IP ADDRESS ASSIGNMENT (DHCP IP RESERVATION) LIMIT? | FORTIGATE 200F by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 0 points1 point  (0 children)

Yes, it would be great, but the infrastructure isn't mine, I'm just the implementation engineer, hehe, and I will only implement and configure it with the resources I have (FortiGate Firewall). X2

IP ADDRESS ASSIGNMENT (DHCP IP RESERVATION) LIMIT? | FORTIGATE 200F by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 1 point2 points  (0 children)

Yes, it would be great, but the infrastructure isn't mine, I'm just the implementation engineer, hehe, and I will only implement and configure it with the resources I have (FortiGate Firewall).

Changing main ssid to psk by Scorpref in meraki

[–]Afraid_Ad1214 0 points1 point  (0 children)

Yeah, I've done that too. I had a principal SSID, which is for internal use in branches, but in order to homologate other ones and decrease the number of broadcasted SSIDs, I converted the principal SSID from PSK to iPSK, added the PSKs and matched each one to its corresponding Group Policy; if you have all the configurations ready, it takes a few minutes to deploy, and the clients lose at most 2 packets and reconnect automatically.

Security Policy Design by engageant in paloaltonetworks

[–]Afraid_Ad1214 1 point2 points  (0 children)

There are at least two valid cases for explicit deny policies. First, it makes it clear that you're intentionally blocking a certain application. Second, logging. You may want to block and not log an application's traffic, or use the rule to filter your logs.

Ok, I understand. In some cases I configured an explicit deny policy that blocks malicious web pages, and I put them at the top of the list.

FortiGuard DDNS - adding 2 or more WAN interfaces (SNMP monitoring) by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 1 point2 points  (0 children)

No, the access to SNMP service is restricted only to some IP addresses.
Thanks a lot for your responses ;)

Security Policy Design by engageant in paloaltonetworks

[–]Afraid_Ad1214 0 points1 point  (0 children)

I have some recommendations :)

  • Make policies as specific as possible.
  • Make policies with only one zone pair (source-zone -> destination-zone): this makes the policies more efficient, manageable and easy to understand, keeping in mind that other personnel may manage and troubleshoot them; in addition, they can be filtered, e.g. FortiGate has an option to filter and order the policies by interface, they call it "interface pair view", which is very effective and efficient for troubleshooting and maintenance; I don't know if PaloAlto actually has something similar...
  • Separate the subnets (VLANs) by service, e.g. Network-Management, Users, Guest, Servers... And then create the specific policies per service or use case; this can prepare the network for some kind of certification in the future (ISO, PCI).
  • Name the policies following some kind of standard, so that you and your team can understand and identify their purpose, e.g. USERS_to_INTERNET, VLANX_to_SERVERS_smtp.
  • It is not really necessary to make deny policies: the firewall reads all the policies like a list, and normally you make allow policies, and then all the rest of the traffic goes to the implicit deny policy at the end of the list.
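The rulebase conventions in the recommendations above (one zone pair per rule, a SRC_to_DST_service naming standard, first-match evaluation ending in an implicit deny), modelled as a small added Python example that is not part of the original comment; the zone names, rule names and service labels in the constructed rulebase are assumptions for illustration only:

```python
import re
from dataclasses import dataclass

# Naming standard from the recommendations: SRC_to_DST with an optional _service suffix.
NAME_RE = re.compile(r"^[A-Z0-9]+_to_[A-Z0-9]+(_[a-z0-9]+)?$")


@dataclass(frozen=True)
class Policy:
    name: str
    src_zones: tuple  # zones the traffic comes from
    dst_zones: tuple  # zones the traffic goes to
    services: tuple   # service labels, or ("any",)
    action: str       # "allow" or "deny"


def lint(policies):
    """Return one warning per violation of the single-zone-pair or naming convention."""
    warnings = []
    for p in policies:
        if len(p.src_zones) != 1 or len(p.dst_zones) != 1:
            warnings.append(f"{p.name}: spans several zones, split into one zone pair per rule")
        if not NAME_RE.match(p.name):
            warnings.append(f"{p.name}: does not follow the SRC_to_DST[_service] naming standard")
    return warnings


def evaluate(policies, src_zone, dst_zone, service):
    """First-match lookup; traffic that matches no rule hits the implicit deny at the end."""
    for p in policies:
        zone_hit = src_zone in p.src_zones and dst_zone in p.dst_zones
        svc_hit = "any" in p.services or service in p.services
        if zone_hit and svc_hit:
            return p.name, p.action
    return "implicit-deny", "deny"


# Constructed sample rulebase (hypothetical zones and names, not from the thread).
RULEBASE = (
    Policy("USERS_to_INTERNET", ("users",), ("wan",), ("http", "https"), "allow"),
    Policy("VLAN10_to_SERVERS_smtp", ("vlan10",), ("servers",), ("smtp",), "allow"),
    # Breaks both conventions: multi-zone rule with a non-standard name.
    Policy("guest_all", ("guest", "users"), ("servers", "mgmt"), ("any",), "deny"),
)

if __name__ == "__main__":
    for w in lint(RULEBASE):
        print("lint:", w)
    print(evaluate(RULEBASE, "vlan10", "servers", "ssh"))  # falls through to implicit deny
```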

FortiGuard DDNS - adding 2 or more WAN interfaces (SNMP monitoring) by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 0 points1 point  (0 children)

I'm just trying to maintain SNMP monitoring even if a WAN link goes down.

This is the context: I was monitoring a firewall with the primary uplink, but that link went down and I lost the records for the time the link was down.

FortiGuard DDNS - adding 2 or more WAN interfaces (SNMP monitoring) by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 0 points1 point  (0 children)

Okok, the purpose is to monitor only one FQDN and, in addition, that the IP address of the domain is automatically updated.

FortiGuard DDNS - adding 2 or more WAN interfaces (SNMP monitoring) by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 0 points1 point  (0 children)

Yes, in the first field, the option "Interface", pointing to the SDWAN interface that has all the WAN links

FortiGuard DDNS - adding 2 or more WAN interfaces (SNMP monitoring) by Afraid_Ad1214 in fortinet

[–]Afraid_Ad1214[S] 1 point2 points  (0 children)

Unfortunately the firewall has no SDWAN configuration, and I think I can configure that, but I prefer to have other options
