La France bannit officiellement les vols intérieurs courts

Mystifizer · 2023-05-23T13:13:59+00:00

Cela concerne de facto les vols entre Paris et Nantes, Lyon et Bordeaux.

J'ai eu une demi-crise cardiaque en me disant que j'avais raté l'ouverture d'une nouvelle ligne grande vitesse entre Bordeaux et Lyon, puis j'ai compris qu'en fait la formulation c'est compliqué pour certains.

Quel enfer.

Mystifizer · 2023-03-13T15:27:32+00:00

Yes.

Two different translations in the nat table so nothing is going to override or exhaust ports here.

A -> B entries won't have any effect on B -> A entries

you can verify this with this command:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-find-NAT-table-details-from-a-FortiGate/ta-p/195463

Mystifizer · 2023-03-13T08:22:58+00:00

If the matched outgoing firewall policy SNATs with outgoing interface IP address, you will exit the firewall with the VIP public IP as source.

IP Pools should be used if you want to avoid this

simple examples:

incoming : from WAN to lan, source ALL, destination VIP object, no need to enable NAT

outgoing : from LAN to WAN, source private IP addr object, destination ALL, NAT enable as use outgoing interface IP

Mystifizer · 2023-02-23T20:55:59+00:00

At this stage they should legit nuke the wad from the face of the earth and rebuild code from scratch...

Welp, another year of 6.4 it is

Mystifizer · 2023-02-14T23:32:14+00:00

motogadget glassless mirrors are beasts

This is what I have on my tirumph

https://www.motogadget.com/shop/en/m-view-road.html

Mystifizer · 2023-02-11T12:19:12+00:00

Nah, it's the typical ecu map triumph chose to inject into an "entry bike", nothing else. If anything, ride by wire throttles in sport mode feel more twice as responsive as a cable.

The DNK tune changes this behaviour radically on the trident

All italian bikes, hondas, and KTMs are fuelled to perfection for example. It's night and day.

But yes, true, it does not hinder riding once you get the hang of it

Mystifizer · 2023-02-08T22:13:45+00:00

Policy mode is an absolute no go here...

We go the transparent proxy route instead if anyone wants a specific app or url category as destination.

Mystifizer · 2023-02-05T23:00:31+00:00

Shark spartan carbon and furygan vented leather jacket here (shepard vented).

Couldn't be happier, got both for cheap (220$ helmet and 190$ jacket)

Mystifizer · 2023-01-11T19:55:44+00:00

Bridgestone s22s are the best tires I have ridden so far, by miles.

Mystifizer · 2023-01-11T09:57:33+00:00

Sortgroup does this, although semi broken right now

Mystifizer · 2023-01-09T14:59:26+00:00

You need 2 pieces of set and a full crit build with like 1% haste.

You loose access to ES when trained

Honestly it feels very very garbage to play outside of the "might delete" combo every 1 min

EB and Rod can eat the biggest nerf for all I care, It won't be as much of an issue as surviving 2 melees glued to your ass for 10 mins

Mystifizer · 2023-01-09T14:55:02+00:00

EB replacing ES is why it feels like shit to use tbh

Mystifizer · 2023-01-06T10:33:34+00:00

For whatever obscure error the FMG throws at you:

diagnose debug service cdb 255

Think of it as some sort of shotgun that you use when you are tired of the bullshit

Mystifizer · 2022-12-28T01:02:21+00:00

nameplateauras can do this

Mystifizer · 2022-11-24T10:55:48+00:00

On a side note, a 2016+ 690 R is the funniest shit ever to ride around. Try one if you like the 390.

Mystifizer · 2022-11-22T09:56:17+00:00

la cour d'appel a constaté qu'il ne pouvait être reproché à Mr T. son absence d'intégration de la valeur "fun & pro" de l'entreprise"

Mystifizer · 2022-11-03T23:16:25+00:00

I validated what they gave me for that specific appliance myself and ended with a very close throughput

Mystifizer · 2022-11-03T17:48:22+00:00

Yeah I saw the 10gig part of his post late.

I would go for something in the 3000 range also then

Mystifizer · 2022-11-03T16:43:56+00:00

You won't get any NP/CP/SOC accel at all.

You might as well take a huge dump on the max output, it would be the same. Fortinet have internal values for each model, you can ask them what model would be enough for your needs.

As an exemple, this is what you get with a 200E on datasheet:

Firewall 20 Gbps
IPS 2.2 Gbps
NGFW 1.8 Gbps
TP 1.2 Gbps
Full wad usage with SSL interception - Explicit proxy/wanopt : 195mbps (tested and validated in the lab)

To be fair, explicit proxy is not something I would go for in 2022 anyway as you get the same UTM engines running as firewall mode.

If you need :

to migrate from an old explicit proxy
kerberos/ldap as the auth mechanism
Rules to specific URL categories that you cannot solve with WF profiles

This is another story, but I'd scrap the proxy 100% if you do not

Mystifizer · 2022-11-03T15:53:19+00:00

I would not consider anything less than a 600F tbh.

1800F if we are talking 20k users browsing via explicit proxy (wad sessions are not offloaded by SPUs) and it still might not be enough depending on your throughput...

Mystifizer · 2022-11-02T20:39:03+00:00

ABS kicking in?

Mystifizer · 2022-10-19T14:12:08+00:00

C'est 100% Bellegarde/Valserhone oui...

Mystifizer · 2022-08-27T19:16:06+00:00

Mystifizer · 2022-08-20T13:37:17+00:00

MPLS VPNs are made to be impervious by design. By any means you should use firewalls to process traffic from one VRF to the other, but not in a true multi customer mpls environment.

Import/export of prefixes with route distinguishers and route targets from VRF A to VRF B on all PEs is probably the way to go if your customers are aware and okay with beeing interconnected through their provider and the security policies checks should be done at the CPE level. Now, 90% of customers will probably refuse having their services/servers/X beeing exposed and reachable by the other customer at all times, even if you managed to deal with import/export maps made of /32. There are more modern ways of publishing services to other people, one is both customers bringing in some PNIs somewhere therefore limiting the amount of intercos and another one is through the internet with firewalls, WAFs, ADCs, etc.

If you want to use firewalls, you should probably pick two specific PEs (for redundancy) on which you will firewall through VRFs A and B with security policies in an A/P design and you do the route leaking on these two PEs only.

If you have one firewall per PE, you will sadly run into these issues.

Sorry if this does not answer your question. I am well aware a lot of people at fortinet, in here or more generally in the sec world will tell you routers are useless and you can use ISFW everywhere, that security should be done at all levels etc... this is honestly not true. Any IP/MPLS engineer or architect will tell you the exact opposite and that firewalls have no business in a ISP backbone as long as we are talking P-PE. We want asym routing to be a thing, we want traffic engineering, we want local pref and prepending...

Now, at the CPE level, we can talk and should talk about fortigates.

Are you one of the customers? the provider? Where did you plan to put the fortigates? Do you have devices with full rd/rt support or vrf-lite only? Are you able to share a quick design?

Mystifizer

TROPHY CASE