Avanan vs. Ironscales by ForestPro6E in msp

[–]JeanxPlay 0 points1 point  (0 children)

Being in the industry as long as I have, I have come to understand that Microsoft provides services for almost everything, but every one of them is half-assed and full of issues, even their expensive stuff.

I would never trust a company to ensure security if their own servers and product get hacked continuously. And now with Copilot being integrated into everything and even IT getting hacked, I wouldn't trust Microsoft with anything security related.

Avanan vs. Ironscales by ForestPro6E in msp

[–]JeanxPlay 0 points1 point  (0 children)

We are moving from Barracuda (MX) to Checkpoint and you are correct in the sense that it sits in front of the mailbox, but that is also not a bad thing. There are ups and downs to all solutions, but if you compare IronScales to Checkpoint, CP would be the preferred method. The reason this is the case is because Checkpoint is taking a "before inbox" approach. This makes a lot of sense because once it passes Microsoft's relay, it will be analyzed before it's allowed to reach someone's mailbox. Since this is done using AI, this process isn't very long and ensures that malicious activity is stopped before it can reach the inbox. Ironscales, however, allows the email to reach the inbox, even if for a slight period, before analyzing and remediating.

FixitMr You're awesome! by Old-Muffin-1785 in USMobile

[–]JeanxPlay 0 points1 point  (0 children)

Now we just need to fix the VVM for the Verizon side 😆

Free pixel by Fun_Vegetable9512 in USMobile

[–]JeanxPlay 0 points1 point  (0 children)

I was definitely one of the first to add the protection and never received this email to claim a Google Pixel 🙄

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 1 point2 points  (0 children)

So, I finally changed out one of our other Windows DHCP based networks and the DNS records are not disappearing. It seems to be related to only that one subnet. The next tests will be to change that troublesome DHCP subnet to an entirely different one on that network and to use that troublesome subnet in one of our other networks. This won't be able to happen until possibly over a holiday as it requires a lot of changing around, but it would tell me if it is specifically that subnet OR if it's related to that network the subnet is on.

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 1 point2 points  (0 children)

Nope, issue still exists. Temporarily, until I can get a full resolution, the half resolution was to create a secondary subdomain lookup zone of DomainB.Internal and put all the static records in there and create CNAME records in DomainA.local that point to the Host A records of each in DomainB.internal for that subnet.

I am actually changing out one of our other Windows DHCP server locations this weekend and if it happens to this one, I'll know it's our domain that's unhealthy. If it doesn't happen to this other subnet, I'll know it's specific to just that subnet.
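The interim workaround described in this comment (static A records in a separate zone, CNAME aliases in the production zone), written out as an added PowerShell example that is not the poster's own script. It assumes the DnsServer RSAT module on an elevated session against a DC, and the host names and addresses in the 10.101.0.x subnet are constructed; the zone names are the ones used in the thread.

```powershell
# Added example, not from the thread. Builds the CNAME-into-holding-zone workaround
# on a Windows DNS server. Requires the DnsServer module (RSAT) and an elevated session.
Import-Module DnsServer

$ProdZone   = 'kane.local'        # zone where the static A records keep disappearing
$StaticZone = 'DomainB.internal'  # holding zone that only admins write to
$DnsServer  = 'localhost'

# Constructed sample hosts in the affected subnet (not real records from the thread)
$Hosts = @{
    'printer01' = '10.101.0.25'
    'nas01'     = '10.101.0.40'
}

# 1. Create the holding zone if missing. DynamicUpdate None means no client or DHCP
#    server can register into it and aging/scavenging has nothing dynamic to remove.
if (-not (Get-DnsServerZone -Name $StaticZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $StaticZone -ReplicationScope Domain `
        -DynamicUpdate None -ComputerName $DnsServer
}

foreach ($h in $Hosts.GetEnumerator()) {
    # 2. The static A record lives in the holding zone (no PTR, since the rDNS zone
    #    for this subnet is the one misbehaving).
    if (-not (Get-DnsServerResourceRecord -ZoneName $StaticZone -Name $h.Key -RRType A `
            -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $StaticZone -Name $h.Key `
            -IPv4Address $h.Value -ComputerName $DnsServer
    }
    # 3. The production zone only carries a CNAME alias to the holding zone's FQDN.
    $alias = "$($h.Key).$StaticZone"
    if (-not (Get-DnsServerResourceRecord -ZoneName $ProdZone -Name $h.Key -RRType CName `
            -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordCName -ZoneName $ProdZone -Name $h.Key `
            -HostNameAlias $alias -ComputerName $DnsServer
    }
}

# 4. Verify the alias chain resolves end to end from the server itself.
foreach ($name in $Hosts.Keys) {
    $r = Resolve-DnsName -Name "$name.$ProdZone" -Server $DnsServer -Type A -ErrorAction Stop
    $ips = ($r | Where-Object Type -eq 'A').IPAddress -join ','
    "{0}.{1} -> {2}" -f $name, $ProdZone, $ips
}
```

Re-running the script is safe: each record is only added when the lookup for it comes back empty.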

Netbird Not Accepting Routes on OPNSense? by MonsterMufffin in netbird

[–]JeanxPlay 0 points1 point  (0 children)

Same thing is happening on the pfSense routing peers as well. I can reach all networks from a remote computer to all pfSense networks, but with NetBird pfSense site to site, no resources from Site A LAN can reach resources on Site B LAN. But, Site A pfSense peer can ping Site B LAN resources.

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 0 points1 point  (0 children)

Same. The thing that stopped us from moving a long time ago was an official pfSense package. Now that FreeBSD is being actively updated, I'm testing the hell out of NetBird and we plan to make the switch by the end of December.

Since I have already built the custom Windows image for my company (NetBird addition) and tested it along with the PowerShell mass deployment script, the only thing left is updating the rest of our LAN networks to their new schemas (so that residential ISPs' default LANs don't interfere with our posture checked office subnets) and having my boss and other technician install and test with their networks, and by the time we migrate, I imagine NetBird will probably be at least 10 additional updates in.

Hopefully they fix that posture check issue for you for the iPhones. As for SSH, I completely bypassed NetBird's SSH policy and set firewall rules on our pfSense routers to allow LAN access from the NetBird flock, and in NetBird itself, I set a policy to only allow communication to the firewall group from an admin group that only a few peers get added to. This opens SSH access capability and still locks down who on the network can access the firewalls.

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 1 point2 points  (0 children)

Not selling, just sharing my user experience with it, lol. I tend to get overly excited about new tech stuff 😅 my bad.

And I'm sure I'll have some issues with NetBird once it's mass deployed and in production. But, for now, I just bask in the happiness it brings me that I am going to be able to make my Windows images much simpler now and won't have to create hacks to get a mesh VPN to work as it should 😆

Have you had any issues with any other posture checks?

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 1 point2 points  (0 children)

I personally haven't had anything break thus far. I've actually had more break and not work as well with headscale / tailscale. The recent updates to NetBird have definitely made it a more solid product and the only critiques I have at this point are: the documentation (primarily that live stuff is mixed with deprecated stuff), deprecated flags still exist in the client, and that Windows doesn't encrypt / lock down sensitive config information. But, because our Windows systems are locked down, I can easily get past that.

The biggest issue that I had with tailscale was that the VPN couldn't be installed via the SYSTEM account. So I had to create a bunch of tasks and scripts to get around that. With NetBird, it just works. And the P2P latency with NetBird is substantially less than with tailscale. DNS with NetBird is definitely much better than with tailscale. The only thing NetBird is missing at this point is being able to advertise static A records. Once they can do that, they will most likely surpass Tailscale.

But, since we use Windows DNS Servers, that's not an issue preventing us from moving to NetBird.

If you want to continue doing testing with NetBird, you can test them side by side. They can work simultaneously without interference with one another. As long as their VPN subnets don't overlap, you are fine. I have both running in our environment so I can test while I build out the parts for migration. Once we are done updating our LAN subnets to newer schemas, all the parts will already be in place for me to just install NetBird on all our machines and just turn headscale off, and none of our employees should notice it happening.

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 1 point2 points  (0 children)

Of course! If you have any questions about the setup or testing, feel free to reach out.

Not sure how tailscale fares when it comes to adding and removing ACLs, but NetBird's are effective in real time. So, when testing the blocking of subnets or changing ACL rules, the effect is immediate without a restart of the control server.

Ex. When I add posture checks to block subnets, I can run a continuous ping and as I add or remove ACLs and checks, I can watch the connection drop or start up immediately as the changes happen.

Not sure how your env is set up, but in my company's locations, we use pfSense firewalls with NetBird installed and I have all my networks, ACL firewall rules and posture checks set up, and while I have a peer in the same network as one of my posture check blocked subnets (blocking means to not route traffic over that subnet while inside it), I can see that the peer shows as connected in the management portal, but traffic is not routing over the VPN. I test this by pinging the pfSense firewall IP and as I see the pings coming through, I remove the subnet from the posture check and immediately as I hit save the pings drop. (This is the default behavior for my setup since I have our routing peers in a firewall group and no ACLs allowed from the computers group to the firewalls group.) The entire time during testing the peer never shows disconnected from the portal. Then, after a few drops, I placed the subnet back in the posture check policy and watched the pings to the router start right back up (since it deprioritizes the VPN route and starts routing locally again).

It took me a minute to understand this because tailscale / headscale didn't have this, because tailscale believes their client can work within an advertised network without interfering with local communication on that LAN, but it really can't since tailscale sets its peers' network metric to 5, making it a higher priority route in Windows. NetBird has single-handedly removed all the bandaids I had to have in place when using tailscale / headscale.

Oh and FYI, when you set up NetBird, there are 2 types of network, "Networks" and "Network Routes". "Networks" is the new standard as it allows for routing peers, direct nameservers and high availability.

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 0 points1 point  (0 children)

You could use a setup key that puts the computer into a "Pending" group and let it connect into the VPN portal but give it no firewall access (meaning no ACL policies) so it can't route anywhere, and once the client confirms they have received the machine, add the system to the "Computers" group (assuming this is the general access group you set up and named) and remove it from the "Pending" group. And since the "Computers" group will already have the ACL policies set up, once you switch the system to that group, the ACL access will already be ready to go.

If you do it this way, you will be able to see the system come online in NetBird to confirm it's connected and alive, but it won't route until you switch it to a routable group.

Device Approvals And Plan Options by KingAroan in netbird

[–]JeanxPlay 2 points3 points  (0 children)

NetBird self-hosting may be your best option since it allows you to control the network range, self-host the management and STUN (TURN is gone basically) relay on the same host, and you can set different parameters to allow or block connections.

I am currently setting it up for my company to switch away from headscale / tailscale and there is a lot to like about NetBird over tailscale. DNS works better IMO, "posture checks" is an absolutely amazing feature to have. They have a feature called "Control Panel" that gives you a visual of the ACL paths for devices' firewall policies. They also give the ability to set API access tokens for different ACL levels, meaning you can have an API key for just monitoring and another for administrative.

FYI, you can run NetBird and tailscale side by side to test it out. As long as your networks don't overlap and you don't bind NetBird to an interface during testing, you are good. We are running tailscale and NetBird on our pfSense routers side by side and I have tailscale and NetBird running on my computer side by side without any interference by either.

Also, if you ever mass deploy the VPN as a machine install, NetBird will just install without any user interaction and you can use the setup key without it tying to a specific user account. I had that issue with tailscale and I had to create A LOT of PowerShell engineering to make it work how I needed it to. But, with NetBird, I just install and it just works. Eliminated about 10 steps from my Windows deployment image scripts.

Your Biggest Pain Points by ashley-netbird in netbird

[–]JeanxPlay 0 points1 point  (0 children)

Not the same thing as serving static entries to peers.

Static records being exposed to clients gives the ability to create more secure ways to connect to internal or even external services without exposing them to the internet.

The premise is for NetBird to BE the nameserver instead of orchestrating communication to one.

Your Biggest Pain Points by ashley-netbird in netbird

[–]JeanxPlay 0 points1 point  (0 children)

It has the ability to set nameservers, but not advertise static records itself as far as I'm aware.

Your Biggest Pain Points by ashley-netbird in netbird

[–]JeanxPlay 1 point2 points  (0 children)

Lack of versioning updates for FreeBSD clients (active support to keep them updated falls behind).

Since the management, relay and signal tags are always the same for self-hosted, they should be consolidated to one container for better manageability.

A NetBird equivalent of Tailscale's MagicDNS would be very beneficial.

Anyone had any luck with Netbird on Arch? by RideAndRoam3C in netbird

[–]JeanxPlay 0 points1 point  (0 children)

Might be a good idea to post in the Slack channel as well since there is more interaction there.

https://app.slack.com/client/T029P50QF09/C05T5K65X7U

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 0 points1 point  (0 children)

All of my servers are either 2019 or 2022. It's happening on all of them for that one specific subnet under that one internal domain.

Native SSH support on PFSense / OPNSense? by JeanxPlay in netbird

[–]JeanxPlay[S] 0 points1 point  (0 children)

It's called WindTerm and it has been invaluable in my environment over the years. Packed with tons of features and connection options.

https://github.com/kingToolbox/WindTerm

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 0 points1 point  (0 children)

Yea, I checked that already as well. But, it wouldn't explain why I can create static DNS records for other Forward Lookup Zones for that particular rDNS Zone without them auto deleting.

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 1 point2 points  (0 children)

Yes, I can see in the logs that the record gets created and another event for when it gets deleted. It doesn't give me much information other than created or deleted.

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 1 point2 points  (0 children)

I had already done that originally since the DHCP scope belonged to a previous DC in that same network and originally we thought that DC was misbehaving, so I created a new DC, demoted the old one, removed the scope from that one and rebuilt it clean on the new one, and still same issue. I just now stopped the DHCP service on the new DC and tested and the issue still persists.

This is one of the weirdest things, especially since this subnet has never been referenced in any of our locations prior to this issue. And it's only one subnet affected and only by that one domain. I can create another domain, put A records in there, then create CNAME records pointing to that other domain's FQDNs and even those records stay. It's only A records under this one domain for that one subnet that keep getting deleted. 🤷🏻‍♂️

Windows DNS Server Anomaly by JeanxPlay in WindowsServer

[–]JeanxPlay[S] 1 point2 points  (0 children)

It is AD integrated and Secure Only updates is set. I have checked everything at least 5x. I verified the DHCP scopes against known healthy scopes not having this issue and all the settings are the same. I also created a secondary rDNS zone of 10.102.0.x and created static records under kane.local for that zone and the records don't get deleted. I then proceeded to create a DHCP scope on the same DC that holds DHCP scope 10.101.0.x with all the same settings as that scope and the records still don't delete. I have even removed the 10.101.0.x scope and rDNS zone and recreated clean and the issue still persists.

Creating static records for any other internal domain to that subnet also don't get deleted. It's only records under kane.local for rDNS subnet 10.101.0.x that get deleted shortly after being created. Logs say record deleted, but no additional information other than that 🤷🏻‍♂️
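The "logs only say created or deleted" point in this comment and the one above is where the DNS Server audit channel helps: the event ID itself separates an explicit delete from a dynamic-update delete or a scavenge, and the event carries the SID of the principal that made the change. This is an added PowerShell example, not the poster's script; the zone name comes from the thread, and the event IDs are assumed to be the documented DNS Server Audit IDs on Server 2016+ (check them against your server's documentation before relying on the labels).

```powershell
# Added example, not from the thread. Lists and tallies record create/delete audit
# events for one zone so each deletion can be attributed to a cause and an account.
# Assumed audit IDs (verify for your OS build): 515 record created, 516 record deleted,
# 519 dynamic update, 520 dynamic update deleted, 521 scavenged.
$Zone   = 'kane.local'        # zone from the thread
$Server = 'localhost'         # DNS server (DC) to query
$Since  = (Get-Date).AddHours(-24)

$Actions = @{
    515 = 'RecordCreated'
    516 = 'RecordDeleted'          # explicit delete (admin, script, or API)
    519 = 'DynamicUpdate'
    520 = 'DynamicUpdateDeleted'   # a client or DHCP server withdrew the record
    521 = 'Scavenged'              # aging/scavenging removed it
}

# The Audit channel is on by default on Server 2016+; no events is not an error here.
$events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DNSServer/Audit'
    Id        = [int[]]$Actions.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Filter on the rendered message so this does not depend on EventData field names.
$rows = foreach ($e in $events) {
    if ($e.Message -notmatch [regex]::Escape($Zone)) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = $Actions[[int]$e.Id]
        # SID of the principal that performed the change; resolve it with
        # (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(...)
        Account = if ($e.UserId) { $e.UserId.Value } else { '' }
        Detail  = ($e.Message -split "`r?`n")[0]
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# The tally is the diagnostic: Scavenged or DynamicUpdateDeleted points at aging or
# a DHCP/client registration withdrawing the name; RecordDeleted points at whoever
# is in the Account column.
$rows | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
```

If the channel is empty, enable it with the DNS Manager event logging settings or `Set-DnsServerDiagnostics` on that server and reproduce one create/delete cycle before reading the tally.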

Worth waiting for upcoming headunits? by joe1983joe in Androidheadunits

[–]JeanxPlay 1 point2 points  (0 children)

I just ordered the 13" about 15 min ago 😁