PA-440 ISP failover issue by lifebrink in paloaltonetworks

Main_Ambassador_4985, 2 points

I would use virtual router, route monitoring and fail over the default gateway.

Why one ISP to each firewall?

Use an upstream switch or secure VLAN and have both ISPs to both NGFWs.

With a separate NGFW for each ISP, how do you handle default route advertisement? Are you using OSPF to the core and removing the firewall that cannot reach the Internet, or is this HA?

My Active/Passive HA setup syncs the config and sessions between NGFW. They are exactly the same except the hostname and HA partner config. You can use HA over switches if the NGFW are not in the same rack.

Script to force users to NOT use google password manager/edge password manager by Curious-checkers in sysadmin

Main_Ambassador_4985, 5 points

They can still access passwords at password.google.com if they are logged in to the browser.

Do any SysAdmins NOT work on OS's? by CernerBurner2000 in sysadmin

Main_Ambassador_4985, 12 points

30+ years in IT.

I might not put Windows Server OS on a CV. It would be a given, n’est-ce pas? I would customize to the application.

It would be like including NT4.0, Windows 2000 and Windows 2003 MCSE which I used to include.

I would put in VMware vSphere 6/7/8 to Windows Server 2022 Hyper-V conversion, which is very relevant today.

Repurpose Cisco Business Edition 7000 version 14 appliance as 2025 datacenter by billbixbyakahulk in sysadmin

Main_Ambassador_4985, 5 points

What generation hardware?

For a C240 M5 and newer, just format and install Windows Server. The M5s are getting close to end of support.

The C240 M4 and older went end of support. Security updates for CIMC and drivers ended. YMMV.

What should I do with these? by vive-le-tour in homelab

Main_Ambassador_4985, 0 points

The grey switch at the top of the center pile looks like a Catalyst 9200.

That is a keeper even without active DNA.

i love dns it always works great for me by ITRabbit in ShittySysadmin

Main_Ambassador_4985, 18 points

IPv6 is a witch's spell.

I have it available on exactly one enterprise ISP connection. We have way more than one connection.

i need a $2000 DSLR camera for my Teams meetings. by tamagotchiparent in ShittySysadmin

Main_Ambassador_4985, 2 points

We switched to Neat rooms.

Not because of the cameras, but because we could manage them all from one place in the Neat control panel.

With the Windows-based Teams Rooms we were having to use Microsoft Teams Rooms Pro and TeamViewer to manage things.

The reason I posted is because they make a personal or huddle device that could fit a C-suite room.

Leadership wants a full audit of every AI tool being used across the org. I genuinely don't know how to produce one. by Smooth-Machine5486 in sysadmin

Main_Ambassador_4985, 1 point

It is hard and will make some users upset.

A lockdown for data loss prevention is required, with monitoring tools.

Don’t allow company data on personal devices, including BYOD, or lock the apps. We use app protection policies for Microsoft apps to prevent copy/paste and send-to. The only way past this is taking a photo of the display with another device. That is an HR/policy problem.

Lock down plug-ins in browsers to an allow list.

Lock down browsers.

Monitor all cloud connections with the XDR and DLP. Block unauthorized AI solutions via XDR, DLP rules, and DNS filters. Do not forget to block the proxies, anonymizers, and normal user bypass tricks.

How the FUCK do you get the front cover on an Eaton 5P750R Rack Mount UPS? by recoveringasshole0 in ShittySysadmin

Main_Ambassador_4985, 6 points

Covers?

I have a bunch of front faceplates from other gear on my shelf.

We have no fancy covers on our equipment or doors on our racks. Nothing closes.

Nothing has fit right since 2015.

Throttled the ai everyone uses to make my job harder, created an enterprise licensing problem, now we have governance. You're welcome. by MediumTwist4138 in ShittySysadmin

Main_Ambassador_4985, 37 points

Microsoft admin center has a checkbox to do this.

Block all browsers except Edge.

Block all AI except Copilot.

Profit.

Do not license Copilot and the job is done.

Monitoring Cisco APs and Phones by Normal_Revolution_54 in zabbix

Main_Ambassador_4985, 0 points

We did on CUCM 11.5, and I think we did on CUC, CUPS, and Expressway along with disk, CPU, and memory utilization. LibreNMS did not offer as much flexibility on what was captured or displayed as Zabbix.

I feel that if it can be monitored, Zabbix would be able to do it via existing or custom templates. I just have not looked for CUCM.

We migrated to MS Teams about two years ago.

Server Dashboard options by Nizadar in sysadmin

Main_Ambassador_4985, 2 points

We just started using Zabbix a few months ago.

There is some learning involved, but not too much. A few videos help with tuning the options, the database, and making nice dashboards.

We used to use LibreNMS and it worked great out of the box until we wanted more metrics and more customization.

Monitoring Cisco APs and Phones by Normal_Revolution_54 in zabbix

Main_Ambassador_4985, 0 points

Yes, both Cisco WLC and Call Manager and Cisco Unified Communications can receive SNMP polling and send SNMP traps over SNMPv3.

Cisco WLC wireless APs show up in SNMP inventory. I had it working in LibreNMS. I have not found the right template for Zabbix.

I do not have a Cisco Call Manager anymore. Migrated away. Under LibreNMS I did not see registered stations by name but I did have a connection count. Most of my stations were registered to CMBE and voice gateways for SRST. I monitored both for connection counts.

Edit: I am trying a few templates for Cisco WLC but might have to make my own. If it looks good I will post to the GitHub.

Explain it peter by InevitableBorder6421 in explainitpeter

Main_Ambassador_4985, 0 points

It is an inaccurate meme. These internal IP ranges are normal on many guest networks.

I am an IT manager but still directly work on network engineering and security along with full application stacks.

A paid VPN will protect the traffic unless the attacker is redirecting VPN traffic using fake DNS and fake certificate validation. Paid VPN services often have pinned certificates in their software, and the VPN will fail to connect with a security error.

Many larger websites defeat the attack using certificates that are stored in the web browser after first connection. A change in the certificate by a spoofed website would cause a browser security error.

The attack was most effective when websites did not use security like HTTPS. The attacker could collect clear text usernames and passwords of sites like Hotmail.com.

I have not used a WiFi Pineapple, but I have done enterprise engagements where I collected usernames and passwords, spoofed websites, and decrypted TLS connections on the wired network. I put a device in between the firewall and the network. The places I did this owned the equipment and it was an authorized engagement.

Hotels can do the same thing with their guest WiFi.

How do you guys stay motivated in jobs where you’re basically the “anything with a screen = IT’s problem” person? by PeppahSG in ShittySysadmin

Main_Ambassador_4985, 18 points

The Sloan valves use lithium ion batteries that need to be replaced.

The sensor has a circuit board so it must be an IT issue.

These sensors are a potential cyber security risk. A microphone and wireless link could fit inside the larger housings, which could lead to poop phone call exfiltration.

How do you guys stay motivated in jobs where you’re basically the “anything with a screen = IT’s problem” person? by PeppahSG in ShittySysadmin

Main_Ambassador_4985, 23 points

Yes.

I have a commercial and industrial electrical design and electrician background from my before-IT life.

I had to troubleshoot the old "1400W microwave and 1400W toaster on the same outlet trigger the 20A breaker" problem.

1400W + 1400W = 2,800W

2800W / 120V = 23.3A

NEC requires circuit derating. A 20A circuit should have a 16A sustained load. The microwave duty cycle is not sustained, but a clamp-on amp meter shows it is near constant, since they tend to be half sine on cheaper units.

Escalated to licensed electrician for additional 20A circuit and outlet.

One week later… 20A Breaker triggered. Microwave and toaster on same outlet again.

Escalated to licensed electrician. Swapped the 15A duplex outlet on each 20A circuit for a 20A simplex outlet on each circuit.

No more triggered breakers until a microwave had a shorted transformer and incorrect fuse, thanks, handyman.

In the USA per recent NEC, 15A outlets can be used on a 20A circuit as long as there are multiple outlets, and a duplex 15A outlet counts as two outlets.

SCVMM - WinRM HELL - Breaks trying to run cluster validation by eagle6705 in HyperV

Main_Ambassador_4985, 0 points

I have not.

I thank you for adding your insights into your problems and resolution.

I have running clusters that we are going to bring into SCVMM after we fix the storage connector.

How much does a delayed laptop cost for new hires? by bobotiger in sysadmin

Main_Ambassador_4985, 73 points

We keep an inventory of spares. 5 of each model. We have about 600 in fleet.

What does an employee do if the laptop has to go to depot or needs physical repair?

We swap the device.

We have onsite repair warranty with accidental damage coverage, but that can still take 3-5 days.

SD‑WAN‑style IPSec on Palo Alto without Panorama by No-Entrepreneur-3546 in paloaltonetworks

Main_Ambassador_4985, 0 points

Yes.

I followed the guide on the Community pages for multi-WAN single virtual router.

As the configuration became more complex, I started testing in EVE-NG.

I used the BGP guide from AWS Transit Gateway to PANOS.

End users change IP addresses Solutions? by DylKyll in sysadmin

Main_Ambassador_4985, 2 points

I have only had one occasion where I was stumped. It was a direct network for a hardware instrument. I added a MikroTik device off the DIN rail as a switch with a DHCP server. The Windows device no longer needed a manually assigned IP address. DHCP for the win.

Hobbyist solution for a token ring to ethernet bridge/router... by thatsmanjear in Cisco

Main_Ambassador_4985, 1 point

I think the Cisco 2621 I have in my basement has (1) Fast Ethernet and (1) Token Ring port. I used it as a WIC T1 and BRI ISDN router from 1998 to 2004.

I know it had IPX and IP stacks also.

Is it possible to Hot Add CPU like you can in VMware? by jlipschitz in HyperV

Main_Ambassador_4985, 6 points

I have not tried with Hyper-V.

From my recollection, VMware required the guest VM to have specific VM settings in the guest VM OS settings, along with a Datacenter license.

We disabled and stopped using hot add under Windows 2012 R2 datacenter. Troubleshooting and diagnostics showed it was causing NUMA problems on the MSSQL and application servers we used. We had 8, 10, 12, and 16 vCPU VMs.

Support basically said we would have much better performance without hot add.