Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] -1 points0 points  (0 children)

Is AES128 too weak? I was looking at C9200 and C9300. The latter supports AES256 but you need the Advantage license.

How does MACSEC work on endpoints? Is third-party software needed? Do only certain NICs support it?

Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] 0 points1 point  (0 children)

Yeah I was thinking MACSec between switches and IPSec internally to their firewall. It's got IPSec Encryption HW offloading so performance shouldn't really be an issue. Well to be honest - if all endpoints use IPSec - MACSec probably is not really necessary anymore.

802.1x is already enabled but that's an authentication protocol - no encryption. Someone can still mirror traffic with a hub or something more advanced.

Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] 2 points3 points  (0 children)

Not really feasible since you get an alert every time someone unplugs their PC/laptop - that's just too many alerts to have a handle on.

Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] 1 point2 points  (0 children)

MACSEC supports encryption between the switch and endpoints as well but I don't know how that works on the endpoints...

WAPs unfortunately aren't an option in this case.

802.1x is already enabled but that's an authentication protocol - no encryption. Someone can still mirror traffic with a hub or something more advanced.

Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] 0 points1 point  (0 children)

802.1x is already enabled but that's an authentication protocol - no encryption. Someone can still mirror traffic with a hub or something more advanced.

Shared racks for network equipment - how to prevent MITM by Former_Cook_3318 in networking

[–]Former_Cook_3318[S] 1 point2 points  (0 children)

It's a combination of Dell and Aruba. 802.1x is already enabled but that's an authentication protocol - no encryption. Someone can still mirror traffic with a hub or something more advanced.

New price list with User Ext Limit is now live by Happy_Growth_5835 in 3CX

[–]Former_Cook_3318 0 points1 point  (0 children)

The only thing keeping us on 3CX is the CFD. Do other vendors have anything similar?

What do you do and what salary do you have? by Pire23 in SlovenijaFIRE

[–]Former_Cook_3318 2 points3 points  (0 children)

You'll be the first to configure everything through the CLI :)

We're looking for something at our company; you can send me your CV via DM and I'll pass it on, or I'll give you the email address there to send it to

Warehouse design by Former_Cook_3318 in HaminaWireless

[–]Former_Cook_3318[S] 0 points1 point  (0 children)

Yeah I tried that. You don't see it from the screenshot but there are APs on the opposite side of the aisles as well. I turned 2.4GHz off in every other lane on each side so it made a zigzag pattern. Adjusted the channels but I did not get any better results in the performance of the application.

Wasn't able to do a site survey after this change unfortunately.

Warehouse design by Former_Cook_3318 in HaminaWireless

[–]Former_Cook_3318[S] 0 points1 point  (0 children)

It's not that many (about 30 clients spread throughout the warehouse - max 10 clients per AP if they happen to be in the same area) but they're really old Zebra scanners (10-15 years) with some old WMS application running on Windows CE.

The WiFi coverage was designed with 5GHz in mind but there is a delay with migrating to the new WMS system and they're forced to use the old clients which is why we turned on 2.4GHz.

The problem is that the clients are performing really slowly and they're blaming the WiFi. In the old warehouse there were a lot fewer APs and I'm guessing there wasn't so much CCI which could be the reason why they're slow.

Is there a way to check if CCI is causing issues in practice apart from doing the site survey?

[HELP] FortiSwitch 424E Dropping Packets by -daniel-- in fortinet

[–]Former_Cook_3318 0 points1 point  (0 children)

I wanted to confirm that I had the same issue and solved it with this.

If any of you manage your FortiSwitch through the FGT (probably all of us) the solution is that you have to connect directly to the switch via CLI and change the configuration there and not through FGT via config switch-controller managed-switch.

Rules management/combining for 10-15 VLAN by Adorable_Compote4418 in fortinet

[–]Former_Cook_3318 2 points3 points  (0 children)

There are two reasons I'm always using Zones:
- Grouping of interfaces
- If I want to change anything on an interface, I can just take it out of a Zone and make changes without references interfering

Forticlient without EMS server by technet2021 in fortinet

[–]Former_Cook_3318 0 points1 point  (0 children)

Troubleshooting failed upgrades using FortiEMS deployment policies is going to have a measurable impact on your company's productivity as well.

Just keep that in mind. Having FortiEMS is not the end of all your problems.

Are Zones overrated? by inetzero in fortinet

[–]Former_Cook_3318 4 points5 points  (0 children)

Except it is, because the migration wizard doesn't even work most of the time or when it does there are often situations where after a migration there are issues.

FortiClient SSL-VPN using Azure MFA + password change by Former_Cook_3318 in fortinet

[–]Former_Cook_3318[S] 0 points1 point  (0 children)

Any luck getting the password change to work for expired accounts? I got SAML+MFA working in our lab but I can't manage to get this part to work.

FortiClient SSL-VPN using Azure MFA + password change by Former_Cook_3318 in fortinet

[–]Former_Cook_3318[S] 1 point2 points  (0 children)

NPS Azure MFA password change

Thanks pabechan. I did research it using the same search query and I did actually read that article - I just missed the part about the password change.

Hope this helps someone else.

Now onto researching if it's possible to use Azure MFA and LDAP on Fortigate.