
# ? Dec 16, 2020 20:04 |
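The port-only versus application-aware distinction from the post above, as an added example that is not from the thread or any vendor: the same RDP connection request is classified by destination port alone and then by its payload signature (a TPKT header wrapping an X.224 Connection Request, per MS-RDPBCGR). The sample flows are constructed here, not captured.

```python
# Added example: port-based vs. application-aware flow classification.
# Flows are constructed (dst_port, first client payload bytes), not real captures.

RDP_PORT = 3389

def rdp_connection_request(cookie: bytes) -> bytes:
    """Build an RDP connection request: TPKT header + X.224 CR TPDU + cookie."""
    body = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie   # CR code/CDT, DST-REF, SRC-REF, class
    x224 = bytes([len(body)]) + body                # length indicator prefixes the TPDU
    tpkt = b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big")
    return tpkt + x224

HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RDP_HELLO = rdp_connection_request(b"Cookie: mstshash=alice\r\n")

SAMPLE_FLOWS = [
    (3389, RDP_HELLO),    # RDP on its standard port
    (33389, RDP_HELLO),   # the same RDP handshake moved to a non-standard port
    (3389, HTTP_GET),     # HTTP dressed up on the RDP port
    (80, HTTP_GET),       # HTTP on its usual port
]

def classify_by_port(dst_port: int, payload: bytes) -> str:
    """What a pure ip/port rule sees: the port number and nothing else."""
    return {RDP_PORT: "rdp", 80: "http"}.get(dst_port, "unknown")

def looks_like_rdp(payload: bytes) -> bool:
    """TPKT version 3, reserved 0, length matching the payload, X.224 CR code 0xE0."""
    if len(payload) < 7 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    return tpkt_len == len(payload) and (payload[5] & 0xF0) == 0xE0

def looks_like_http(payload: bytes) -> bool:
    return payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT"}

def classify_by_content(dst_port: int, payload: bytes) -> str:
    """What an application-aware firewall does: ignore the port, inspect the bytes."""
    if looks_like_rdp(payload):
        return "rdp"
    if looks_like_http(payload):
        return "http"
    return "unknown"

def compare(flows):
    """Return (port_verdict, content_verdict) for each flow."""
    return [(classify_by_port(p, d), classify_by_content(p, d)) for p, d in flows]
```

Running `compare(SAMPLE_FLOWS)` shows the two disagreements the post describes: RDP on 33389 is invisible to the port rule, and HTTP on 3389 is misfiled as RDP by it.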
|
ior posted:
Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that both pf/iptables only do ip/port. Whilst a modern NGFW does everything from appcontrol, ips dns security, sd-wan, sandboxing etc.

I realize that, but I guess I thought the base rules were still comparable to something like pfsense and all the IPS stuff was their own engine. So they're all using their own tech for that?
|
# ? Dec 16, 2020 21:12 |
|
Yes, and most use custom ASIC hardware to do it very very fast even in the smallest appliances. I've been using Fortigate since 3.x and really wish I'd bought shares back then hah.
|
# ? Dec 16, 2020 23:09 |
|
the only firewall i tolerate is an srx, otherwise i set the rules to outbound nat and icmp only, if security has a problem with the rules they are more than welcome to manage the firewall themselves.
|
# ? Dec 17, 2020 03:29 |
|
ior posted:
Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that both pf/iptables only do ip/port. Whilst a modern NGFW does everything from appcontrol, ips dns security, sd-wan, sandboxing etc.

https://aws.amazon.com/marketplace/solutions/security/firewalls-proxies

How do these sorts of software firewalls/appliances work presumably without their special hardware? Is it just poorly?
|
# ? Dec 17, 2020 04:31 |
|
They just implement it all in software, yes. A quick glance at the Azure dataset shows throughput info for various configs which can be compared to the same on appliance hardware. I'm on mobile so can't do it directly right now.
|
# ? Dec 17, 2020 05:00 |
|
Methanar posted:
https://aws.amazon.com/marketplace/solutions/security/firewalls-proxies

I did a FortiGate-VM on AWS deployment earlier this year. Exactly the same as the physical appliances and worked perfectly. The Fabric Connector integration with EC2 is neat as well. Currently designing a HA setup for another deployment with Transit Gateway.
|
# ? Dec 17, 2020 07:27 |
|
Pile Of Garbage posted:
Exactly the same as the physical appliances and worked perfectly

How
|
# ? Dec 17, 2020 08:53 |
Pretty sure the virtual FTG throughput is terrible like all virtual counterparts, but otherwise indistinguishable
|
|
# ? Dec 17, 2020 13:13 |
|
|
All CPU bound firewall poo poo works fine under normal/small load, but caves during a DDoS as their session table maxes out. I'd consider it the same as using pf/iptables/hosts.allow at best. Related to firewalls, anyone know of software, open sores or commercial, that is made for vendor agnostic firewall source of truth / documentation, and possibly provisioning? I'm picturing a web ui type of thing where you define your NAT rules, and perhaps it can poo poo out a block of code per vendor. It doesn't even need that config part as long as it has an API, we could make it work with .j2 templates or something. It looks like there's a crusty old sourceforge project that's now dead called `fwbuilder` that does something similar, but it looks like a windows app or someshit.
|
# ? Dec 17, 2020 16:25 |
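One way the "vendor agnostic source of truth" idea in the post above can be sketched, as an added example that is neither fwbuilder nor any product's code: a single DNAT rule record rendered into iptables, FreeBSD/pfSense-style pf, and FortiOS VIP syntax. The interface names, addresses and VIP name are constructed sample values; the per-vendor format strings stand in for the .j2 templates the poster mentions.

```python
# Added example: one NAT rule definition, rendered per vendor.
# Sample addresses are documentation ranges; interface names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str       # stable identifier; reused as the FortiOS VIP object name
    wan_if: str     # outside interface, as each vendor names it
    ext_ip: str     # public address the rule listens on
    ext_port: int
    int_ip: str     # internal host receiving the translated traffic
    int_port: int
    proto: str = "tcp"

def render_iptables(r: NatRule) -> str:
    return (f"iptables -t nat -A PREROUTING -i {r.wan_if} -p {r.proto} "
            f"-d {r.ext_ip} --dport {r.ext_port} "
            f"-j DNAT --to-destination {r.int_ip}:{r.int_port}")

def render_pf(r: NatRule) -> str:
    # FreeBSD/pfSense-style rdr syntax (OpenBSD's newer "rdr-to" form differs).
    return (f"rdr pass on {r.wan_if} proto {r.proto} from any to {r.ext_ip} "
            f"port {r.ext_port} -> {r.int_ip} port {r.int_port}")

def render_fortios(r: NatRule) -> str:
    # FortiOS virtual IP with port forwarding ("config firewall vip").
    return "\n".join([
        "config firewall vip",
        f'    edit "{r.name}"',
        f'        set extintf "{r.wan_if}"',
        f"        set extip {r.ext_ip}",
        f'        set mappedip "{r.int_ip}"',
        "        set portforward enable",
        f"        set protocol {r.proto}",
        f"        set extport {r.ext_port}",
        f"        set mappedport {r.int_port}",
        "    next",
        "end",
    ])

RENDERERS = {"iptables": render_iptables, "pf": render_pf, "fortios": render_fortios}

def render(rules, vendor: str) -> str:
    """Render all rules for one vendor; an unknown vendor fails loudly, not silently."""
    if vendor not in RENDERERS:
        raise ValueError(f"no renderer for {vendor!r}; known: {sorted(RENDERERS)}")
    return "\n".join(RENDERERS[vendor](r) for r in rules)

# Constructed sample: public 203.0.113.10:443 forwarded to 10.0.0.5:8443 via "wan1".
SAMPLE_RULES = [NatRule("vip-web-443", "wan1", "203.0.113.10", 443, "10.0.0.5", 8443)]
```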