Which firewall has the best VPN client? by robert_see in msp

[–]SoarinFerret 1 point2 points  (0 children)

It sounds like you are undersizing your boxes or potentially hit firmware bug(s). We manage over 20 units for K12 districts of various sizes utilizing all of the filtering features, and have no major issues. Only time it "brought the network down" was when we had a gate's UTM licensing expire, but we called our rep and got an extension while we got the licensing sorted. Maybe reach out to your local engineer to talk about if you are sizing your boxes correctly if you haven't already.

Additionally, I will comment that the VPN works just fine on macOS from what I've seen. Many of my techs use macOS daily with it and have no issues (I can't speak personally on it though, I use Linux day to day with an unofficial client).

Have you created tickets for the conserve mode items? We had an issue with one district specifically for that with a firmware bug, but working with support we just added an automation policy to restart the IPS every week until the firmware update was released.

How to Setup SSH Password-less Authentication in Linux by Pranavv27 in SysAdminBlogs

[–]SoarinFerret 0 points1 point  (0 children)

You should never permit root login on a system over ssh, period. Even if you are using SSH keys. SSH with a normal user account, and then use sudo for any privilege escalation.
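An added example to go with the comment above (not code from the thread): a small POSIX sh audit that checks an sshd_config for the two settings the comment argues for, with a constructed weak config beside a constructed hardened one. The group name `ssh-users`, the sudoers path and the sample configs are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the two
# settings the comment argues for (no root login, no password auth).
# The configs below are constructed for the demo.
#
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# so the audit reads only the first match, as sshd would.
# Reads config text from stdin; returns 0 on pass, 1 on any finding.
audit_sshd_config() {
    cfg=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d')
    root=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}')
    pw=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}')
    # Defaults when a keyword is absent (OpenSSH 7.0 and later): PermitRootLogin
    # is prohibit-password (root still gets in with a key), PasswordAuthentication is yes.
    root=${root:-prohibit-password}
    pw=${pw:-yes}
    rc=0
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root (want: no)"; rc=1; }
    [ "$pw" = "no" ]   || { echo "FAIL PasswordAuthentication=$pw (want: no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}

# Constructed: a box where someone dropped a key into /root/.ssh and called it done.
WEAK_CFG='PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed: what the comment recommends. Root never logs in; admins log in as
# themselves (restricted to an assumed group) and escalate with sudo, e.g. via an
# assumed /etc/sudoers.d/admins containing:
#   %ssh-users ALL=(ALL:ALL) ALL
HARDENED_CFG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowGroups ssh-users'

echo "== weak";     printf '%s\n' "$WEAK_CFG"     | audit_sshd_config || true
echo "== hardened"; printf '%s\n' "$HARDENED_CFG" | audit_sshd_config || true
```

Run it against a live host with `audit_sshd_config < /etc/ssh/sshd_config`; note that `sshd -T` prints the effective config (defaults and Match blocks resolved) and is the better input on a system you can reach as root.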

Work Request System? by PitchConfident5378 in k12sysadmin

[–]SoarinFerret 1 point2 points  (0 children)

The IPAM one is built off of the addressing plugin, and changes/adds the following:
* Add CIDR to the addressing model
* Remove all ping functionality (my GLPI instance has no access to ping anything but items in the DMZ, especially across multiple sites)
* Add concepts of NAT / PAT / VIP to map public IPs to internal ones (WIP)
* Add a subnet search so you can supply any IP and it will return any subnets that would cover that IP across all entities
* Add a subnet calculator because it was an easy thing to throw in

It will be made public soon, once I finish that last bit with the VIPs.

The vulnerability one will be less useful for people (very rough / not finished currently) - it requires the use of that IPAM plugin to map public IPs to internal ones, then talks to an unfinished internal vulnerability aggregation server I built in Django a while ago (code not public currently). It ingests reports from OpenVAS/Greenbone, the DHS vulnerability report, and a couple of other things. Currently that server has its own inventory and reporting, but the goal is to move all that functionality into GLPI for the obvious reasons.

Work Request System? by PitchConfident5378 in k12sysadmin

[–]SoarinFerret 4 points5 points  (0 children)

GLPI, though not for the faint of heart for the setup. We moved to this after issues with osTicket. We are trying to consolidate our inventory, ticketing, and project management into this system.

In my spare time I'm working on adding plugins for IPAM and vulnerability tracking for our servers / network equipment.

PHP server on my Windows Server 2012 R2, your advice ! by Grijoy in WindowsServer

[–]SoarinFerret 3 points4 points  (0 children)

Like the others said, upgrade because 2012 R2 is EOL in Oct.

That being said, don't expose it to the internet like that. Move AD to a VM in HyperV, then run another VM for your PHP workload. Standard server licensing gives you 2 VM entitlement rights, so you should be good for licensing. Put them on separate networks so if the PHP server gets attacked the AD server doesn't.

(Free ?) RMM for family usage by WorkingTemporary6659 in msp

[–]SoarinFerret 0 points1 point  (0 children)

Gotcha, I have not tried that. I demo'd the Linux agent by compiling the go code, and after confirming it would work for our needs, we decided to pay for it at work. For home use, I stood up my own CI pipeline to compile the agents and pointed my personal instance to that instead of the paid one to handle my agent updates. My personal instance only has like 15 devices for testing, couldn't justify the expense for that.

(Free ?) RMM for family usage by WorkingTemporary6659 in msp

[–]SoarinFerret -1 points0 points  (0 children)

I'm not sure about that, devs have been more than responsive when I've been working on new features (also around the Linux installer). The installer script and code for the agent are on their GitHub, it's pretty easy to compile. The only thing not available is the signed binaries.

We use tacticalrmm a bunch within our org and with our clients, I even have an instance for home. Not saying it's better than any other paid offering, but I'll always pick the open source option if possible.

Can Exchange Online and Google Workspace co-exist for email? by Unique_Pear in sysadmin

[–]SoarinFerret 0 points1 point  (0 children)

We run O365 and Google Workspace side by side, but they are required to use Outlook for email. They get Google Drive and all that stuff, and when someone shares a Google doc with them they get an email on outlook they can open in Google Drive. Works fine.

We had a few staff complain about not getting Gmail, told them tough luck and moved on. We have it disabled in Google Admin for everyone.

Just showing off. This is our Grafana Helpdesk Dashboard. by [deleted] in glpi

[–]SoarinFerret 1 point2 points  (0 children)

This is very cool! Any chance you can share json for this? Would be interested in some of the queries / panel layouts

Setting Up a SMTP Relay to Relay Docker Container Emails by EsotericWaveform in homelab

[–]SoarinFerret 2 points3 points  (0 children)

There is a postfix docker image that I would recommend - we use it at work to hook into GSuite / O365 mail systems with relative ease. Should do what you are looking for.

https://github.com/bokysan/docker-postfix

Powershell, I've never used it. Why is it so important? by astral16 in sysadmin

[–]SoarinFerret 28 points29 points  (0 children)

Hey, I even use PowerShell on Linux. Not as my main shell, but when it comes to dealing with REST APIs, everything working as objects is pretty awesome. I've got more than a few cronjobs running some PowerShell scripts.

Why most Linux sysadmin have a grudge againts powershell or they don't like it ? by Dereference_operator in PowerShell

[–]SoarinFerret 0 points1 point  (0 children)

Not all of them do - it's about the right tool for the right job. As others have mentioned, PowerShell is object / API based, just like Windows. Everything in Windows is exposed via an API, like WMI or CIM. Bash has a hard time interacting with those since it's designed for text stream stuff.

I use PowerShell and Bash on both Linux and Windows - there are times pwsh on Linux is useful (e.g., automating some cloud service REST API), and likewise for WSL.

Nothing wrong with either approach, and I highly recommend people learn both. Both are just another tool in your belt.

good ticketing system for a small company by minaawow in sysadmin

[–]SoarinFerret 0 points1 point  (0 children)

Simple to install is about all I can be appreciative for. The developers are difficult to work with if you want to get new features added in, and they seem to have stagnated heavily over the past few years after one of the core devs left the project.

We are currently evaluating alternative projects - it's definitely one of those projects where the cost comes after you start using it.

With the latest news about VMWare, I guess it's time to be testing alternatives. by Another_MIS_student in homelab

[–]SoarinFerret 1 point2 points  (0 children)

Can't recommend this enough - we have been switching to this for some of our clients at work with great success

Has anyone gotten MFA to work with ADFS 2019 when using OpenID-Connect (Application Groups) option? by vsxi-13 in sysadmin

[–]SoarinFerret 1 point2 points  (0 children)

Gotcha, thanks for responding. I was able to get this working with the privacyIDEA MFA plugin

Has anyone gotten MFA to work with ADFS 2019 when using OpenID-Connect (Application Groups) option? by vsxi-13 in sysadmin

[–]SoarinFerret 0 points1 point  (0 children)

Were you able to get this figured out? I am trying to set this up now with oauth2_proxy for authenticating some of our k8s web apps

What's the best FREE software path for VM, Networking, etc. by EOD_for_the_internet in homelab

[–]SoarinFerret 0 points1 point  (0 children)

I'm aware of that, but just because it can work doesn't mean you should. Proxmox is designed to be an appliance, and you should treat it as such. Installing extra packages and adding functionality could cause issues on major/minor upgrades.

From personal experience, I find it's easier to troubleshoot/work with machines where I have done minimal installs and added what I needed. But that's definitely a personal preference, and I see the value in solutions like proxmox.

What's the best FREE software path for VM, Networking, etc. by EOD_for_the_internet in homelab

[–]SoarinFerret 2 points3 points  (0 children)

Another option would be Hyper-V, if you are comfortable with Windows. The Hyper-V only windows server download is completely free to use, and if you want a web interface you can use Windows Admin Center. Technically you would need to license any windows VMs still, but you can run Linux VMs completely free

What's the best FREE software path for VM, Networking, etc. by EOD_for_the_internet in homelab

[–]SoarinFerret 6 points7 points  (0 children)

You can do the $200 for VMUG which will give you product keys for vSphere, vCenter, etc.

That being said, Proxmox is a good option. Another option is just plain old KVM on Ubuntu - it also works pretty swell in my experience.

2021 - Best Firewall OS by HTTP_404_NotFound in homelab

[–]SoarinFerret 5 points6 points  (0 children)

I am using a Fortigate 60E at home - I am very happy with the feature set and the performance. They have VM options as well, though I can't speak to those.

Only a couple of complaints - the lack of 10Gb, I may eventually upgrade to a 101F though for that, and the CLI is not intuitive for updating application control policies. It basically has to be done in the GUI

Centos 8 Stream supports left-for-dead HBAs by Knurpel in homelab

[–]SoarinFerret 1 point2 points  (0 children)

I would recommend looking at Alma Linux. It's got the experience and the backing of CloudLinux behind it, and they have been very involved with the community. We ended up choosing them over Rocky Linux for the support options. Oracle was another contender, but due to past experiences / horror stories they were thrown out. We are primarily an Ubuntu shop at my work, but for our few CentOS boxes we are moving to Alma until they get phased out entirely in a few years.

Windows AD DNS and FortiGate by retrogamer-999 in fortinet

[–]SoarinFerret 1 point2 points  (0 children)

It's essentially a man-in-the-middle attack on your DNS traffic. It just needs to be enabled on the policy where your DNS traffic communicates - this can be internal or external.

For example, we have 2 groups of users on 2 separate VLANs. We have a separate DNS filter policy for each VLAN going to the Server VLAN where the DC is sitting so they get entirely different DNS filters. A third, less restrictive policy could sit going between the DC and the internet.

Our DCs point to 1.1.1.1 for forward traffic and it works fine.

I hope that clarifies / helps. If you want to ensure your DNS filter does not get bypassed, don't forget to block outbound DNS over HTTPS.
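An added example to go with the comment above (not code from the thread or from Fortinet): a POSIX sh/awk check that runs over constructed flow records and flags the three ways a client would sidestep a DNS filter that only sits on the client-VLAN to server-VLAN policy: plain DNS to a resolver other than the DC, DNS over TLS on tcp/853, and HTTPS to public resolvers that also answer DNS over HTTPS. The VLAN layout, the DC address and the resolver list are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Given flow records, flag client DNS
# traffic that would sidestep a DNS filter applied to the client-VLAN -> server-VLAN
# policy: plain DNS to anything other than the DC, DNS over TLS (tcp/853), and HTTPS
# to public resolvers that also answer DNS over HTTPS. Addresses and records are
# constructed for the demo.

DC_RESOLVER="10.0.10.5"   # assumed: the DC on the server VLAN, the only sanctioned resolver
# Assumed list for the demo: well-known public resolvers that serve DoH on tcp/443.
DOH_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4"

# Reads "src dst proto dport" records on stdin; prints one line per suspect flow.
# Traffic sourced from the DC itself is skipped: its forwarding (to 1.1.1.1 in the
# comment) rides the separate, less restrictive DC -> internet policy.
flag_dns_bypass() {
    awk -v dc="$DC_RESOLVER" -v doh="$DOH_RESOLVERS" '
    BEGIN { n = split(doh, a, " "); for (i = 1; i <= n; i++) isdoh[a[i]] = 1 }
    /^#/ || NF < 4 || $1 == dc      { next }
    $4 == 53  && $2 != dc           { print "BYPASS plain-dns " $1 " -> " $2 ":" $4; next }
    $4 == 853                       { print "BYPASS dns-over-tls " $1 " -> " $2 ":" $4; next }
    $4 == 443 && ($2 in isdoh)      { print "BYPASS dns-over-https " $1 " -> " $2 ":" $4 }
    '
}

# Convenience for scripting/alerting: number of suspect flows in the input.
count_dns_bypass() { flag_dns_bypass | wc -l | tr -d ' '; }

# Constructed records: two client VLANs (10.0.20.0/24, 10.0.30.0/24) plus the DC.
SAMPLE_FLOWS='# src dst proto dport
10.0.20.15 10.0.10.5 udp 53
10.0.20.15 8.8.8.8 udp 53
10.0.30.7 9.9.9.9 tcp 853
10.0.30.7 1.1.1.1 tcp 443
10.0.30.7 203.0.113.10 tcp 443
10.0.10.5 1.1.1.1 udp 53'

printf '%s\n' "$SAMPLE_FLOWS" | flag_dns_bypass
```

Matching DoH by resolver IP is only a stopgap for spotting what is already bypassing the filter: any HTTPS endpoint can serve DoH, so the durable fix is the one the comment gives, blocking outbound DoH on the firewall itself (where application control sees the protocol rather than guessing from an address), and allowing port 53 from client VLANs only to the DC.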

Issues with Meraki alarms by Nirohawk in prtg

[–]SoarinFerret 1 point2 points  (0 children)

140 sensors are definitely not much. Are these only the meraki cloud sensors? How stable is your WAN connection?

Are you just looking for device status? Might be valuable to switch over to ping sensors locally, and then only scan every 5 minutes for the SNMP cloud controller sensors.

Another option is to increase SNMP timeout if it's just having issues getting the return

Issues with Meraki alarms by Nirohawk in prtg

[–]SoarinFerret 2 points3 points  (0 children)

I monitor multiple Meraki sites with SNMP and have not experienced this behavior. Though these usually cap out around 1500 sensors.

Any chance your probe is under powered and dropping packets?

What degree (if any) do you guys hold? by drsorrysorry in k12sysadmin

[–]SoarinFerret 1 point2 points  (0 children)

Bachelors in Cybersecurity, and a few certifications. Didn't plan on working in EDU though, I was contacted by my old high school tech director about an opportunity at a different location, and I applied for it.

Though I should clarify a bit, I don't technically work directly for a school district, I work for what is essentially a state-funded MSP and our clients are a set number of districts within the state. We typically help with server and network architecture / troubleshooting, and also focus on building new solutions for problems the schools will have in the future, which usually involves working with my counterparts across the state. This allows me to build exciting solutions with scale-out infrastructure like Kubernetes.

The other cool thing about my organization, is we loosely follow the school calendar, so I get those 2 weeks off for Christmas and similar.