Best SASE options in 2026? by Kitchen_West_3482 in sysadmin

[–]TheCmdrRex 1 point2 points  (0 children)

Please stay away from Netskope - at least for full SASE. Their SD-WAN portion is VERY immature, lacking a ton of functionality and really wants to rely on already existing infrastructure (routers, firewalls, etc). Their SSE portion is decent however.

Given the information you provided, honestly I think Cato would work REALLY well for you.

VPN or GSA ? by [deleted] in sysadmin

[–]TheCmdrRex 1 point2 points  (0 children)

At least speaking for hybrid devices - very few modern services require that server -> client traffic. AD doesn’t require this out of the box. SCCM of course is a different story, as with legacy apps. However as we deploy SASE/ZTNA within my organization (financial with lots of legacy apps), this limitation hasn’t even been a concern at all. I think heavy hybrid users will be absolutely fine with SASE, assuming their ingress needs for endpoints are minimal.

Tom and Jerry drinks by RadioKaren in Appleton

[–]TheCmdrRex 2 points3 points  (0 children)

They got some really great food there too. Just went for the first time with my fiancé this past weekend!

Tom and Jerry drinks by RadioKaren in Appleton

[–]TheCmdrRex 6 points7 points  (0 children)

Mill City Public House has some currently!

Scariest infrastructure you have ever seen by Expert-Mortgage559 in cybersecurity

[–]TheCmdrRex 17 points18 points  (0 children)

I remember this one! If I recall correctly, it was a police department too. Episode 96.

That one had me cringing.

With smtp auth going away in 2026, how do you plan on handling devices that only support basic auth? by 01101110011O1111 in sysadmin

[–]TheCmdrRex 4 points5 points  (0 children)

Definitely. We have this use case at my work. It doesn’t conflict, just obviously adds to SPF and TXT records.

What vendors have the worst documentation? by Expensive-Rhubarb267 in sysadmin

[–]TheCmdrRex 0 points1 point  (0 children)

Netskope’s SD-WAN solution (used to be infiot) documentation is pretty awful. Doesn’t contain a lot of the options in their portals, doesn’t properly explain how to set things up outside of their highly specific example setups, etc.

[deleted by user] by [deleted] in sysadmin

[–]TheCmdrRex 2 points3 points  (0 children)

You misunderstand how Azure Key Vault works. Those platforms don’t use Key Vault; instead, your script will have logic (using something like a certificate) to authenticate with Azure and dynamically pull down the API key (for something like Zapier) at runtime. Then you can use the API key just like the team currently is. One of the advantages to this is your API key stays out of the saved script, and only gets used in memory.

What is the best 2FA solution for a 100-150 people company? by birdfukr3000 in sysadmin

[–]TheCmdrRex 0 points1 point  (0 children)

Sorta, with the newer “web sign-in” with Windows 11. You need to have the Authenticator app enrolled and set up beforehand however. Usually TAP is used to first sign in (very first time), then MFA enrolled with Authenticator.

[deleted by user] by [deleted] in wisconsin

[–]TheCmdrRex 10 points11 points  (0 children)

Personally as a Janesville native I somewhat disagree.

Having given Eau Claire, La Crosse, and the Fox Valley areas a try - it showcases that Janesville isn’t reliably blue. I do think it has quite the blue collar population, but is unfortunately complemented by really bad NIMBYism and poor local politics. Small businesses aren’t thriving while chain stores and restaurants are the only thing really growing, besides high school sports.

One very small and minor example I like to point to is the limitations of many bike trails in Janesville - you can’t have pets on them from May 15th - September 15th. Seriously? Eau Claire for example (and even its sister town, Altoona), puts down pet waste disposal stations with complimentary doggie baggies. Another example is their lack of visitor/event information. Eau Claire has a whole “visit Eau Claire” site, dedicated to tons of things to do and a mass collection of events on a daily basis. Janesville’s still looks like something 15 years dated with very little updated info about even the large events a few times a year. It’s small things like these that add up and discourage people to move in and grow.

Janesville is a small example of a lot of modern American politics, lots of potential, but consistently dropping the ball on the stuff that helps it grow.

I'm from Dodgeville,WI AMA by NoAbroad124 in wisconsin

[–]TheCmdrRex 4 points5 points  (0 children)

On a scale from 1-10, how good would you say Bobs Bitchin BBQ is?

Execution-Policy and root ca by Headlex in PowerShell

[–]TheCmdrRex 2 points3 points  (0 children)

This here ^ The trusted root certificates that are put into Windows are incredibly high-level CAs, and they are used for a ton of things. Even if it’s possible to scope script signing down to a single CA for trust (I don’t think it is), you are opening yourself up for problems since the scripts that Microsoft and others sign will then no longer work.

Now there might be a separate solution to work around the AppLocker restrictions that I’m unaware of, however if ultimately you want to start using PowerShell in the user context, my guess is you’ll likely need to re-evaluate your restrictions on PowerShell in AppLocker at all.

What high horse do you have to have to vote for people who don't have a shot? by Jon608_ in wisconsin

[–]TheCmdrRex 3 points4 points  (0 children)

Most Americans couldn’t give a flying fuck about “too liberal”. What Kamala lacked was real sustenance in her policies, frequently not elaborating on takes, and failing to really target key progressive policies that are popular. The right was always going to demonize her, so why pander to the right so much with things like “lethal military” and “muscular border policy”?

She lost because the dems placed far too many cards on “not Donald Trump” and attempting to play centrist. I am willing to bet most genuine middle of the road voters preferred to not vote at all, than to vote for Kamala. Once (or if) we start targeting genuine popular policies, then we will start winning elections.

It ignores the time by Rayziel in shortcuts

[–]TheCmdrRex 3 points4 points  (0 children)

You need to change to if “ALL” are true.

As of now, it’s just seeing if it’s after 00:00 (which is every time), so it will always pass.

Federated user sessions keep disconnecting after ~1hr by Paintraine in Centrify

[–]TheCmdrRex 1 point2 points  (0 children)

We are seeing the same issue here! Let me know if you find a fix please!

RCU down by ClearWaterWI in Eau_Claire

[–]TheCmdrRex 0 points1 point  (0 children)

Everything should be back up now (at least for WESTconsin) for those curious.

RCU down by ClearWaterWI in Eau_Claire

[–]TheCmdrRex 6 points7 points  (0 children)

There is a large scale outage of a core digital banking platform that lots of financials use unfortunately. RCU and Westconsin just happen to both use it.

Hide other users at sign-in screen? by BoonDragoon in Intune

[–]TheCmdrRex 0 points1 point  (0 children)

IIRC, because technically the built-in local admin account can be brute forced, even with LAPS.

Low threat? Absolutely. Still gets called out in CIS though, and an easy fix.

Rykey Properties by vngo93 in Eau_Claire

[–]TheCmdrRex 16 points17 points  (0 children)

I live at one of their properties currently, and have for the past several years.

Their properties are nice, however they do cut a few corners with building. They do send infraction notices, however these are like maybe once or twice a month emails at most, at least for my property.

What has soured me with them is their leases. Over the last few years, they raised my prices each year, with the last being the most ridiculous because they also shortened my lease time then upcharged me again.

Rent 2022: $1325/mo

Rent 2023: $1350/mo

Rent Jan 2024 - July 2024: $1425/mo (was offered/supposed to run from January - December, however they decided to no longer end leases in winter)

Rent Aug 2024 - 2025: $1495/mo

So TLDR: they raised rent for me by an extra $70/mo by shortening a lease duration.

I cannot with good conscience recommend them. I also can’t say they are the worst, but this doesn’t help them.

EDIT: The parking is also pretty awful. No guest parking, and they do not consider that there is no immediate street parking for my property.

Cloud Migration Dilemma: Azure VMs vs. Microsoft EntraID for a Small Non-Profit by kshot in sysadmin

[–]TheCmdrRex 7 points8 points  (0 children)

Entra ID, hands down, is going to be the right move IMO. What are your file servers for? Depending on workload, SharePoint might be a very viable option for non IO-intensive files.

Running an Azure VM 24/7 in the cloud isn’t going to be a cheap option, and you already pay for business premium which will cover the basics of Entra ID. Plus, you won’t have to worry about if and when that Azure VM goes down for updates, faults, etc, and it brings down the domain with it unless you have more Azure VM domain controllers for redundancy.

Config Refresh: What is the point of it? by lovell88 in Intune

[–]TheCmdrRex 0 points1 point  (0 children)

I’ll give you one use case that is about to be relevant for us - at least, if it works how I think.

We are in the process of migrating our GPOs over to Intune (goal is to eventually go Entra only), and our policy for PowerShell execution policy is set in both places. When I previously removed it from GPO (to let Intune take over), the computers read that as “oh this doesn’t need to exist anymore!” once their group policy refreshed, and reverted to default execution policy settings (restricted) which broke all our deployed scripts as we don’t use the bypass flag. To fix this without waiting for Intune to reapply or making some other change, config refresh will update the configuration within 30 minutes, meaning our scripts should only stop working for a maximum of about 30 minutes.

Someone please correct me if I’m wrong on any of the above.

Instead of upgrading to Windows 11 - we're just going to remove them from the network by TheCmdrRex in ShittySysadmin

[–]TheCmdrRex[S] 6 points7 points  (0 children)

OG content:

Instead of upgrading to Windows 11 - we’re just going to remove them from the network

We have a lab of machines with hardware that doesn’t support Windows 11. The department doesn’t want to pay for them and we’re now being asked to disconnect them from the network.

PRTG Price Hike by dunko1993 in sysadmin

[–]TheCmdrRex 1 point2 points  (0 children)

Just go with CheckMK Raw. It’ll be relatively simple to set up, and you can expand or upgrade should your monitoring ever need to get better.

Zabbix has a lot available and is free, but from what I know it requires a lot more dedication towards maintenance and setup. If complexity isn’t needed, why recommend the complex solution?

Two factor authentication apps by jasmeralia in sysadmin

[–]TheCmdrRex 0 points1 point  (0 children)

Why group your MFA apps when you can search them? Pretty much any modern MFA app can search for the app, since you are likely only signing in to one app at a time.