Thanks Ants
May 21, 2004

Bless You Ants, Blants



Also: lol what are Cisco doing trying to put Catalyst on all their products? First the wireless stuff became Catalyst, and now they have "Edge Appliances" as well.


Partycat
Oct 25, 2004

Life at last
Salutations from the other side


Plaster Town Cop

They explained that in the CCCP, at least why it's not a router anymore.

All you need to know is it will probably work mostly okay before it goes EOL in 4-5 years

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


What is anything catalyst anymore, CatOS was dead in the early 2000s.

'set' commands and ISL vlans 4 lyfe

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Bob Morales posted:

Active/passive



Basically, this:

Thanks Ants posted:

As above, there should be HA links so the firewalls can talk to each other

https://docs.fortinet.com/document/fortigate/latest/administration-guide/900885/ha-active-passive-cluster-setup

There should also be (logical or physical) switches sat on the WAN and LAN side of the boxes. I would assume the Cisco 3600X is just acting as a switch to provide two links to your firewalls currently, as the router might not have a switch that it can run things through.

I'm really not sure why you have a port mirror set up, that seems like it could cause a problem. If you need two ports on the LAN side of things to connect each firewall to then you normally just have them in their own VLAN in a point-to-point subnet and set your routes up accordingly. I've no idea if the 5500 can put a port into L3 interface mode, but that might explain why someone has decided a port mirror (which IIRC has pretty severe performance implications) is the way to fix it.

The port mirror appears to be set up to mirror the ports from each fortigate, which I have no clue why you would do that and I feel like it will cause something to blow up at some point... probably during failover. Since you don't have multiple LAN ports those ports should just be individual interfaces (don't mirror, don't port-channel); if you have multiple interfaces from each fortigate you would port-channel those together (i.e. if ports 4 and 5 from Fortigate 1 ran to switch 1 port 2 and switch 2 port 2 you would put them in a port-channel).

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



The mirror port being on the switch in the core that our SAN is connected to might be part of why backups ran slow when we use our cloud repository :facepalm:

Bob Morales
Aug 18, 2006



Also I don't know if we've ever done a failover test since I've been here. Not sure if taking a fortigate out will end catastrophically or not.

Not Wolverine
Jul 1, 2007

by Fluffdaddy


I talked to my IT manager a little more today, I asked him if the router was dusty and he said "you know, it has been more reliable now that it's winter" so I suspect a can of compressed air might be in my future. I also jokingly told him that with residential gateways the standard fix was to FR and reconfigure, and I suspect backing up, reformatting and reconfiguring the router might also be in my future. It's not running the latest firmware because in the past a firmware upgrade bricked the first RV325, and Cisco was kind enough to replace it.

MF_James
May 8, 2008


Bob Morales posted:

The mirror port being on the switch in the core that our SAN is connected to might be part of why backups ran slow when we use our cloud repository :facepalm:

I just had a thought about the mirrored port.

I wonder if the switch is in L3 mode and someone doesn't know how to set up a failover route, so instead of using their brain they just set up a default route to the one fortigate and have the mirrored port to the other in the event of failover; sounds dumb enough that someone has done it.

Also uhh if the traffic is loving up your backups then you're hosed if there is a failover anyway, maybe.

Bob Morales
Aug 18, 2006



MF_James posted:

I just had a thought about the mirrored port.

I wonder if the switch is in L3 mode and someone doesn't know how to set up a failover route, so instead of using their brain they just set up a default route to the one fortigate and have the mirrored port to the other in the event of failover; sounds dumb enough that someone has done it.

Also uhh if the traffic is loving up your backups then you're hosed if there is a failover anyway, maybe.

Yea I figured the mirrored port was some hillbilly failover they read about on some website

Last week's backup speeds to the cloud:

[post attachment]

Bob Morales
Aug 18, 2006



Last night:

[post attachment]

MF_James
May 8, 2008


gently caress sonicwall and their site to site vpn.

Just ran into a weird issue where specific traffic was not going through a tunnel setup as site to site, for whatever reason their auto-generated rules aren't working so I have to create specific rules for traffic to pass, but even then some traffic just doesn't pass.

My guess is that it's because we're connecting 2 different devices with different firmware together, but as a temporary fix I just create a "Tunnel Interface" instead of a site to site.

SamDabbers
May 26, 2003




MF_James posted:

gently caress sonicwall

Yes

falz
Jan 29, 2005



MF_James posted:

gently caress sonicwall and their site to site vpn.

Just ran into a weird issue where specific traffic was not going through a tunnel setup as site to site, for whatever reason their auto-generated rules aren't working so I have to create specific rules for traffic to pass, but even then some traffic just doesn't pass.

My guess is that it's because we're connecting 2 different devices with different firmware together, but as a temporary fix I just create a "Tunnel Interface" instead of a site to site.

If it still exists, don't forget to go to the hidden "/diag.html" and check some boxes which back in the day was the only way to get some vpn tunnels to work right.

Thanks Ants
May 21, 2004


There's so many loving bugs in every Sonicwall release, and the worst part is that their weird binary config format means that you can break a box to the point that you have to default it and start again to get it stable.

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

I'd rather work on literally anything other than a SonicWall. I'd rather be stuck in some kinda hosed up purgatory where I just deployed FirePower over and over to the unholy shrieks of a never ending stream of clients than have to touch one ever again. They're the worst.

falz
Jan 29, 2005



What's the firewall vendor whose boxes are bright red, and the only way to admin it was a Windows native application that opens multiple windows? This info is at least 10 years old. I want to say maybe even the word 'fire' was in the vendor or product name.

That was the only thing worse imo.

Thanks Ants
May 21, 2004


Watchguard, you still admin them through some awful windows app.

Barracuda tried to sell me on their 'brand new' range of boxes and the demo started with a Windows app to manage them, nope nope nope.

Bob Morales
Aug 18, 2006



Thanks Ants posted:

Watchguard, you still admin them through some awful windows app.

Barracuda tried to sell me on their 'brand new' range of boxes and the demo started with a Windows app to manage them, nope nope nope.

They aren't using BARRACUDA CLOUD CONTROL?

BaseballPCHiker
Jan 16, 2006



Thanks Ants posted:

Watchguard, you still admin them through some awful windows app.

Barracuda tried to sell me on their 'brand new' range of boxes and the demo started with a Windows app to manage them, nope nope nope.

As bad as Watchguard is I think I'd actually prefer it to Sonicwall.

Sonicwall just seems to get you 80% of the way there before it fucks you over. At least with Watchguard the config will bomb out early or refuse to load at the beginning.

falz
Jan 29, 2005



I'm not a firewall guy and generally don't like being involved in security, but the only firewall I don't remember hating was Netscreen, pre Junos purchase. Fortigate obviously keeps that Web UI going similarly, and also with similar terribleness, like having to go to the CLI to enable IPv6 so it shows up in the web UI.

Netscreen's CLI was nicer than Fortigates though, iirc. This whole pseudo tabbed nested thing with next is bullshit. But at least you can get a text config backup, which IMO is key to any of this poo poo.

MF_James
May 8, 2008


falz posted:

I'm not a firewall guy and generally don't like being involved in security, but the only firewall I don't remember hating was Netscreen, pre Junos purchase. Fortigate obviously keeps that Web UI going similarly, and also with similar terribleness, like having to go to the CLI to enable IPv6 so it shows up in the web UI.

Netscreen's CLI was nicer than Fortigates though, iirc. This whole pseudo tabbed nested thing with next is bullshit. But at least you can get a text config backup, which IMO is key to any of this poo poo.

Fortigate is making strides toward putting the UI at feature parity with the CLI.

Honestly Fortigates are probably my favorite firewall. I've never used Palo Altos tho.

Watchguard is terrible, their webUI is poo poo and the app is equally poo poo.

Bob Morales
Aug 18, 2006



Most firewalls are just pretty front-ends for pf/iptables right? Have any of those companies invented their own poo poo, or are they just all slapping linux/bsd on a whiteboxed system?

Nuclearmonkee
Jun 10, 2009




Thanks Ants posted:

Also: lol what are Cisco doing trying to put Catalyst on all their products? First the wireless stuff became Catalyst, and now they have "Edge Appliances" as well.

They want to sell their DNA center thing really hard and from what the cisco guy told me, as part of that they started pushing hard internally to unify things to make it feasible. They want to sell NX-OS switches and ACI for the datacenter and catalyst everything hooked into DNA center for distribution/edge.

I am not complaining about AireOS going away.

Nuclearmonkee
Jun 10, 2009




MF_James posted:

Fortigate is making strides toward putting the UI at feature parity with the CLI.

Honestly Fortigates are probably my favorite firewall. I've never used Palo Altos tho.

Watchguard is terrible, their webUI is poo poo and the app is equally poo poo.

Fortigate and Palo Altos are both good imo. As long as it's not another loving ASA really I'm happy.

MF_James
May 8, 2008


Nuclearmonkee posted:

Fortigate and Palo Altos are both good imo. As long as it's not another loving ASA really I'm happy.

Agreed

i am a moron
Nov 12, 2020


FortiGate's and Palos are all I'd recommend anymore, know some people who love CheckPoint though.

Farking Bastage
Sep 22, 2007


i am a moron posted:

FortiGate's and Palos are all I'd recommend anymore, know some people who love CheckPoint though.

We just threw out all the checkpoints for fortigates. They were price gouging us *really* bad.

In other news, we made our resellers gift us a couple of Extreme Campus Appliances after they suddenly went end of sale on the whole identifi line, so I got some nice shiny wifi6 AX WAPs now. I took one and set the channel width on 80 because it was a very low density area and decided to do a little speed test.


They're screaming.

Thanks Ants
May 21, 2004


You can push those sorts of numbers on 802.11ac with decent APs and clients, my understanding of the main benefits of AX is when density becomes a factor.

Farking Bastage
Sep 22, 2007


Yeah, if I set an Extreme 3965 to 80bw, it'll get there on AC if the client has 4 MIMO streams. Once I have more endpoints on the new controllers, I'm probably going to pop a 10g on the backhaul link. That's a lotta GBs flying around. (My WLANs all bridge at controller)

ior
Nov 21, 2003

What's a fuckass?

Bob Morales posted:

Most firewalls are just pretty front-ends for pf/iptables right? Have any of those companies invented their own poo poo, or are they just all slapping linux/bsd on a whiteboxed system?

Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that pf/iptables both only do ip/port, whilst a modern NGFW does everything from appcontrol, ips, dns security, sd-wan, sandboxing etc.

Farking Bastage
Sep 22, 2007


ior posted:

Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that pf/iptables both only do ip/port, whilst a modern NGFW does everything from appcontrol, ips, dns security, sd-wan, sandboxing etc.

This. Say you have a rule to recognize RDP traffic inbound on 3389; the ip/port firewall will recognize it because of ip/port. If you change that to 33389, an ip/port FW won't recognize that as actual RDP traffic. A next gen firewall will because it's ripping all the packets apart and looking for certain applications. I always preferred the term application aware on this new stuff.
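The ip/port versus application-aware distinction in the post above, as an added example that is not code from the thread or from any firewall vendor: a port-only check is compared with a check that inspects the first client bytes of the TCP stream for the TPKT + X.224 Connection Request that opens every RDP session. The `Flow` class, the function names and the three sample flows (RDP on 3389, RDP moved to 33389, and HTTP parked on 3389) are all constructed here for illustration; the sample RDP connection request is a hand-built minimal packet, not a capture.

```python
# Added example (not from the thread): port-based vs application-aware
# classification of one flow, using RDP as the application.
from dataclasses import dataclass

RDP_DEFAULT_PORT = 3389


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the TCP stream


def port_based_is_rdp(flow: Flow) -> bool:
    """What an ip/port firewall can do: match the destination port only."""
    return flow.dst_port == RDP_DEFAULT_PORT


def looks_like_rdp(payload: bytes) -> bool:
    """Application-aware check: does the stream open with an RDP
    Connection Request regardless of which port it arrived on?

    Layout checked:
      TPKT (RFC 1006): version 3, reserved 0, 16-bit big-endian total length.
      X.224 CR TPDU (ITU-T X.224): length indicator (LI), then code 0xE0
      in the high nibble (the low nibble is the credit field, 0 for class 0).
    """
    if len(payload) < 11:  # TPKT (4) + LI (1) + CR fixed part (6)
        return False
    if payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len != len(payload):  # TPKT length must cover the whole segment
        return False
    if payload[4] != tpkt_len - 5:  # LI excludes the TPKT header and itself
        return False
    return (payload[5] & 0xF0) == 0xE0


def classify(flows):
    """Return (dst_port, port_based_verdict, app_aware_verdict) per flow."""
    return [(f.dst_port, port_based_is_rdp(f), looks_like_rdp(f.payload)) for f in flows]


# Constructed sample data (hand-built, not captured traffic):
# a minimal 19-byte X.224 Connection Request inside a TPKT header.
RDP_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, length 0x13 = 19
    "0ee0000000000001"  # LI=14, CR code 0xE0, dst ref, src ref, class 0
    "00080003000000"    # RDP negotiation request (type 1, length 8, flags)
)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

SAMPLE_FLOWS = [
    Flow(3389, RDP_CONNECTION_REQUEST),   # RDP on its default port
    Flow(33389, RDP_CONNECTION_REQUEST),  # RDP moved to a non-default port
    Flow(3389, HTTP_REQUEST),             # something else parked on 3389
]

if __name__ == "__main__":
    for port, by_port, by_app in classify(SAMPLE_FLOWS):
        print(f"dst_port={port:<6} port-rule says RDP: {by_port!s:<5} "
              f"app-aware says RDP: {by_app}")
```

The second flow is the case in the post: the port rule misses it and the application check still catches it. The third flow shows the other failure mode of a port-only rule, a false positive on anything that happens to use 3389.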

Bob Morales
Aug 18, 2006



ior posted:

Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that pf/iptables both only do ip/port, whilst a modern NGFW does everything from appcontrol, ips, dns security, sd-wan, sandboxing etc.

I realize that, but I guess I thought the base rules were still comparable to something like pfsense and all the IPS stuff was their own engine. So they're all using their own tech for that?

BurgerQuest
Mar 17, 2009



Yes, and most use custom ASIC hardware to do it very very fast even in the smallest appliances.

I've been using Fortigate since 3.x and really wish I'd bought shares back then hah.

ate shit on live tv
Feb 15, 2004



the only firewall i tolerate is an srx, otherwise i set the rules to outbound nat and icmp only, if security has a problem with the rules they are more than welcome to manage the firewall themselves.

Methanar
Sep 26, 2013
ASK ME ABOUT NOT TIPPING DELIVERY DRIVERS, OR ABOUT MY DIET OF CANNED BABY CORN AND CHICKEN NUGGETS

ior posted:

Depends on how you define most. The big players are definitely not using pf/iptables (Palo, Check Point, Fortinet, Cisco). Keep in mind that pf/iptables both only do ip/port, whilst a modern NGFW does everything from appcontrol, ips, dns security, sd-wan, sandboxing etc.

https://aws.amazon.com/marketplace/solutions/security/firewalls-proxies

How do these sorts of software firewalls/appliances work presumably without their special hardware?

Is it just poorly?

BurgerQuest
Mar 17, 2009



They just implement it all in software, yes. A quick glance at the Azure dataset shows throughput info for various configs which can be compared to the same on appliance hardware. I'm on mobile so can't do it directly right now.

Pile Of Garbage
May 28, 2007





Methanar posted:

https://aws.amazon.com/marketplace/solutions/security/firewalls-proxies

How do these sorts of software firewalls/appliances work presumably without their special hardware?

Is it just poorly?

I did a FortiGate-VM on AWS deployment earlier this year. Exactly the same as the physical appliances and worked perfectly. The Fabric Connector integration with EC2 is neat as well. Currently designing a HA setup for another deployment with Transit Gateway.

Methanar
Sep 26, 2013

Pile Of Garbage posted:

Exactly the same as the physical appliances and worked perfectly

How

i am a moron
Nov 12, 2020


Pretty sure the virtual FTG throughput is terrible like all virtual counterparts, but otherwise indistinguishable


falz
Jan 29, 2005



All CPU-bound firewall poo poo works fine under normal/small load, but caves during a DDoS as their session table maxes out. I'd consider it the same as using pf/iptables/hosts.allow at best.

Related to firewalls, anyone know of software, open sores or commercial, that is made for vendor agnostic firewall source of truth / documentation, and possibly provisioning? I'm picturing a web ui type of thing where you define your NAT rules, and perhaps it can poo poo out a block of code per vendor. It doesn't even need that config part as long as it has an API, we could make it work with .j2 templates or something.

It looks like there's a crusty old sourceforge project that's now dead called `fwbuilder` that does something similar, but it looks like a windows app or someshit.
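The vendor-agnostic source-of-truth idea from the post above, as an added example that is not fwbuilder and not any vendor's tool: one neutral `DnatRule` record is validated (malformed addresses, out-of-range ports, two rules claiming the same external ip/proto/port) and then rendered to iptables and to pf `rdr` syntax. The record layout, function names and the sample rules (TEST-NET and RFC 1918 addresses) are constructed for illustration; the iptables invocations and the pf `rdr pass ... -> ...` form are standard syntax, with the pf form being the older rule style still used by FreeBSD and pfSense rather than the OpenBSD 4.7+ `rdr-to` style.

```python
# Added example (not from the thread, not fwbuilder): a minimal NAT
# source of truth with validation and per-vendor rendering.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DnatRule:
    name: str       # human label, kept in the generated comments
    ext_if: str     # outside interface on the firewall
    ext_ip: str     # public address the service is published on
    proto: str      # "tcp" or "udp"
    ext_port: int   # public port
    int_ip: str     # inside host
    int_port: int   # inside port


def validate(rules):
    """Return a list of problems; an empty list means the set is consistent.
    A source of truth should refuse to render anything it cannot vouch for."""
    errors, seen = [], {}
    for r in rules:
        for addr in (r.ext_ip, r.int_ip):
            try:
                ip_address(addr)
            except ValueError:
                errors.append(f"{r.name}: bad address {addr!r}")
        if r.proto not in ("tcp", "udp"):
            errors.append(f"{r.name}: unsupported proto {r.proto!r}")
        for port in (r.ext_port, r.int_port):
            if not 1 <= port <= 65535:
                errors.append(f"{r.name}: port {port} out of range")
        key = (r.ext_ip, r.proto, r.ext_port)
        if key in seen:  # two rules cannot own the same external socket
            errors.append(f"{r.name}: external {key} already used by {seen[key]}")
        else:
            seen[key] = r.name
    return errors


def render_iptables(rules):
    """DNAT in the nat table plus the matching FORWARD accept (default-deny assumed)."""
    out = []
    for r in rules:
        out.append(f"# {r.name}")
        out.append(f"iptables -t nat -A PREROUTING -i {r.ext_if} -p {r.proto} "
                   f"-d {r.ext_ip} --dport {r.ext_port} "
                   f"-j DNAT --to-destination {r.int_ip}:{r.int_port}")
        out.append(f"iptables -A FORWARD -i {r.ext_if} -p {r.proto} -d {r.int_ip} "
                   f"--dport {r.int_port} -m conntrack --ctstate NEW -j ACCEPT")
    return out


def render_pf(rules):
    """pf 'rdr pass' form (FreeBSD/pfSense style); 'pass' admits the redirected flow."""
    return [f"# {r.name}\n"
            f"rdr pass on {r.ext_if} inet proto {r.proto} from any to {r.ext_ip} "
            f"port {r.ext_port} -> {r.int_ip} port {r.int_port}" for r in rules]


RENDERERS = {"iptables": render_iptables, "pf": render_pf}


def render(rules, vendor):
    """Validate first, then emit the block of config for one vendor."""
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(RENDERERS[vendor](rules))


# Constructed sample rules (documentation addresses, not a real deployment).
SAMPLE_RULES = [
    DnatRule("web", "eth0", "203.0.113.10", "tcp", 443, "10.0.0.5", 8443),
    DnatRule("vpn", "eth0", "203.0.113.10", "udp", 500, "10.0.0.9", 500),
]

if __name__ == "__main__":
    for vendor in RENDERERS:
        print(f"--- {vendor} ---")
        print(render(SAMPLE_RULES, vendor))
```

Adding a vendor is one more renderer in `RENDERERS`; the validation stays shared, which is the point of keeping the rules in one place rather than in each box's own format.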
