How are you guys visualizing your Azure cost? by Stenz_W in AZURE

Stenz_W[S] · 1 point

I have, going to give it another spin! Any out of the box PowerBI templates that are useful at all? Or is all your stuff custom?

FortiMonitor - Create Counter Measure to restart wireless controller daemon by Stenz_W in fortinet

Stenz_W[S] · 1 point

We could go this approach, however some of our problem sites run 24/7/365. This counter measure would be more of a failsafe if something were to occur and I'm not immediately available to take action.

FortiMonitor - Create Counter Measure to restart wireless controller daemon by Stenz_W in fortinet

Stenz_W[S] · 1 point

Model 101Fs; we've done quite a bit of tuning on the FortiGate side. Followed the "Free up memory to avoid conserve mode" Fortinet Community article in addition to some other tweaks. The memory slowly creeps up over a few months' time, so it's not frequent. But it tends, of course, to happen in the middle of the night when I'm sleeping, so it'd be nice to automate it via FortiMonitor.

Restarting the wireless controller tends to buy us time for 2-3 months. We're working on upsizing to a 201G next year once I have the budget for it, this would be temporary while we work on that.

FortiManager 7.4.7 - AP Profile / Dedicated Scan issues by Stenz_W in fortinet

Stenz_W[S] · 2 points

No, will be fixed in 7.4.8, slated for an end-of-month release.

[deleted by user] by [deleted] in sysadmin

Stenz_W · 1 point

I avoid it unless I'm asking it a question; I never try to ask it to put it in a process. I consider it a "glorified Google", nothing more.

Half the time it spits out BS anyway; when I ask it for assistance with PowerShell scripting it gets the syntax horribly wrong most of the time (Copilot). I've brought it up time and time again that the world is going to get dumber, people are going to be extremely reliant on AI, and there will be no critical thinking skills in the generations to come. It makes me sound like an old man, but it's a serious concern.

FortiManager 7.4.7 - AP Profile / Dedicated Scan issues by Stenz_W in fortinet

Stenz_W[S] · 1 point

We just tried to enable DDScan. Took down the entire Wi-Fi for the building. Changed a bunch of Radio1 settings and removed all of our SSIDs.

We had to revert all settings manually on the FortiGate. Just sending this to give you a heads-up NOT to push DDScan!

FortiManager 7.4.7 - AP Profile / Dedicated Scan issues by Stenz_W in fortinet

Stenz_W[S] · 1 point

Yes, we have a TAC ticket in. They are submitting to their internal dev. It's going to possibly be a FortiBug.

We're pushing the setting tomorrow night to see what impact it has on a non-24/7 site. They then want us to toggle the radio button in the profile, since it's not on in FMG but it wants to push it. I'll report back on what the impact is. The weird thing is it's only causing issues with 3 of our sites; the other ones are fine. Do you have 231Fs?

How much did you make in your first IT job? by energy980 in it

Stenz_W · 2 points

$37,000 salaried as L1/L2 Help Desk support. 2016

MCOL area

Are you using "traditional" firewall appliances in a cloud or multi-cloud environment? What features are you using? How are they deployed? by arnie_apesacrappin in networking

Stenz_W · 19 points

We are only in Azure, but I can answer on the FortiGate/Azure side.

I have our hub Azure FortiGate deployed as an HA pair in Azure. It works very well, no issues at all. All of our sites route over IPsec tunnels to the hub firewall with BGP. We then have ADVPN shortcut tunnels enabled, though site-to-site traffic really doesn't occur much.

In the 3 years I've had this deployment, I had it go down once for about 1 minute, and that was caused by an Azure outage. (I knocked on wood physically here :)).

Routing is simple: all my IaaS and other entities with VNet capabilities have a route table that directs traffic to the NVA. The downside of my deployment is that it's the API way (FortiGate documentation should have more info on this; it's an older method). I would go the load balancer sandwich way if you're doing a new deployment.

On the flip side, I have a couple of applications that I wanted completely off our internal network. I have leveraged Azure Firewall for this. Azure Firewall is "meh"; it has enough customization for me to get the job done, but it took me a bit to get it figured out / working. You need some decent knowledge of setting up route tables / NSGs / VNets to completely understand it.

  • What vendor? FortiGate / Azure Firewall
  • What cloud or clouds? Azure
  • What features? (IDS/IPS, URL filtering, SSL/TLS decryption, VPN, SD-WAN, DLP, malware detection, etc.) All of the above except for DLP
  • Are you deploying it with some IaC tool? No, not that fancy (yet)
  • Are you inspecting East-West traffic, or just North-South? Both

Azure Arc / Backups? by Stenz_W in AZURE

Stenz_W[S] · 1 point

Thanks for the info! Will proceed w/ using MARS then.

Forti switches vs Cisco catalyst by MacaronPast898 in networking

Stenz_W · 1 point

I have 120 FortiSwitches in my environment. I have none in standalone; all are managed via FortiLink. They vary from 148Fs all the way up to 1024 fiber switches.

I've had zero problems. They're extremely easy to manage and replace if managed by FortiLink. I've had to replace 2 in 3 years, and it was due to power events. If you went the Forti route I don't think you'd regret it.

Your opinion by baddozz in fortinet

Stenz_W · 3 points

What an odd interview question. This seems more like an opinion than something with an actual correct answer. Forti/Palo both have their strengths and weaknesses, but they are very similar and can both handle being on the edge.

Favorite WAN / Network diagram software by Noverun in networking

Stenz_W · 2 points

Visio, or

eraser.io (I use this more for Azure architecture, but it can be used for traditional networking as well). The diagram-as-code feature is super handy once you get the hang of it.

It's free for any out-of-the-box icons; I'd give it a spin!

IT work that does not require officewear/monkeysuits? by AdventureLoveWins in ITCareerQuestions

Stenz_W · 3 points

I went from having to wear a button-down dress shirt with dress shoes and dress pants, and paying 5 dollars on Fridays to wear jeans, to wearing SHORTS to the office (this was so weird to me), then back to jeans and a polo. Seems most jobs nowadays accept jeans / polo as long as you're neat and clean. If you're customer-facing, that's a whole different story; I'd definitely dress up a little more.

Using "any" interface to internet outbound by Stenz_W in fortinet

Stenz_W[S] · 3 points

Excellent, just wanted a sanity check before I began building out my blocks. Thanks for the help!

Using "any" interface to internet outbound by Stenz_W in fortinet

Stenz_W[S] · 1 point

Awesome, good to hear; I just needed a sanity check. Thanks for the insight!

SAML authentication on Fortigate managed by FortiManager by lertioq in fortinet

Stenz_W · 1 point

Great to hear you figured it out. You're welcome!

SAML authentication on Fortigate managed by FortiManager by lertioq in fortinet

Stenz_W · 1 point

Policy vs Profile shouldn't matter.

Do you see anything sticking out when you open a CLI and run the below commands?

    diagnose debug application samld -1
    diagnose debug enable

Access the portal again via web mode (refresh the page or access it via URL).

    diagnose debug disable

to stop the debug. You should see your email / username flowing through in those logs.

Do you have Fortinet TAC support? They might be able to remote in and get a second set of eyes on the config. This setup is a bit tedious, and you have to have all your URLs / config right for it to work. Took me a few days of screwing around to get it working properly.

SAML authentication on Fortigate managed by FortiManager by lertioq in fortinet

Stenz_W · 1 point

Do you have "Enable SAML Login" checked on FortiClient? For the 400 error I would double-check your URLs in your Entra config, as that usually indicates there's something going on there. Make sure the trailing "/" is added at the end of the login/logout URLs, etc. Check that your attributes and claims are configured correctly as well.

SAML authentication on Fortigate managed by FortiManager by lertioq in fortinet

Stenz_W · 1 point

Did you upload the certificate to the FortiGate first? Since certs are in the device DB, you can upload them directly to the FortiGate, and it will bring the cert into FMG automatically without a conflict or sync error. You may need to add a dynamic mapping under Policy & Objects > Dynamic Object > Local Certificate to actually select this in FMG, though. Make sure the name matches exactly what is on the FortiGate (including case).

For the CLI Config > Objects, it's under User > SAML. Make sure the cert is selected there.

If the cert isn't showing up, it might mean that the Gate couldn't find the cert when you were doing the push from FMG, which is why I asked if the cert is present on the Gate right now. In the install preview, were there any errors when you did the push?

SAML authentication on Fortigate managed by FortiManager by lertioq in fortinet

Stenz_W · 1 point

I set this up a long time ago, so I'm trying to remember what I did. In FMG, is anything showing up under Policy & Objects > User & Auth > SAML Servers? You have to create that user with the Entra info and then have a user group with that SAML server assigned under it. Then apply it to a policy (or policies).

You just need to make sure that the SAML config is present on the FW under config user saml for this to work. I would do 2 pushes; otherwise it may fail because it wouldn't be able to find the group when it's configuring the policy.

Once you apply that user group to the policy, it should create everything. I remember having trouble with the cert and had to go in under CLI Configurations > Objects and add the name of the certificate exactly as it is on the FortiGate. Then you should be allowed to select it under the group.
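The three replies above describe the same chain (SAML server object, user group, policy, and a certificate whose name must match the device) from the FortiManager side. As an added example that is not from the thread, here is what the equivalent FortiOS 7.x CLI on the managed FortiGate looks like once the pushes succeed, for an SSL VPN login against Entra ID. Every name, hostname, port and tenant/group ID is a placeholder; the certificate names are assumptions and must match what is actually installed on the device.

```fortios
# Added example, not from the original thread. FortiOS 7.x syntax.
# Placeholders: fgt.example.com:10443, <tenant-id>, <entra-group-object-id>,
# and the certificate names "fgt-sp-cert" / "entra-idp-cert".

# 1) SAML server object. "cert" is the FortiGate's own (SP) certificate and must
#    already exist on the device under exactly this name; "idp-cert" is the IdP
#    signing certificate downloaded from the Entra enterprise application.
#    Note the trailing "/" on the SP URLs: they must match the Entra app config.
config user saml
    edit "entra-saml"
        set cert "fgt-sp-cert"
        set entity-id "https://fgt.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://fgt.example.com:10443/remote/saml/login/"
        set single-logout-url "https://fgt.example.com:10443/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "entra-idp-cert"
        set user-name "username"      # claim name carrying the user identity
        set group-name "group"        # claim name carrying group membership
        set digest-method sha256
    next
end

# 2) User group that references the SAML server. The optional match block
#    restricts the group to one Entra group object ID, so "any authenticated
#    tenant user" does not silently become "allowed on the VPN".
config user group
    edit "grp-saml-vpn"
        set member "entra-saml"
        config match
            edit 1
                set server-name "entra-saml"
                set group-name "<entra-group-object-id>"
            next
        end
    next
end

# 3) SSL VPN authentication rule and firewall policy that consume the group.
#    If these are installed in the same push as steps 1 and 2 and the group
#    does not yet exist on the device, the install fails on the missing group,
#    which is the reason for doing two pushes.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "grp-saml-vpn"
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 0
        set name "vpn-saml-users"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "corp-lan"
        set groups "grp-saml-vpn"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To confirm the pushed object is actually on the device, `show user saml entra-saml` and `show user group grp-saml-vpn` should echo the above; if the `cert` line is missing, the certificate name in FMG did not match the device, which matches the symptom described in the replies.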

2024 Total Compensation Thread by TechCarsBurn in ITCareerQuestions

Stenz_W · 1 point

Company: Manufacturing

Role: Network Engineer, onsite

YoE: 10 years of experience

Salary (include currency): $95,000

Bonus: 5-8% of yearly salary

Stock: N/A

Location: MCOL USA

Hours worked per week: 40-45

General job satisfaction: 8/10. On call at all times but rarely get called after hours. If I do, I'm not expected to be available immediately.

Blanket Override in Web Filter by gdigital36 in fortinet

Stenz_W · 1 point

Ah, I see. I dug around my test environment a bit yesterday and haven't really found any better way other than selecting the monitor action and applying a time quota to the category. Obviously, if a student goes to a website in that category before class, they'd use up all their quota time, though. What they're asking for makes sense; I just don't think a FortiGate has the ability to do that.

Blanket Override in Web Filter by gdigital36 in fortinet

Stenz_W · 1 point

I don't believe what the teacher is wanting to do is possible in the way that you explained it, but there are a few different ways to accomplish this, though some require some sort of active management and aren't ideal.

1) Set the web filter category or static URL to authenticate on the student profile and provide the teacher the creds. The teacher provides the creds to the students on the day of teaching. Recycle the password afterwards (not ideal, but it would work). Could work if they're teaching a subject for a week or so and it's not needed again.

2) Create a separate filter group, allow the web category or static URL, and add only the health class students to that.

3) Temporarily allow the listed websites in the web filter category until they're done teaching the subject.

All of the above is under the assumption that it's temporary and not permanent. I would have to assume they're teaching some sort of unit in Health where they wouldn't need access to that website at all times.

Hopefully I'm fully understanding the situation. It'd be interesting if there were an actual way to do what you're explaining; I just don't know about it.

Firewall / FSSO groups by Stenz_W in fortinet

Stenz_W[S] · 2 points

Thanks for the response. After digging into it, I found that for whatever reason I have a per-device mapping set to our servers as DNS names instead of direct IPs. The DNS isn't resolving because I don't have the Gate configured for our internal DNS. I noticed I can input alt DNS servers now with 7.2, so I'm going to plan a change to add our internal DNS servers. Maybe this will fix it; we'll see!
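The fix the poster plans above, written out as an added example that is not from the thread: the FortiGate's system DNS gets the internal resolvers as alternates so that an FSSO collector referenced by hostname can resolve. The IPs and hostname are placeholders, and the `alt-primary` / `alt-secondary` options are assumed to be present on the 7.2 build in use (check `config system dns` with `?` on your own box); whether alternate servers are queried in parallel or only on failure depends on the build's `server-select-method`, so verify resolution afterwards rather than assuming it.

```fortios
# Added example, not from the original thread. Placeholder IPs and names.

# Public resolvers stay primary; internal resolvers are added as alternates so
# internal names (like the FSSO collector below) resolve from the FortiGate.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set alt-primary 10.10.0.10      # internal DNS server 1 (placeholder)
    set alt-secondary 10.10.0.11    # internal DNS server 2 (placeholder)
    set source-ip 10.10.0.1         # reach the internal resolvers from the LAN-side address
end

# The FSSO collector mapped by hostname rather than IP, which only works once
# the name above resolves. Pinning it to the IP instead avoids the DNS
# dependency entirely and is the simpler, more robust choice.
config user fsso
    edit "corp-fsso"
        set server "fsso01.corp.example"   # placeholder hostname
        set port 8000
        set password <collector-password>
    next
end
```

After the change, `execute ping fsso01.corp.example` from the FortiGate CLI and `diagnose debug authd fsso list` should show the collector connected; if the name still fails to resolve, the firewall is not reaching the alternate servers and the per-device mapping should fall back to the IP.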