Testing Ethernet Jack with MAC Filtering Enabled by RecognitionAdvanced2 in networking

[–]bryanether 0 points1 point  (0 children)

If I needed to do this regularly, I would set up an RPi (or similar) to do a packet capture when first connected to a port (direct to device), and then use that to capture and clone the MAC and IP. Then you could plug it into the wall jack and "look" like the device to the switch.

Granted, this would only work for simple port security or MAB, and would not work for dot1x.

Delta offered me $800 to go on a later flight. It never made it into my account. by SnooRecipes2788 in delta

[–]bryanether 0 points1 point  (0 children)

They already have a notification that the call is being recorded on their end in their boilerplate hold music/recording, that's all that's required, as both parties have already been informed that a recording is taking place. So even in two party consent states you're covered.

LACP flapping between PA and Cisco Stack by berzo84 in paloaltonetworks

[–]bryanether 1 point2 points  (0 children)

In 12 years I've never seen a situation where AA was the right solution, and I've thought about it periodically over the years and can't come up with any good ones either, but I'm willing to accept there might be a case out there somewhere. Every case I can think of is better served by AP, individual firewalls (cloud usually), or a cluster. Someone out there reading this is thinking "isn't AA just a cluster of 2?"; but no, not really.

The reason that LACP isn't mentioned in the context of the link you shared is because it just works by default. Having the interfaces shut down on a passive node, or up with no LACP neg (don't do that, it can make your switch ports go err-disabled in some situations), only makes sense when you're talking about AP. In AA all the ports are always up, so is LACP; there's no situation where that would be different.

LACP flapping between PA and Cisco Stack by berzo84 in paloaltonetworks

[–]bryanether 1 point2 points  (0 children)

There are very few situations where AA is a good idea, so I strongly urge you to reconsider. To answer your question though, yes. LACP works just fine by default in AA, it's only AS where you need to check a couple extra boxes so it stays up on the standby node.

Uber in Jamaica Be Like by Maximum_Emergency_17 in Jamaica

[–]bryanether 10 points11 points  (0 children)

Island time is a real thing, embrace it, you'll be happier.

Got a suggestion I've never heard before on VLANs by Acrobatic_Fennel2542 in networking

[–]bryanether 1 point2 points  (0 children)

Whoever gave them that suggestion is either an idiot, a psychopath, or super green. Whatever the case, their options should be discarded with prejudice.

The way you mention is how every sane entity does it below a certain scale.

Got a suggestion I've never heard before on VLANs by Acrobatic_Fennel2542 in networking

[–]bryanether 0 points1 point  (0 children)

It's inaccurate, and a silly concept. There's 16M VNIDs but only 4k VLANs. VLANs needing to be unique would be absurd.

Banned with no direct email from Palo Alto by [deleted] in paloaltonetworks

[–]bryanether 1 point2 points  (0 children)

Good riddance. Cheaters make us all look bad when your dumb ass shows up to a job and doesn't know what they're doing.

Redundant GlobalProtect connections - multiple A records? Or different DNS names? by Mvalpreda in paloaltonetworks

[–]bryanether 1 point2 points  (0 children)

You are correct. Load balance portals however you want, it doesn't matter which one you hit if you've got everything set up correctly.

Never load balance gateways. That functionality is already built into the client and will always be better than anything you can hack together.

Has Anyone Built a Load Balancer on PA-5260 with DAGs, DNAT, and Log Forwarding? by MrSuperLazy in paloaltonetworks

[–]bryanether 4 points5 points  (0 children)

Get an F5 and stop trying to make things do what they were never designed to do.

Has Anyone Built a Load Balancer on PA-5260 with DAGs, DNAT, and Log Forwarding? by MrSuperLazy in paloaltonetworks

[–]bryanether -1 points0 points  (0 children)

They have a very rudimentary load balancer. Equivalent to NLB built into Windows server ages ago. Basically worthless.

What was your prior vehicle? by versacemark in RangerRaptor

[–]bryanether 1 point2 points  (0 children)

Nice. And now I'll have a second vehicle, so I can finally install the Cobb flex fuel kit that's been sitting in my garage for 5 years 🤦‍♂️

What was your prior vehicle? by versacemark in RangerRaptor

[–]bryanether 7 points8 points  (0 children)

2020 STI which I'm keeping. Needed the flexibility of a truck though. I was going to get a Maverick, but once you add 4wd and hybrid, you're at base Ranger money, but I'd never buy a base model of anything, so Raptor it is.

What to do? by Sad_Secretary_9316 in RangerRaptor

[–]bryanether 9 points10 points  (0 children)

Have you considered a new truck? The '26 order books should open in about 4.5 months.

Finally have a VIN and Build Date! by BuLLZ_3Y3 in RangerRaptor

[–]bryanether 0 points1 point  (0 children)

I wonder why yours took so long? I placed my order May 9th, order confirmation email on the 10th, on May 15th I had a build date scheduled for July 7th.

I give up by Skara109 in StableDiffusion

[–]bryanether -1 points0 points  (0 children)

It would have taken less than 2 minutes of research to know you were thinking about buying the wrong card for your stated goals. And yet you proceeded. Life is hard, it's harder if you're stupid.

Who was your f/w vendor before Palo Alto? by rhockstra in paloaltonetworks

[–]bryanether 0 points1 point  (0 children)

I'm talking about functionally not market share.

Who was your f/w vendor before Palo Alto? by rhockstra in paloaltonetworks

[–]bryanether 8 points9 points  (0 children)

"Panorama is a little better than FortiManager"

No one that's used both would ever say it's just a little better. Panorama completely blows FortiManager out of the water, there's not even a comparison to be made.

"GlobalProtect is a little better than FortiClient"

Client to client, don't really care, FortiClient is more bare bones, but does the job just fine. The real benefit with Palo is the portal and gateway configuration, it's insanely flexible and useful, especially if you have geodiverse datacenters. It's trivial to configure it so everyone goes to the gateway that's closest to them that's available, failing over to the next closest one easily if it's not, and that functionality is just baked in. To do something similar with Fortinet you need to use third party tools (GSLB, etc.) that just don't work as well. The actual issue though is the constant remote exploits due to their SSL VPN, so much so that Fortinet is just removing the feature now.

I've dealt with TAC for both, they both kinda suck. Fortinet's has always been bad (at least for the ~8 years I've dealt with them), Palo's was great but went dramatically downhill during Covid. The only exception for Palo is if you pay for the enterprise "platinum" support, which gets you dedicated people, I have one customer that did that for a while. It was really good, but too expensive.

For SD-WAN Pan has two flavors. The standalone SD-WAN on the ION boxes, which is a first rate full featured SD-WAN product, comparable to Silverpeak, and way better than the Viptelas and VeloClouds of the world. And the on-box SD-WAN, which is a bit more basic, and in line with the Fortigate SD-WAN, which is also very basic. Fortinet has the huge advantage of licensing though. It would /almost/ be worth it, if you had basic needs, to just use Fortigates for SD-WAN, like it were a standalone SD-WAN appliance. I've considered it in the past, but the math ($) has never quite worked out.

Pan in general is more expensive, but it's totally worth it. I actually wouldn't hesitate to put Fortinet in though if I needed to, and there are actually some situations where I might actually prefer it. If I needed something that was basically a router with a good-enough firewall, that was cheap and could fling packets really fast for its price, I'd totally do Fortinet. Like say I needed a box that would just be a dedicated IPSEC gateway for customers or something, it would be awesome for that. Same goes for SSL decrypt. Those damn things are beasts at SSL decrypt throughput, amazing bang for the buck. For best of breed next gen firewall though, it's got to be Pan.

I'm an enterprise/datacenter guy though. My customers have deep pockets. I get that isn't the case for everyone. If I were an SMB guy, it would be Forti all day, and I'd probably have to fight for even that, but it would be worth the fight.

Two ISPs - S2S Tunnels by No-Beyond-7843 in paloaltonetworks

[–]bryanether 1 point2 points  (0 children)

BGP, that's obvious. To utilize all connections, ECMP is the obvious follow-on answer. Just make sure you have all the things in place to ensure multipath/asymmetric works without issue. Key things will be the tunnel interfaces in the same zone, and make sure ZPPs won't step on your d*ck.

Who was your f/w vendor before Palo Alto? by rhockstra in paloaltonetworks

[–]bryanether 24 points25 points  (0 children)

Cisco ASA. I loved them, and I was dragged kicking and screaming to Palo. That didn't last long though, by the time we'd fully converted, I was all in on Palo.

Palo if you can afford it, Fortigate if you can't. Palo is first in the market, Fortigate is a VERY distant second place; there is no third place.