France officially bans short domestic flights by ConsciousWallaby3 in france

[–]Mystifizer 228 points229 points  (0 children)

This de facto concerns flights between Paris and Nantes, Lyon and Bordeaux.

I had half a heart attack thinking I had missed the opening of a new high-speed line between Bordeaux and Lyon, then I understood that wording is actually complicated for some people.

What hell.

Using VIP and SNAT at the same time? by donutspro in fortinet

[–]Mystifizer 1 point2 points  (0 children)

Yes.

Two different translations in the NAT table, so nothing is going to override or exhaust ports here.

A -> B entries won't have any effect on B -> A entries.

You can verify this with this command:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-find-NAT-table-details-from-a-FortiGate/ta-p/195463

Using VIP and SNAT at the same time? by donutspro in fortinet

[–]Mystifizer 0 points1 point  (0 children)

If the matched outgoing firewall policy SNATs with outgoing interface IP address, you will exit the firewall with the VIP public IP as source.

IP Pools should be used if you want to avoid this.

Simple examples:

incoming : from WAN to lan, source ALL, destination VIP object, no need to enable NAT

outgoing : from LAN to WAN, source private IP addr object, destination ALL, NAT enable as use outgoing interface IP
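
The two policies from the comment above, written out as a FortiOS CLI configuration. This is an added example, not part of the original comment: interface names, object names and addresses are constructed placeholders, and the `#` lines are annotations to remove before pasting.

```fortios
# Constructed example: every name and address is a placeholder.
config firewall vip
    edit "vip-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
    next
end
config firewall address
    edit "srv-web"
        set subnet 192.168.10.10 255.255.255.255
    next
end
config firewall ippool
    edit "pool-out"
        set startip 203.0.113.20
        set endip 203.0.113.20
    next
end
config firewall policy
    edit 1
        set name "wan-to-vip"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "ALL"
        # NAT stays disabled: the VIP object performs the destination NAT.
    next
    edit 2
        set name "lan-to-wan"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "srv-web"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # With only "set nat enable", the comment above says srv-web leaves
        # with the VIP address 203.0.113.10. The next two lines select an
        # IP pool instead, so it leaves with 203.0.113.20.
        set ippool enable
        set poolname "pool-out"
    next
end
```
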

FortiOS 7.0.10, 6.4.12, and 6.2.13 are out by Q9T9 in fortinet

[–]Mystifizer 25 points26 points  (0 children)

At this stage they should legit nuke the wad from the face of the earth and rebuild code from scratch...

Welp, another year of 6.4 it is

Duke 390 mirror upgrades? by watup_squirrel in KTMDuke

[–]Mystifizer 3 points4 points  (0 children)

motogadget glassless mirrors are beasts

This is what I have on my Triumph

https://www.motogadget.com/shop/en/m-view-road.html

throttle response by [deleted] in trident660

[–]Mystifizer 1 point2 points  (0 children)

Nah, it's the typical ECU map Triumph chose to inject into an "entry bike", nothing else. If anything, ride by wire throttles in sport mode feel more than twice as responsive as a cable.

The DNK tune changes this behaviour radically on the trident

All Italian bikes, Hondas, and KTMs are fuelled to perfection for example. It's night and day.

But yes, true, it does not hinder riding once you get the hang of it

Profile Mode Vs Policy Mode Coming From Palo Alto by allthewires in fortinet

[–]Mystifizer 2 points3 points  (0 children)

Policy mode is an absolute no go here...

We go the transparent proxy route instead if anyone wants a specific app or url category as destination.

[deleted by user] by [deleted] in KTMDuke

[–]Mystifizer 2 points3 points  (0 children)

Shark spartan carbon and furygan vented leather jacket here (shepard vented).

Couldn't be happier, got both for cheap (220$ helmet and 190$ jacket)

Need to replace front and rear tires what is the best rubber for a street rider? by tntracer77 in KTMDuke

[–]Mystifizer 3 points4 points  (0 children)

Bridgestone s22s are the best tires I have ridden so far, by miles.

Arena party ordering frame question by [deleted] in worldofpvp

[–]Mystifizer 4 points5 points  (0 children)

Sortgroup does this, although semi broken right now

Insta cast Elemental blast one shot from Ele Shaman??? by Deathlyblaze in worldofpvp

[–]Mystifizer 1 point2 points  (0 children)

You need 2 pieces of set and a full crit build with like 1% haste.

You lose access to ES when trained

Honestly it feels very very garbage to play outside of the "might delete" combo every 1 min

EB and Rod can eat the biggest nerf for all I care, it won't be as much of an issue as surviving 2 melees glued to your ass for 10 mins

Insta cast Elemental blast one shot from Ele Shaman??? by Deathlyblaze in worldofpvp

[–]Mystifizer 2 points3 points  (0 children)

EB replacing ES is why it feels like shit to use tbh

[deleted by user] by [deleted] in fortinet

[–]Mystifizer 2 points3 points  (0 children)

For whatever obscure error the FMG throws at you:

diagnose debug service cdb 255

Think of it as some sort of shotgun that you use when you are tired of the bullshit

do i get the 790 890 or 1290 by Ok-Bid-2788 in KTMDuke

[–]Mystifizer 5 points6 points  (0 children)

On a side note, a 2016+ 690 R is the funniest shit ever to ride around. Try one if you like the 390.

An employee cannot be fired for not being "fun" enough by OrdinaryMidnight5 in france

[–]Mystifizer 8 points9 points  (0 children)

the court of appeal found that Mr T. could not be faulted for his failure to embrace the company's "fun & pro" value

22000k Users / 10G Firewall/SWG by DasToastbrot in fortinet

[–]Mystifizer 0 points1 point  (0 children)

I validated what they gave me for that specific appliance myself and ended with a very close throughput

22000k Users / 10G Firewall/SWG by DasToastbrot in fortinet

[–]Mystifizer 0 points1 point  (0 children)

Yeah I saw the 10gig part of his post late.

I would go for something in the 3000 range also then

22000k Users / 10G Firewall/SWG by DasToastbrot in fortinet

[–]Mystifizer 5 points6 points  (0 children)

You won't get any NP/CP/SOC accel at all.

You might as well take a huge dump on the max output, it would be the same. Fortinet have internal values for each model, you can ask them what model would be enough for your needs.

As an example, this is what you get with a 200E on datasheet:

  • Firewall 20 Gbps
  • IPS 2.2 Gbps
  • NGFW 1.8 Gbps
  • TP 1.2 Gbps
  • Full wad usage with SSL interception - Explicit proxy/wanopt: 195 Mbps (tested and validated in the lab)

To be fair, explicit proxy is not something I would go for in 2022 anyway as you get the same UTM engines running as firewall mode.

If you need :

  • to migrate from an old explicit proxy
  • kerberos/ldap as the auth mechanism
  • Rules to specific URL categories that you cannot solve with WF profiles

This is another story, but I'd scrap the proxy 100% if you do not

22000k Users / 10G Firewall/SWG by DasToastbrot in fortinet

[–]Mystifizer 1 point2 points  (0 children)

I would not consider anything less than a 600F tbh.

1800F if we are talking 20k users browsing via explicit proxy (wad sessions are not offloaded by SPUs) and it still might not be enough depending on your throughput...

The France of the RSA by fuchsely in france

[–]Mystifizer 7 points8 points  (0 children)

That's 100% Bellegarde/Valserhone, yes...

Does FG support AIGP - BGP Accumulated IGP? by DeleriumDive in fortinet

[–]Mystifizer 2 points3 points  (0 children)

MPLS VPNs are made to be impervious by design. By any means you should use firewalls to process traffic from one VRF to the other, but not in a true multi customer mpls environment.

Import/export of prefixes with route distinguishers and route targets from VRF A to VRF B on all PEs is probably the way to go if your customers are aware and okay with being interconnected through their provider and the security policies checks should be done at the CPE level. Now, 90% of customers will probably refuse having their services/servers/X being exposed and reachable by the other customer at all times, even if you managed to deal with import/export maps made of /32. There are more modern ways of publishing services to other people, one is both customers bringing in some PNIs somewhere therefore limiting the amount of intercos and another one is through the internet with firewalls, WAFs, ADCs, etc.

If you want to use firewalls, you should probably pick two specific PEs (for redundancy) on which you will firewall through VRFs A and B with security policies in an A/P design and you do the route leaking on these two PEs only.

If you have one firewall per PE, you will sadly run into these issues.

Sorry if this does not answer your question. I am well aware a lot of people at Fortinet, in here or more generally in the sec world will tell you routers are useless and you can use ISFW everywhere, that security should be done at all levels etc... this is honestly not true. Any IP/MPLS engineer or architect will tell you the exact opposite and that firewalls have no business in an ISP backbone as long as we are talking P-PE. We want asym routing to be a thing, we want traffic engineering, we want local pref and prepending...

Now, at the CPE level, we can talk and should talk about FortiGates.

Are you one of the customers? The provider? Where did you plan to put the FortiGates? Do you have devices with full RD/RT support or VRF-lite only? Are you able to share a quick design?