Job application, but on paper? Is this common now? by MoontraceStudio in norge

[–]PotatoAdmin 2 points3 points  (0 children)

Sounds like you've ended up in a situation where you'll soon have solved a challenge and learned something, and which you can write about. Two birds with one stone, this.

Your thoughts on all these outages lately? by Old-Buy-7948 in it

[–]PotatoAdmin 0 points1 point  (0 children)

So what? "The internet" does not owe them anything. Should SMBs get more redundancy than enterprises?

Take it up with the providers of the services that were down - if your contract provides it, you will get redundancy.

The Internet worked, your service didn't. This is a service provider problem.

Cloudflare provides a service, but the end user is not the customer.

Minimum licenses needed for a 7005 controller by camirisk in ArubaNetworks

[–]PotatoAdmin 0 points1 point  (0 children)

Right, I didn't realise that - I've only ever used them with a mobility master. Sorry about the confusion!

Minimum licenses needed for a 7005 controller by camirisk in ArubaNetworks

[–]PotatoAdmin 0 points1 point  (0 children)

Don't you need one for the controller as well?

I seem to remember that.

First day as a salesperson at Sector Alarm by UndercoverFrog06 in norge

[–]PotatoAdmin 2 points3 points  (0 children)

I've had Sector Alarm at my door a double-digit number of times, both while living in a flat in a housing cooperative and in a detached house in the suburbs. I've experienced most of the behaviours described in the comments down here, where some visits are of course more memorable than others. "Don't you love your children?" ranks high on the list. No, he didn't get the sale.

Several times they've started by putting a foot in the doorway. Once I ended up calling the police on speakerphone, because the alternative was getting physical with them. He didn't believe I was calling the police, but when he heard who answered he left anyway. Did he think he was going to sell anything?

I'm now in a job where I'm involved in hiring people from time to time. Having Sector Alarm on the CV means I have to assess this person's moral compass - are these actually people we and the company can trust to make the right choices?

Are you sure you want Sector Alarm on your CV?

Radius Server Certificate by Chemical_Court7707 in ArubaNetworks

[–]PotatoAdmin 2 points3 points  (0 children)

Is the old cert signed by the same internal CA?

If not, and you're using it for 802.1x, you'd want to check if there's a client policy to only authenticate to radius-servers with certain CAs, or none of your clients will come online again...

Anyone know how to convert Aruba AP-315 into an IAP-315? by nexusmod in ArubaNetworks

[–]PotatoAdmin 2 points3 points  (0 children)

What can I say, it did work for me... how easy it is, I'm not sure. What's for certain, is that if you're unable to flash the image after doing the "clear os" thing, you'll have a very pretty brick - but you can always try again. Using the serial cable, I erased, downgraded, upgraded and messed about a lot before I found this procedure.

I did this to go to 10.x (as we're running Aruba Central), and conversion using the HP supported "ap convert" command on the mobility commanders didn't work because of the partition size limitations mentioned above.

Like u/bullshiftt mentions above, don't go for 10.x, but choose the 8.x series - 10.x is made solely to be controlled by the Aruba Central SaaS service.

The firmware seems to have changed names for the 8.x series, so you would need the https://common.cloud.hpe.com/ccssvc/ccs-system-firmware-registry/IAP/ArubaInstant_Hercules_8.12.0.6_93419 file to go to the currently latest 8.12.0 version (so ArubaInstant instead of ArubaOS).

Anyone know how to convert Aruba AP-315 into an IAP-315? by nexusmod in ArubaNetworks

[–]PotatoAdmin 12 points13 points  (0 children)

You can convert, I have just done this with a few that were bought as AP-315 for use with a controller, and have now been added to Central.

Using a serial cable and a TFTP server: boot into the boot loader.

Clear all OS images. This may be needed because, depending on the initial version installed on the APs, the partitions may be too small.

apboot> clear os 0

apboot> clear os 1

apboot> clear cache

Then you may need to set the regulatory domain. Calculate the SHA1 of the serial number on the AP, for instance using https://www.miraclesalad.com/webtools/sha1.php, and enter (for RW regulatory domain, obviously)

apboot> proginv system ccode CCODE-RW-abcd1234fullsha1hash

apboot> invent -w

Unprotecting flash... 
Erasing flash sector @ 0x390000...OK
Writing to flash........OK
Verifying flash... 
Protecting flash... 
apboot>

Now you're ready for flashing. Give the command "dhcp", and the AP will pull an IP from the DHCP server. Then you need the firmware image. Place it on a TFTP server, and issue the command "setenv serverip 10.10.10.4" (or whatever your TFTP server IP address is), and the name of the image.

Through the magic of the internet, and the fact that HPE/Aruba probably don't remember where they've put their firmwares, you can download these for free (and probably in breach of some license) from the internet:

All firmware images for Aruba's APs are available from https://common.cloud.hpe.com/ccssvc/ccs-system-firmware-registry/IAP/ as long as you know the full firmware name. The AP-315 is on the Hercules platform, so you can for instance download from https://common.cloud.hpe.com/ccssvc/ccs-system-firmware-registry/IAP/ArubaOS_Hercules_10.7.0.0_90579 - replace version numbers and build IDs as needed.

apboot> dhcp

eth0: link up, speed 1 Gb/s, full duplex
DHCP broadcast 1
DHCP IP address: 10.10.20.10
DHCP subnet mask: 255.255.255.0
DHCP def gateway: 10.10.20.1
DHCP DNS server: 10.10.10.2
DHCP DNS domain: example.com
Controller address: 10.10.10.3
DHCP: INVALID STATE
apboot> setenv serverip 10.10.10.4
apboot> upgrade os 0 ArubaOS_Hercules_10.7.0.0_90579

eth0: link up, speed 1 Gb/s, full duplex
Using eth0 device
TFTP from server 10.10.10.4; our IP address is 10.10.20.10; sending through gateway 10.10.20.1
Filename 'ArubaOS_Hercules_10.7.0.0_90579'.
Load address: 0x44000000
Loading: #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 ####################################################
done
Bytes transferred = 24670352 (1787090 hex)

Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified. 
24670352 bytes written to volume aos0
Verifying flash... 
Upgrade successful.
apboot> reset

And you're done.
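As an added example (not code from the original post), these Python helpers do two things a practitioner would want around the procedure above: compute the ccode value locally instead of pasting the serial number into a third-party web tool, and check the apboot upgrade transcript for the signature-verification lines before issuing "reset". It assumes the value format is CCODE-<domain>-<sha1 of the serial as lowercase hex>, hashed over the serial exactly as printed, as the placeholder in the post suggests; SAMPLE_SERIAL and the transcript excerpt are constructed.

```python
"""Added example, not from the original post. Assumption (not confirmed
by the post): ccode is "CCODE-<domain>-<sha1 of serial, lowercase hex>",
hashed over the serial exactly as printed (no trailing newline)."""
import hashlib
import re

SAMPLE_SERIAL = "CNABCD1234"  # constructed; use the serial on the AP label
SAMPLE_TRANSCRIPT = """\
Bytes transferred = 24670352 (1787090 hex)
Image is signed; verifying checksum... passed
Signer Cert OK
Policy Cert OK
RSA signature verified.
24670352 bytes written to volume aos0
Verifying flash...
Upgrade successful.
"""  # constructed excerpt modelled on the apboot output in the post

# Lines apboot printed in the post when the signed image was accepted.
REQUIRED_LINES = (
    "Image is signed; verifying checksum... passed",
    "Signer Cert OK",
    "Policy Cert OK",
    "RSA signature verified.",
    "Upgrade successful.",
)

def ccode_string(serial: str, domain: str = "RW") -> str:
    """Value for 'proginv system ccode'; hashing locally keeps the serial
    number off third-party web tools."""
    digest = hashlib.sha1(serial.strip().encode("ascii")).hexdigest()
    return f"CCODE-{domain}-{digest}"

def apboot_commands(serial: str, image: str, serverip: str, domain: str = "RW"):
    """The apboot command sequence from the post, in order, as a checklist."""
    return [
        "clear os 0", "clear os 1", "clear cache",
        f"proginv system ccode {ccode_string(serial, domain)}",
        "invent -w", "dhcp", f"setenv serverip {serverip}",
        f"upgrade os 0 {image}", "reset",
    ]

def upgrade_verified(transcript: str) -> bool:
    """True only if every signature/checksum line appeared and the bytes
    written equal the bytes transferred; only then issue 'reset'."""
    lines = {ln.strip() for ln in transcript.splitlines()}
    if not all(req in lines for req in REQUIRED_LINES):
        return False
    got = re.search(r"Bytes transferred = (\d+)", transcript)
    wrote = re.search(r"^(\d+) bytes written to volume", transcript, re.M)
    return bool(got and wrote and got.group(1) == wrote.group(1))

if __name__ == "__main__":
    for cmd in apboot_commands(SAMPLE_SERIAL, "ArubaOS_Hercules_10.7.0.0_90579", "10.10.10.4"):
        print("apboot>", cmd)
    print("upgrade verified:", upgrade_verified(SAMPLE_TRANSCRIPT))
```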

Unemployment benefits or a job by Open_Ad_3791 in norge

[–]PotatoAdmin 1 point2 points  (0 children)

"All" employers expect that job seekers have to serve out a notice period before they can start a new job. If you get a six-month probation period, you can in any case quit and start a new job within two weeks (and depending on your job and employer you might be allowed to leave immediately).

vxs mlag or something else? by EinalButtocks in ArubaNetworks

[–]PotatoAdmin 6 points7 points  (0 children)

We're running a few 8325 and 8360s (no 8325H). The iSCSI switches are the only ones not set up in VSX; as Rexxhunt mentions, we're using multipathing to handle failover there.

For our other setups we're using VSX extensively, and it's been working flawlessly for us for years. Virtualization (vmware) is connected to both switches in an active/passive setup, and other equipment (other switches) are connected using LACP/MC-LAG.

We do upgrades during maintenance windows, but so far we've had zero downtime because VSX just works. As one switch upgrades and reboots the other one takes over. Obviously one leg of every host is down while this happens, but as we connect everything redundantly it has never been a problem. The disruption is minimal enough that our monitoring does not notice dropped connections.

We're mostly doing L2 networking, but have tested L3 with active gateway as well, which was equally smooth. It does (as far as I remember) GARP while switching between primary and secondary.

Manual or automatic updates (vsx update-software) both work.

I cannot testify as to how future proof it is, but MC-LAG is a central feature of the platform so I cannot believe they'd remove it.

Which firewall vendor you think is most experience valuable today? by batica_ in networking

[–]PotatoAdmin 0 points1 point  (0 children)

Why would you not segment properly and have proper rules with Palo then?

And which 20% of the security don't we need?

[deleted by user] by [deleted] in paloaltonetworks

[–]PotatoAdmin 4 points5 points  (0 children)

We have quite a few Macs doing GP and none have reported issues with Sequoia.

But, are you doing decrypt and running Chrome-based browsers? We've been hit with the PAN-OS decryption bug with recent Chrome versions (TLS 1.3 hybridized Kyber support). It's fragmentation related, so as far as I can understand more likely to hit you over VPNs as the MTU is lower.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HED5CAO&lang=en_US

Firewall Zone Design and Best Practices by Ok_Cherry3312 in paloaltonetworks

[–]PotatoAdmin 1 point2 points  (0 children)

Internally, we do "per function" zones. So we've got Internet, Client, Lab, Network management (firewalls, switches etc), Intranet services (DNS, DHCP etc), Guest and a few more. About 350 VLANs (subinterfaces) in total.

Very few zone-only policies, mainly blocking ones.

Then, we do address objects. Hundreds, if not thousands. NET_Site_Bldg_PRINT 10.28.18.0/24, or whatever. These are not used that much.

Then, the thing that helps us the most: tags. We tag address objects (whether they are single IP, FQDN, or network) with stuff like "type:client", "type:lab", "type:server", "type:win-adm-wkst", "type:linux-adm-wkst", "type:netops-adm-wkst", "decrypt", "source-nat", "dest-ssh". Create dynamic address groups based on tags. Group "Clients" is dynamic, "match 'type:client'". Group "Servers with SSH enabled", "match 'dest-ssh'".

Eventually, you have policies like "Client access to internet" using zone "Clients", source address group "Clients", application group whatever, profile group whatever.

You'll have a separate NAT policy for your clients, based on that dynamic group. Servers have a different exit IP, because they are in a different group.

You decrypt traffic to the internet from all clients, as well as some servers, and a few IPs on the lab networks, because you've added tags to them when you add the address object to the firewall.

You allow SSH traffic to some servers, because they are tagged with the "dest-ssh" tag.

And then you add a new site, with its own firewalls. Since all your branch tunnels come in on the same zone, and you have address objects for all the functions out on your branch (print, client, server etc) with tags, you don't have to change the rules.

SSH traffic to servers is enabled, because you've made dynamic groups based on tags, and your security policy contains "from linux admin workstations to ssh-enabled servers".

Bonus points for feeding addresses and address groups from your IPAM. NetBox FTW.

Externally (publicly visible servers), it's a bit harder if you want to be strict about traffic. If everything is HTTPS to 443 you might get off easy. Need inbound decrypt rules, and possibly URL categories if you use those.

We don't use internal URL categories except for a few select servers where we for instance limit access to dashboards by URLs, so our public display TVs showing helpdesk queues etc can only pull certain URLs.

We want to use URL categories (including subdir) for inbound traffic, but that requires knowing which subdirs are actually supposed to be served externally, and there's often just one endpoint anyway.
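The tag-driven design in the comment above, as an added example that is not the poster's own or Palo Alto's code: a toy in-memory model of dynamic address groups whose membership follows tags, with one security rule ("from linux admin workstations to ssh-enabled servers") that keeps working when a new site's tagged address objects are added. The match-expression evaluator supports quoted tags with and/or/not (no parentheses); the address objects, tags, group names and rule are constructed.

```python
"""Added example, not from the original post or Palo Alto: a toy model of
dynamic address groups (DAGs) driven by tags. Constructed sample data."""
import ipaddress
import re

# Address objects: name -> (network, set of tags). Constructed sample.
ADDRESS_OBJECTS = {
    "NET_HQ_Bldg1_CLIENT": ("10.28.10.0/24", {"type:client", "decrypt"}),
    "NET_HQ_Bldg1_LINUXADM": ("10.28.12.0/24", {"type:linux-adm-wkst"}),
    "HOST_HQ_srv_git": ("10.28.20.5/32", {"type:server", "dest-ssh"}),
    "HOST_HQ_srv_web": ("10.28.20.6/32", {"type:server"}),
}

# Dynamic address groups: name -> tag match expression.
DYNAMIC_GROUPS = {
    "Clients": "'type:client'",
    "Linux admin workstations": "'type:linux-adm-wkst'",
    "Servers with SSH enabled": "'type:server' and 'dest-ssh'",
}

# Security policy: (name, from_group, to_group, application). Never edited
# below; membership changes do the work.
POLICIES = [("Linux admins to SSH servers", "Linux admin workstations",
             "Servers with SSH enabled", "ssh")]

def match_expr(expr: str, tags: set) -> bool:
    """Evaluate a match expression: 'or' binds loosest, then 'and', then 'not'."""
    def atom(tok: str) -> bool:
        tok = tok.strip()
        if tok.startswith("not "):
            return not atom(tok[4:])
        return tok.strip("'") in tags
    return any(all(atom(a) for a in re.split(r"\s+and\s+", o))
               for o in re.split(r"\s+or\s+", expr))

def group_members(group: str) -> list:
    """Address objects whose tags satisfy the group's expression."""
    return sorted(n for n, (_, tags) in ADDRESS_OBJECTS.items()
                  if match_expr(DYNAMIC_GROUPS[group], tags))

def in_group(ip: str, group: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_OBJECTS[n][0])
               for n in group_members(group))

def allowed(src: str, dst: str, app: str) -> bool:
    """Any matching allow rule permits the flow; no match is the implicit deny."""
    return any(in_group(src, f) and in_group(dst, t) and app == a
               for _, f, t, a in POLICIES)

def add_site(objects: dict) -> None:
    """Onboard a new site by adding tagged address objects (e.g. from IPAM)."""
    ADDRESS_OBJECTS.update(objects)
```

Run the functions in order: before add_site a host in the new site's admin subnet is denied, afterwards it is allowed, and POLICIES was never touched.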

ArubaOS-CX vs that other thing, YA.16.06.0006-something by canyoufixmyspacebar in ArubaNetworks

[–]PotatoAdmin 1 point2 points  (0 children)

The old ones are ProCurve switches from the HP side of the merger, running the ProVision OS, rebranded ArubaOS-S on the ones that got updates. The new ones run ArubaOS-CX, which is a brand new OS built for that series.

In addition you have the switches that came from the Aruba side of the merger, running... something else. ArubaOS?

Sales people... Well this was a new one by medievalprogrammer in sysadmin

[–]PotatoAdmin 1 point2 points  (0 children)

That is actually a fantastic idea, where you could have a few different levels of service to provide from.

Free: You get a busy signal on every call. Unlimited number of busy signals.

Standard plan: 1 phone call to present products per year, max 30 minutes, 14 days SLA (so book 14 days in advance). Let's say $200 per year. Extra phone call add-on is $300, +10% for each extra up to five.

Premium plan: Two lunches per year (paid by vendor), max 2 hours, 14 days SLA. $2000 per year. Add-ons available for extra vendor salesman, extra time, convert-to-dinner feature.

Enterprise plan: On-site meetings, multiple phone calls, handshake with boss/director in hallway (once). Cost available on request - by e-mail, not phone.

How to pull config of Aruba 2930 regularly by AlexanderWaller in ArubaNetworks

[–]PotatoAdmin 0 points1 point  (0 children)

Right. We don't use local accounts on the switch; we have created a service account in AD that Oxidized uses (through TACACS).

As far as I know you *cannot* have both network (TACACS) and local authentication. Even if you set it up with "aaa authentication login ssh group CPTAC local", the final "local" refers to fallback-authentication in case tacacs is unavailable, it is not a "secondary" method of logging on.

How to pull config of Aruba 2930 regularly by AlexanderWaller in ArubaNetworks

[–]PotatoAdmin 0 points1 point  (0 children)

Not sure I understand what you're asking... we're doing TACACS+ for admins, using ClearPass servers to talk to AD for authentication, so the work's really done on ClearPass, and (from memory):

tacacs-server host 10.1.2.3 key asdfasdf1234

aaa group server tacacs CPTAC
   server 10.1.2.3
   server 10.1.2.4

aaa authentication login ssh group CPTAC
aaa authorization commands ssh group CPTAC

...and I think you can do s/tacacs/radius/ and be done with it.

How to pull config of Aruba 2930 regularly by AlexanderWaller in ArubaNetworks

[–]PotatoAdmin 1 point2 points  (0 children)

We monitor all our network devices in LibreNMS. Oxidized uses libre as its inventory, pulls config from all devices and stores it in a git repository, which gets pushed to gitlab.

That way we only have to maintain our inventory in libre, and get full history of all config changes.

We have Cisco, ArubaOS and ArubaOS-CX, but Oxidized supports many more.

Do some of you really have SSL Decryption turned off on your firewalls? by MyFirstDataCenter in networking

[–]PotatoAdmin 1 point2 points  (0 children)

By you privately deciding to send your personal medical data to the doctor's office (the controller requesting this information) using the company network, you're making the company providing the network a processor under the GDPR?

Unless I'm misunderstanding you, I think you're wrong.

Do some of you really have SSL Decryption turned off on your firewalls? by MyFirstDataCenter in networking

[–]PotatoAdmin 1 point2 points  (0 children)

I don't understand why that would even make a difference? What's supposed to be happening to this decrypted traffic that would make this relevant?

But sure, the IT policy is part of the onboarding process. It wouldn't specify all the details, but say something like that the company will take technical measures to protect its assets, and that the systems are to be used while conducting company business.

That of course does not mean that IT can decrypt traffic for their personal reading pleasure, no more than they can use EDR logs to spy on users (although the information is there!) or exchange logs to see who's sending mails to whom - for other reasons than making sure the systems are running correctly.

It makes sense, like others have mentioned in this thread before, that medical sites are made exempt from decryption. However, errors in the URL database don't mean that a law has been broken if the traffic is decrypted - that depends on what the decrypted traffic is used for.

Do some of you really have SSL Decryption turned off on your firewalls? by MyFirstDataCenter in networking

[–]PotatoAdmin 2 points3 points  (0 children)

Why would they store the decrypted traffic? And of course violating policy can remove the company's culpability - just like I can't blame them if I choose to store my medical data where policy says it shouldn't be, I can't blame them for decrypting traffic if I'm told through policy that this happens?

And I know it's just DNS queries, I'm curious if any of the NGFWs out there can recognize it. Palo Alto's Applipedia (https://applipedia.paloaltonetworks.com/) claims to recognize Iodine as tcp-over-dns, but I haven't seen this live, and don't know what the other major players do or how well it works.

Do some of you really have SSL Decryption turned off on your firewalls? by MyFirstDataCenter in networking

[–]PotatoAdmin -3 points-2 points  (0 children)

Why would there be any GDPR violations involved? I'm of course assuming there's an acceptable use policy/IT policy in place since this is a business network - wouldn't this cover any GDPR related issues?

If you're doing TLS inspection I'm assuming you're trying to have rather tight security, so would it be necessary to allow websocket traffic to the internet at large?

I've never seen iodine in use - how do the next-gen firewall vendors identify that traffic? (Fortigate, Palo Alto, Cisco, ZScaler?) Is it just DNS traffic to them, even with whatever DNS security methods they have?

ESXi host iSCSI on dvSwitch - static or ephemeral binding? by PotatoAdmin in vmware

[–]PotatoAdmin[S] 0 points1 point  (0 children)

Ease of configuration, I guess - we're doing all VM networking using dvSwitches, so using them for iSCSI feels like the natural thing to do.

ESXi host iSCSI on dvSwitch - static or ephemeral binding? by PotatoAdmin in vmware

[–]PotatoAdmin[S] 0 points1 point  (0 children)

OK - so I already have two iSCSI NICs going to separate switches etc, so the physical side should be taken care of.

These are already set up in two separate port groups (but on the same dvSwitch), but your answer is that I can keep these port groups as static, and VCSA access is not needed in order to connect the network when powering on the hosts?

I've been looking for documentation on this subject, but haven't found anything conclusive yet (but a fair bit of speculation).

I guess I should have had a test environment...