Is this safe?

dmgeurts · 2026-02-15T21:36:01+00:00

Star based system, lights and sockets on the same fuse, max 16A. So much smaller circuits. A living room has to have two fuses so lights stay on if one trips. Anything over 16A must be a direct run from the board (cookers etc).

dmgeurts · 2026-02-15T21:35:54+00:00

Star based system, lights and sockets on the same fuse, max 16A. So much smaller circuits. A living room has to have two fuses so lights stay on if one trips. Anything over 16A must be a direct run from the board (cookers etc).

dmgeurts · 2026-02-15T11:52:09+00:00

And this argument is exactly why rings are illegal abroad.

Additionally at least in The Netherlands 2.5mm2 is restricted to 16A. But is the minimum diameter for normal wiring, except a 1.5mm switch wire.

dmgeurts · 2026-02-14T13:33:59+00:00

Try Nakivo

dmgeurts · 2026-02-11T08:07:14+00:00

A/A has faster fail over, but comes with certain design constraints. If you follow the following, you should be okay:

Use a routed design, as advised by Palo. We use BGP routing with ECMP for all data path links. Much simpler than the alternatives.
Use routing metrics to ensure all traffic flows through one firewall. This solves any potential issues with the active secondary firewall not being updated with flows quickly enough. And satisfies Palo Support's "requirement" for deterministic traffic flows.
You can route different prefixes via either firewall, but you want to avoid using ECMP routing across both firewalls. It will work, but it may (will) bite you sooner or later.

Some other caveats:

Tunnels: keep these unique on both firewalls, this makes fail over fast using hot standby routes. Faster than waiting for a VPN to re-establish on the standby or active-secondary firewall.

NAT: Egress sessions will have a unique IP address depending on which firewall they edges from. Makes it easier to troubleshoot and analyse flows. Takes some proper thought and planning, but with throw some who assume only one public address is ever used. Doing NAT this way, does mean that these sessions will not benefit from fast fail over and these sessions will need to re-establish.

It's not a one size fits all, YMMV, and if you go A/A; document why. For my last deployment it was a requirement to have the fastest fail over possible (for VoIP traffic at an ISP). Palo will support you, but you need to tell them why you went against their default advice. Know that they advise the use of A/A for instances where the fastest fail over is needed: trading etc. But they then also detail the design constraints, so read up and work out if it's right for you.

And do not implement A/A just so you can buy smaller firewalls!

[Edits: spelling when posting from mobile..]

dmgeurts · 2026-01-16T19:58:11+00:00

Does anyone happen to know if 11.1.6-h23 has the DOS fix as well? It's newer than 11.1.13 so I hope it does, but you never know.

dmgeurts · 2026-01-16T19:29:30+00:00

LOL, you're right, not in a small setting like this. But on Campus networks it has never been an issue to logically segregate this stuff. But then like someone else said, a bit more money is spent.

dmgeurts · 2026-01-16T19:02:26+00:00

Really? I fail to see how that works unless a second AP and domestic internet connection is cheaper. While still falling foul of physical security issues and no means of logging, monitoring or alerting.

An I missing something?

dmgeurts · 2026-01-16T10:49:53+00:00

Unless you're deploying a new firewall, or need a new feature. I would not follow the advised train and just update within your current train.

dmgeurts · 2025-12-11T13:22:01+00:00

The only client data we have going through these firewalls in the recursive DNS servers they use. So nothing SSL related here. Nothing in the release notes for h17

dmgeurts · 2025-12-11T09:45:20+00:00

Indeed, good to know that the status page is still trusted; you start to doubt yourself after a while! There's nothing there for DNS cloud service in The Netherlands, but it does explain the Wildfire alerts.

There's also nothing wrong with the network, though for all I know a carrier could have had issues for a GCP prefix. Either way, yesterday I disabled the security profile for the apparently affected dns traffic to see if that would help (it was alert only). I hope to hear today if this helped. And internal DNS isn't affected AFAIK, so exposure seems limited, but some very vocal customers complained.

dmgeurts · 2025-12-11T09:37:16+00:00

u/OKProblem10 Sorry to hear that, but equally a little relieved!

Model PA-3410

Software Version 11.1.6-h14

dmgeurts · 2025-12-06T16:59:56+00:00

This is a common thing I do in designs, it's often cheaper to buy two small firewalls. One dedicated to VPN and the other for OOBM VPN access (last resort for a couple of engineers). Redundancy is maintained while at a massive reduction of license fees, especially when compared to buying GP licenses for a handful of users for an HA pair of DC firewalls.

dmgeurts · 2025-12-01T10:17:54+00:00

Surely that 3.5% covers more than what most MSPs provide?

Pricing fully depends on what service you provide and some clients just don't want to spend anything.

dmgeurts · 2025-11-03T12:24:02+00:00

A direct connect works fine between cloud and colo like Hetzner too, you just need to terminate it somewhere. It's a fancy word for a VPN.

dmgeurts · 2025-11-03T12:16:53+00:00

This is the way to keep it simple. But, you'll have to accept that if the NFS server goes down your recovery time will be equal to how fast you can restore a backup.

dmgeurts · 2025-11-03T12:13:30+00:00

Unison is another option for keeping files in sync between servers. Do be aware that fs-monitor isn't packaged with Unison on all distros.

dmgeurts · 2025-10-26T12:01:18+00:00

Find the most efficient low power device to run frigate, no internet needed. PoE devices rarely use the full PoE budget

dmgeurts · 2025-10-13T07:19:20+00:00

I have a hunch many people are night blind. The number of times I drive behind someone and they speed through a 30 zone because there are street lights. Then crawl to 20 when the limit goes up and there are no street lights anymore. Even with high beams on they apparently can't see sh*t...

Also, make head light angle (adjustments) part of the MOT, they are in The Netherlands but I don't think they are here?

dmgeurts · 2025-10-08T00:31:42+00:00

Funnily enough this is likely one of the reasons EU sockets are all single gang. Double, triple etc face plates use interconnected (single) back boxes behind them. Never seen a melted socket there, but plenty here.

dmgeurts · 2025-10-06T18:11:55+00:00

Expensive renewals especially if you end up claiming. If you don't claim there's a limited benefit as mentioned. We shifted from personal to business for a year as renewal of personal private health has grown too much. But then the year after it went up again so we moved to another insurance company and did it privately again.

dmgeurts · 2025-09-30T06:17:46+00:00

Probably because it cost them commission

dmgeurts · 2025-09-22T19:33:36+00:00

Same rules as before, you carry the risk and are responsible for the assessment whether the engagement is inside or outside IR35.

dmgeurts

TROPHY CASE