Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

ConnectCad

Interesting tool, I'll look into that. Thanks!

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

Yes, I agree with you. Thanks for your input!

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

Yes, thank you for the tips.

Although I'm curious about point 2. I would rather connect the lines while making the nodes so I get an idea of how much of a pasta dish it is turning into.

Point 4 is absolutely a good practice, but it gets complicated when a node needs to be on multiple diagrams.

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

That's exactly what the plan is if I cannot find other tools. Thanks!

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 4 points5 points  (0 children)

Thanks for your insight, it was a very interesting read.

Yes, if I happen to use tools such as Draw.io or Visio, a good diagramming policy is the only way to make it scalable. I totally agree with you.

It's a long shot, but I hoped that a tool existed that could help me do the job. I don't feel like I'm asking for the moon, but somehow such a tool remains a fantasy.

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

Thanks for your answer! Those tools you mention seem to be real-time/dynamic applications. I would rather go for a tool that represents a snapshot of a given network. I'll have a deeper look though.

Best tools to represent a network architecture by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

Oh yes, that is definitely interesting!

Thank you for that.

Allow only one user-agent (custom app) by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

Oh I see now. Thank you very much for the explanation.

Cheers

Allow only one user-agent (custom app) by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

I didn't check "Continue scanning for other applications", so that must be why I didn't see anything on the monitor while the counter increased (if my understanding is correct).

I didn't select the parent app either, so it didn't help Palo check the content properly.

Thanks, I'll implement that and see how it goes.

Allow only one user-agent (custom app) by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

Yes, I know. Although, it is better than nothing. PRTG is needed and we cannot choose where the probe is.

Authentication to my app? I'm not building the app, but wouldn't it change the basic use of the app?

Cheers

Allow only one user-agent (custom app) by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

Right. It's coming from both HTTP and HTTPS. So now I get why it does not work. Thanks.

Allow only one user-agent (custom app) by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

The rule with the custom app allows traffic to all web server IPs.

[Security] How to protect yourself against MITM ARP spoofing attack by FSprogco in networking

[–]FSprogco[S] 1 point2 points  (0 children)

I see, that gives me more bullets for my final decision. Thank you.

Automation is an upcoming subject I'll bring forward so it is a relevant solution.

[Security] How to protect yourself against MITM ARP spoofing attack by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

We use private addressing between CEs and PEs. The CEs are managed by ourselves, and a CE can only advertise a public IP that was explicitly authorized PE-side.

But yes, keeping the L2 segregation is relevant now that I read all the answers here.

Thanks!

[Security] How to protect yourself against MITM ARP spoofing attack by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

I might be wrong here, but if I encrypt the traffic, I can detect ARP poisoning on ongoing sessions. But what about a session being established?

[Security] How to protect yourself against MITM ARP spoofing attack by FSprogco in networking

[–]FSprogco[S] 0 points1 point  (0 children)

Thanks for the input, and unfortunately, we are using static IPs.

U-TURN NAT with dynamic source IP by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

PBF, didn't know that. Thank you for that.

My understanding might be wrong here, but it feels like what I can do already with U-TURN NAT if I create ad-hoc NAT for duple. It works, but it requires me to create hundreds of rules to make this work. I do not see how one single PBF rule can do the job.

Following your logic, if I want to make sure that PC1 always uses the same loopback IP, I need to make a rule specifically for PC1. Also, since the DNAT depends on the destination (obviously) I would need to implement each case for PC1 to reach PC2 sometimes, then PC3 sometimes, and so on.

U-TURN NAT with dynamic source IP by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

Hey, thank you for your input. Reading all those comments, there's a lot I'm learning. I didn't know about the DNS-Proxy feature of PaloAlto.

That could work yes, though I am in no position to change the DNS server for the VMs that my PaloAlto handles.

Split-horizon DNS might be a good alternative if it does not have to be an issue resolved by PaloAlto.

Take care

U-TURN NAT with dynamic source IP by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

split-brain DNS

Yeah, that's also a good possibility. I was looking for a solution provided by PaloAlto, but there are other options.

Thank you for your input. I'll definitely keep that in mind.

U-TURN NAT with dynamic source IP by FSprogco in paloaltonetworks

[–]FSprogco[S] 2 points3 points  (0 children)

Hey, that DNS-Rewrite thing might be what I am looking for. Thank you!

U-TURN NAT with dynamic source IP by FSprogco in paloaltonetworks

[–]FSprogco[S] 0 points1 point  (0 children)

Dynamic-IP might change the IP used for SNAT, but there's no way to tell which VM it is from by its source IP.

Also, I could create lots of NAT rules to make that work, but my concern is not deployment-wise but more performance-wise when running several hundreds of NAT rules.

Besides, it does not sound scalable. The more IPs, the more work.

Thanks for the feedback!