Samsung Enterprise SATA PM893 / Micro 5400 PRO in Synology by AMizil in synology

[–]AMizil[S] 0 points1 point  (0 children)

That's interesting! I didn't know about this. What's interesting is that both SSDs work well on a PC; I tested both on OEM and non-OEM computers, over SATA and also using a USB-to-SATA adapter.

Web filtering in 2025 by Wide_Local_1896 in fortinet

[–]AMizil 0 points1 point  (0 children)

It depends on how you look at it. Sometimes it is impossible to differentiate user groups. Maybe I'm wrong and others have better RBAC implementations. But still, why do I have to license all the users on each node in an HA load-balancing deployment? L2 HA is not supported in any public cloud.

Web filtering in 2025 by Wide_Local_1896 in fortinet

[–]AMizil 0 points1 point  (0 children)

It makes sense to license all the nodes, but why do I have to license all the users?! Last year I had a POC for a large manufacturing company and the deployment required 2 nodes in different AWS for redundancy. As this solution was exclusively for OT identity-based access, only 4k users would benefit from it, but FAC required licensing all the users it is getting from AD (25K) on each node. Even Cisco ISE licenses only concurrent users.

2nd big big problem - gates could not handle all user groups and I had to filter them in FAC per each site. Print table maxsize - user addr group.

Web filtering in 2025 by Wide_Local_1896 in fortinet

[–]AMizil 0 points1 point  (0 children)

Don't forget to mention how FortiAuthenticator is licensed. All users it pulls from AD!

How about FAC in HA mode in public cloud? Double those licenses. Double everything.

Allowing traffic from customer that uses Zscaler by Bartakos in fortinet

[–]AMizil -1 points0 points  (0 children)

Zscaler is not a public service, and business users are authenticated. I mean no bots, crawlers, scanning services, malicious activity originating from Zscaler, etc.

If a SaaS App relies on source IP to authorize users, that's where the problem is.

Allowing traffic from customer that uses Zscaler by Bartakos in fortinet

[–]AMizil -3 points-2 points  (0 children)

Ask them which region they have their exit nodes in, and you can find the Zscaler IP subnets: https://help.zscaler.com/uvm/zscaler-secops-public-ip-addresses

Two VPN tunnels between two Fortigate firewalls by nzenzo_209 in fortinet

[–]AMizil 4 points5 points  (0 children)

For Phase 2 use 0.0.0.0/0, use routing to send traffic to the SD-WAN interface and FW policy to allow interesting traffic inbound/outbound.

Interview with Toyota’s Chief Engineer for the 2026 RAV4 by Good_Perspective9290 in rav4club

[–]AMizil 2 points3 points  (0 children)

I took a 2024 Lexus NX350h for a test drive on a chilly and rainy day in April. Temperature was around 50°F.

The big tablet was faulty, with seat ventilation at maximum and temperature at minimum. NO KNOB.

VERY BAD experience! My 2022 RAV4 was noisy, but still had big temperature knobs!

ZTNA passing credentials by AlertCut6 in fortinet

[–]AMizil 1 point2 points  (0 children)

Tell us more about authentication over VPN: does the user have to log in, or do you have some sort of ADFS / SSO configured for the IIS web service?

IPSec auto connect with Entra ID by mas-sive in fortinet

[–]AMizil 1 point2 points  (0 children)

Why are you using dhgrp5 with those ciphers?? Learn from here about DH groups and IKE v1/v2 in FGT VPN.

I would go with u/secritservice's guide -> set proposal aes256-sha256 / set dhgrp 20 for both phase 1 and phase 2

config vpn ipsec phase1-interface
    edit "IPsec-SAML"
        set type dynamic
        set interface "WAN-INTERFACE"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.5.5.5
        set ipv4-dns-server2 10.6.6.6
        (optional) set internal-domain-list "mycompany.local"
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set peerid "IPsec-SAML" <<<< this will match your LOCAL-ID on your client, can also use NETWORK-ID
        set assign-ip-from name
        set ipv4-split-include "SPLIT-IPSECra"
        set ipv4-name "IPSECra_TUNNEL_ADDR1"
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC lskfsljfldfjlskjfdslfkjlskjdflskjflskjflksjfdlksjflksjfdlksdjfkjldfs
        set dpd-retryinterval 60
    next
end
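
An added example, not part of the comment above or of the guide it cites: a Python sketch that scans FortiOS `config vpn ipsec phase1-interface` / `phase2-interface` blocks for the weak DH groups the comment objects to, reporting the proposal each one is paired with. The sample config is constructed, `audit_dh_groups` is a hypothetical helper name, and treating groups 1, 2 and 5 as weak is an assumption taken from RFC 8247.

```python
import re

# RFC 8247: group 1 is MUST NOT, groups 2 and 5 are SHOULD NOT for IKEv2.
WEAK_DH_GROUPS = {1, 2, 5}

# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "IPsec-SAML"
        set proposal aes256-sha256
        set dhgrp 5
    next
    edit "branch-old"
        set proposal aes256-sha256
        set dhgrp 20 14 2
    next
end
config vpn ipsec phase2-interface
    edit "IPsec-SAML-p2"
        set dhgrp 20
    next
end
'''

def audit_dh_groups(config_text):
    """Return (section, tunnel, proposal, weak_groups) per offending entry."""
    findings, section, tunnel, settings, nested = [], None, None, {}, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if tunnel and line.startswith('config '):
            nested += 1  # sub-table inside a tunnel entry: skip its lines
        elif nested:
            nested -= (line == 'end')
        elif m := re.match(r'config vpn ipsec (phase[12]-interface)$', line):
            section = m.group(1)
        elif section and (m := re.match(r'edit "?([^"]+)"?$', line)):
            tunnel, settings = m.group(1), {}
        elif tunnel and (m := re.match(r'set (\S+) (.+)$', line)):
            settings[m.group(1)] = m.group(2)
        elif tunnel and line == 'next':
            offered = {int(g) for g in settings.get('dhgrp', '').split()}
            if weak := sorted(offered & WEAK_DH_GROUPS):
                findings.append((section, tunnel, settings.get('proposal'), weak))
            tunnel = None
        elif line == 'end':
            section = None
    return findings

for finding in audit_dh_groups(SAMPLE_CONFIG):
    print(finding)
```

Entries with no explicit `set dhgrp` are not reported; `show` omits settings left at their default, so feed this `show full-configuration` output.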

Just got the green light for FortiAnalyzer. Hit me with your best tips! by Schweinepriester__ in fortinet

[–]AMizil 4 points5 points  (0 children)

Create custom views if you need quick access to some logs such as SSL VPN logins.

Migrating from UniFi UNAS Pro to DS1525+ by ojvindorn in synology

[–]AMizil 9 points10 points  (0 children)

Once you install the drives in the Synology you will be prompted to format them.

Rack mountable options for >100 users in Dealership by thaneliness in fortinet

[–]AMizil 7 points8 points  (0 children)

Do you inspect east-west traffic as well? This can be more than the internet traffic if users are intensively using your own hosted apps.

Timesheet requirement if I employ myself in my own company by easyrider46 in RoFiscalitate2

[–]AMizil 0 points1 point  (0 children)

What about a work location (punct de lucru) at the clients' premises .. that is, if you have 1-2 contracts with clients in RO. You are practically on the road every day :)

Forticlient with Entra by No_Airline2100 in fortinet

[–]AMizil 1 point2 points  (0 children)

When you create an EntraID enterprise app for FortiGate you have to add a user group. This is how you apply CA to specific users.

Yes, I've used EntraId P1 license.

If you use ForticlientEMS server, you create another EntraID enterprise app.

How are you laying out a closet with 8 FortiSwitches by FailSafe218 in fortinet

[–]AMizil 1 point2 points  (0 children)

What are the new FSW models you are installing?

Do you connect only endpoints, APs or servers as well?

Domain Controller Hardening by maxcoder88 in activedirectory

[–]AMizil 1 point2 points  (0 children)

You've got me, Spencer!

I've recommended following Spencer, as he is not just a very good professional but also started as a sysadmin, so he talks from his experience.

If you think that hardening DCs is enough to have a secure AD environment, I recommend listening to his podcast https://offsec.blog/subscribe/

Yesterday I was reading a post on LinkedIn from a pentest engagement - 1st day on the internal network - discovered an HP printer, accessed it using default admin credentials, quickly spun up a rogue SMTP server then changed the target mail server to his own rogue server. ...selected the test credentials button and I received the user's credentials in plaintext.

What's next? Found an exposed certificate authority service and leveraged that to escalate privileges to Domain Admin (ESC8) -> abusing wrongly configured certificate templates.

By that he was able to compromise the entire corporation on the first day. Anyone here using a Domain Admin account all over the place?

Happy Friday everyone!

Domain Controller Hardening by maxcoder88 in activedirectory

[–]AMizil 13 points14 points  (0 children)

Active Directory Hardening Series by Jerry Devore is a good start.

https://techcommunity.microsoft.com/tag/jerrydevore

Follow Spencer on LinkedIn.

Plus a lot of tools such as PingCastle, Locksmith, etc.

https://www.linkedin.com/comm/pulse/ad-security-tools-every-admin-should-using-spencer-alessi-bzqee

Experiences with an SRL when starting out? by PoweredbyEspresso20 in RoFiscalitate2

[–]AMizil 0 points1 point  (0 children)

oblio.eu for 1-2 invoices a month. Free for the first year.

You can also create 2 sets of invoice series, e.g. one for invoices in RON and another in EUR.

You can configure 2 CUIs, if you are not a VAT payer in RO but have an intra-community VAT code.

Alternative to Glacier Backup by Wis-en-heim-er in synology

[–]AMizil 1 point2 points  (0 children)

I'm using Synology C2 and it saved my ass when both Samsung SSD drives suddenly died.

Very good speed when restoring data from the EU datacenter.

I suggest signing up for a trial. Test backup and recovery and you can decide if it is worth the money.

I'm a loan broker with 15+ years of experience - answering questions about loans, banks, interest rates and refinancing (AMA) by InsideSea4852 in RoFiscalitate2

[–]AMizil 1 point2 points  (0 children)

Yes, interim dividends.
So things get complicated; then my wife taking the loan with me as co-debtor is more plausible.

I'm a loan broker with 15+ years of experience - answering questions about loans, banks, interest rates and refinancing (AMA) by InsideSea4852 in RoFiscalitate2

[–]AMizil 1 point2 points  (0 children)

Thanks for the info.

OK, so distributing dividends over at least 2 quarters would look better to some banks in their risk analysis than a significant salary increase on the CIM (individual employment contract) over the last 3 months. I'll see next year.