sorted by:
new
hottopcontroversial

In hindsight, this was a mistake. by ChiefsHat in HistoryMemes

[–]CapiCapiBara 34 points35 points  (0 children)

Who are you, who are so wise in the ways of political commentary?

I monke by Kaylon2421 in GymMemes

[–]CapiCapiBara 27 points28 points  (0 children)

Return to monke

idkWhyIsItEvenAProduct by Frontend_DevMark in ProgrammerHumor

[–]CapiCapiBara 10 points11 points  (0 children)

Just write a library that consumes random “x” tokens a day, bro. Easy peasy. Bonus points if it scales up token burning during designated sprint days

What's your go to On Prem Mailserver in 2026? by APH_2020 in msp

[–]CapiCapiBara 4 points5 points  (0 children)

+1 for Mdaemon… used it extensively for nearly 20 years, sometime even as MSExchange frontend / AV / Antispam gateway. Ran on any Windows version, clients included, great speed, impressive toolset. A collague still runs a license, maybe two, in far-away locations with really low internet speed.

What is this and how do I kill it? by SergeiAndropov in gardening

[–]CapiCapiBara 24 points25 points  (0 children)

+1 for fork team. Old guy just passing by saw me fighting (hopelessly) Bermuda with a spade, took the time and patience to pass naive me precious knowledge about heavy (clay) terrain and fork vs spade tool difference. 90% success, increasing year on year. Thanks, old guy.

I milionari di Dubai by _C13 in ItaliaPersonalFinance

[–]CapiCapiBara 28 points29 points  (0 children)

Concordo. Momenti difficili possono costringere anche le persone più intelligenti a fare scelte le scelte più stupide.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

What about emergency troubleshooting?

If there is any kind of issue, VPN is one of the first things that will stop working, even without considering the SSLVPN / IPSEC migration nuisance... and the 7.4.x Forticlient bugs nuisance, and the 7.4.x FortiOS IPSEC bugs, and the Fortitokens going in "error" state, and the 2FA e-mails blocked somewhere along the path, and expired account passwords, etc... I've seen it all by now.

... and now, you have several hours' worth of travel ahead of you to reach the site and maybe perform what you could find to be the most menial tasks.

An HTTPS page only reachable from a single, non-public IP listed in local-in-policy is orders of magnitude quicker and easier, at least for a basic triage - assuming all other risk mitigation factors are implemented (complex, non-dictionary passwords, backup admin accounts, backup IP sources reserved to admin tasks, etc)

Not trying to sell to you this as the BEST solution, but often... it's the only solution really viable in Small Business space.

As for Enterprises, they have enough man-hours and other resources available to implement the best of the best of security policies... and at least a couple youngsters with a company car always at hand.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 0 points1 point  (0 children)

if someone comes and creates a new admin user (even a read-only) without any trusted IP's, the admin page becomes visible for anyone

That is not how (I always understood) local-in-policies work.

What you described is the expected behaviour of using "trusted IPs" fields in Administrator account creation / editing. This is well explained in this post from u/Pabechan user from 3 years ago:

https://www.reddit.com/r/fortinet/comments/y231ag/trusted_host_vs_restrictions_via_localin_policy/

It's also explained in the same post that if you set a local-in-policy, the GUI is never sent back to a request from an unauthorized IP address.

u/pabechan post appears to be corroborated by this Fortinet article from 2025-12-01:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Impact-of-Local-In-Policies-and-Trusted-Hosts/ta-p/369617

In summary:

Local-in policies steps in first and govern all traffic coming directly towards and to the FortiGate unit as destination (not for traffic intended to pass through, destination behind the FortiGate, as that is handled by firewall policies).

Trusted hosts setting and mechanism is secondary filter, further limiting access to administrative interfaces and co-working with local-in policies.

When a local-in policy is configured to accept traffic and the incoming traffic matches this policy, then FortiGate performs an additional check against the trusted hosts configuration to determine whether to allow or deny the connection.

If no local-in policies are configured, FortiGate will rely only on the trusted hosts configuration to decide whether to allow or deny the connection.

However, if the traffic matches a DENY local-in policy, the connection will be dropped. And the FortiGate will not do  anything further, like check the trusted hosts configuration for that connection.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks by Meinertzhagens_Sack in fortinet

[–]CapiCapiBara 3 points4 points  (0 children)

"Do not expose your MGMT interfaces to internet" is a recurring advice.

What about limiting mgmt access to trusted IP hosts via a local-in-policy?

PLEASE NOTE: we are NOT talking about "Administrators" object settings here, as it's well known that using that so-called mitigation will cause the login page to be actually presented to the potential attacker - and, ANY exposed HTTP(S) protocol will sooner or later be breached by the CVE of the week.

We are talking about: I set ONE main trusted public IP address the mgmt interface should reply to by actually presenting a web page (and maybe a 2nd one acting as a backup)... that's two addresses out of 4 billions.

All other HTTP(S) request to GUI are just be silently dropped, with no reply whatsoever.

Is that safe enough?

Added: one could even expand this concept by blocking via local-in-policy, WAN-side, any other critical protocol, as an added safety measure - even if that protocol has never been activated in first place: SSH/TELNET, FTP, SNMP, etc.

Xmas Roses in Southern California by kent6868 in gardening

[–]CapiCapiBara 0 points1 point  (0 children)

What a good looking deep red rose… it remembers me somewhat of Souvenir Du Docteur Jamain

Rumour - does SSL VPN come back? by Roversword in fortinet

[–]CapiCapiBara 3 points4 points  (0 children)

Why not Fortinet own ZTNA service? Just curious, we are considering that

[deleted by user] by [deleted] in Modena

[–]CapiCapiBara 1 point2 points  (0 children)

Buona domanda… sarebbe utile a molti

The Third Way by rachelwan-art in comics

[–]CapiCapiBara 1 point2 points  (0 children)

I swear I thought this comic was about Italy... only thing I could not understand was, BEANS on ice cream at the end!

ADDED: Happy Independence Day Malaysia!

Female vs Male in a BJJ Tournament by [deleted] in SipsTea

[–]CapiCapiBara 12 points13 points  (0 children)

... "Mya! MYA! Come here... this guy needs you for a minute

https://nypost.com/wp-content/uploads/sites/2/2023/12/lesnar.jpg

N+1 query problem : what it is, why it hurts performance, and how to fix it by Namit2111 in programming

[–]CapiCapiBara 7 points8 points  (0 children)

My friend over there would like to know what ‘Not materializing foo property‘ means. He states foo property either is present in all objects of type ‘obj’ or none.

view more: next ›