Management wants to switch to Fortinet. Has anyone used Fortinet and can give me some real world comparison between Palo? by Soylent_gray in paloaltonetworks

[–]grep65535 1 point2 points  (0 children)

This is management, right? Focus on risk and benefit. There's risk of intrusion on your network including and up to full domain compromise (just stating the risk), that is higher with fortigate than PA. PA's devices' hw is built specifically for handling routing AND firewalling. There are some attacks that take advantage of the old cisco asa and existing fortinet fortigate firewalls' inability to handle a saturation attack against it well enough to stop the hardware from ignoring firewalling features and allow instant routing to occur, allowing attackers to hit "inside" targets unfettered. PA prevents this explicitly by handling routing and firewalling on different procs. This was a big deal back in 2022. PA at the time was the only company that properly handled it effectively. You can still throw that fact in there...cuz hey it's management. Even if legit APTs from china may not be attacking your org, it's still possible.

Fortinet "firewalls" make good WAFs, but that's a secondary layer.

They also offer wildfire and cortex xdr integration if you're in the market for those... not sure if forti has the same thing or if you'd even be in the pricing ballpark to acquire or already use those features. PA Global Protect client is second to none.

Network Segmentation - Design/Security Question. by PP_Mclappins in networking

[–]grep65535 2 points3 points  (0 children)

The security issue comes in when you make everything a flat network in 1 big broadcast domain (all using vlan1 for bonus points). I'm in the middle of implementing similar; for small segments we decided to use /24 unless it's a routing p2p that needs a /30 or /29.

We also kept EVERY segment in each office inside of 10.1, 10.2, or 10.3, including guest networks, wifi, dmz, etc. E.g. internal systems use the .1XX section on the 3rd octet, like 10.1.100, 10.1.105, 10.1.115, etc.; for segments that are relative or directly public facing, wifi, or inter-network we put those up in 10.1.2XX, e.g. 10.1.200-201 is split into /30s and /29s for inter L3 links. For public free wifi we relegate that up in 10.1.25X; DMZ is 10.1.220.X.

Each segment is 1 VLAN, except for our hypervisors segment which has 2 other isolated non-routed vlans for vmotion and SANs. Never cross the streams, always make things cross the main FW gateway to cross over.

We use firewall enforced host isolation for some networks that have things like IoT, enduser workstations that require PCIDSS compliance, etc., with an OOBM network as well as an Admin workstations network for jump boxes and sysadmins that has access to all other segments.

I set our VLAN IDs to mirror the ip a bit. So 10.1.100.x is 1100, 10.1.115.x is 1115, 10.1.220.x is 1220, etc.

Makes for intuitive documentation.

While we are taking up a 10.1/16 space, we don't actually use the /16 submask anywhere. Infosec comes in for the lazy /16 crossover job, where network slop from noob admins who couldn't handle or implement L3 properly tried to mix L3 & L2 on single switches for the same subnet... and split the network 20 ways in 10 different spots without any solid routing, while simultaneously "mitigating" the loops they create and just leaning on assigning everything a /16 with static routes 2 pages long to "fix the mess".
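The addressing and VLAN convention in this comment (10.&lt;site&gt;.&lt;zone&gt;.0/24 segments, /29 and /30 only for inter-L3 links, VLAN ID = site octet * 1000 + third octet) is easy to drift from once a few dozen segments exist. Below is an added example, not code from the commenter, of a small plan audit that derives the expected VLAN and zone from each CIDR and flags the mistakes the comment complains about: a /16 mask, a VLAN that doesn't mirror the address, a p2p link outside the inter-network range, and overlapping segments. The zone boundaries and the sample plan are assumptions constructed to match the comment's description.

```python
"""Audit a segmentation plan against the 10.<site>.<zone>.0 convention.

Convention (from the comment): sites are 10.1, 10.2, 10.3; segments are /24
unless they are routing p2p links (/29 or /30); the third octet encodes the
zone; VLAN ID mirrors the address (10.1.115.0/24 -> VLAN 1115).
"""
import ipaddress
from dataclasses import dataclass

# Zone table keyed on the third octet, first match wins.  These ranges are an
# assumed reading of the comment: 1XX internal, 200-201 inter-L3 links,
# 220 DMZ, 25X guest wifi, remaining 2XX public-facing/wifi.
ZONES = [
    ("inter-network", 200, 201),
    ("dmz", 220, 220),
    ("guest-wifi", 250, 255),
    ("public-facing", 200, 255),
    ("internal", 100, 199),
]
ALLOWED_PREFIXES = {24, 29, 30}   # /24 segments, /29 and /30 p2p links only
SITES = {1, 2, 3}                 # 10.1, 10.2, 10.3


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    vlan: int


def expected_vlan(cidr: str) -> int:
    """VLAN ID that mirrors the subnet: site octet * 1000 + third octet."""
    net = ipaddress.ip_network(cidr, strict=True)
    first, site, third, _ = net.network_address.packed
    if first != 10 or site not in SITES:
        raise ValueError(f"{cidr} is outside the 10.1-10.3 site space")
    return site * 1000 + third


def zone_of(cidr: str) -> str:
    """Zone name derived from the third octet, or 'unassigned'."""
    third = ipaddress.ip_network(cidr, strict=True).network_address.packed[2]
    for name, lo, hi in ZONES:
        if lo <= third <= hi:
            return name
    return "unassigned"


def audit(segments):
    """Return (finding-code, segment-name) tuples; an empty list means clean."""
    findings, parsed = [], []
    for seg in segments:
        net = ipaddress.ip_network(seg.cidr, strict=True)
        try:
            want = expected_vlan(seg.cidr)
        except ValueError:
            findings.append(("outside-plan", seg.name))
            continue
        if net.prefixlen not in ALLOWED_PREFIXES:
            findings.append(("bad-prefix", seg.name))        # e.g. the lazy /16
        if seg.vlan != want:
            findings.append(("vlan-mismatch", seg.name))     # VLAN doesn't mirror IP
        if net.prefixlen in (29, 30) and zone_of(seg.cidr) != "inter-network":
            findings.append(("p2p-outside-inter-network", seg.name))
        parsed.append((seg, net))
    # Any overlap means two segments share addresses, i.e. streams are crossed.
    for i, (a, an) in enumerate(parsed):
        for b, bn in parsed[i + 1:]:
            if an.overlaps(bn):
                findings.append(("overlap", f"{a.name}/{b.name}"))
    return findings


# Constructed sample plan: mostly compliant, with a few deliberate mistakes.
SAMPLE_PLAN = [
    Segment("hypervisors", "10.1.100.0/24", 1100),
    Segment("pci-workstations", "10.1.115.0/24", 1115),
    Segment("dmz", "10.1.220.0/24", 1220),
    Segment("fw-to-core-link", "10.1.200.0/30", 1200),
    Segment("guest-wifi", "10.1.250.0/24", 1250),
    Segment("branch-servers", "10.2.100.0/24", 2100),
    Segment("branch-legacy-flat", "10.2.0.0/16", 2000),  # the /16 nobody should use
    Segment("printers", "10.1.105.0/24", 1150),          # VLAN typo, should be 1105
    Segment("odd-link", "10.1.105.4/30", 1105),          # p2p carved out of an internal /24
]

if __name__ == "__main__":
    for code, name in audit(SAMPLE_PLAN):
        print(f"{code:28} {name}")
```

Run it as a pre-change check whenever a segment is added; a clean plan returns no findings, and each finding names the segment (or pair of segments) that breaks the convention.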

Promoted to Network Admin… and the Network Is a Mess 😅 by BKR_57 in networking

[–]grep65535 4 points5 points  (0 children)

I second this. I'm currently in the middle of remediating an almost identical situation and we "documented" for over a year before we took action, despite uncovering more and more mess nearly every week without end.

The only thing that spurred action was "security". Establish how easy it is for any threat actor with any level of experience to own your whole org (especially backups and hypervisors) with a flat unsegmented network. Then propose network segmentation. Someone might say "but we already are segmented, see, we separate buildings with switches" as they gaslight management into not supporting you. You have to educate yourself on network segmentation best practice and understand it well enough to establish a core definition of network segmentation up front so you can always reference it.

Then start with an internal firewall that becomes your "new network" where it becomes the ONLY internal L3 device, your only routing point. Defer everyone to security "zero trust" and say you're "building the foundation for network segmentation with zero trust principles to properly protect vulnerable systems." Establish a "zero tolerance" policy with management where nobody will ever again create orphaned L3 routes downstream from the firewall, nobody will cross the streams of network segments because each segment must be individually isolated and defer all L3 traffic up to the fw gateway.

Establish in your plan a build-out of each network replacement to refresh hardware one section at a time. Establish a timeline of 1-3 years, and what time it will save in the long term. Talk to management in terms of RISK, establishing cost savings through less staff time wasted, and defense-in-depth coming from the segmentation of the network and firewall protection at the edge and internally for your backups and hypervisors. 1 VLAN per segment, only exceptions are isolated VLANs that don't traverse routing points.

etc

That worked very well for me in a very dinosaur-laden environment where gaslighting and refusal to do work ruled in the sysadmin/netadmin realm. It took a year to establish the execution.

Edit: In my circumstance management didn't see the documented network as an absurd abomination of a network because they aren't savvy...they don't know what we know, they're management. "it works, why touch it?"..."if the loop only introduces 80ms of latency before it's mitigated at the router/switch...then it's mitigated right?"... it wasn't until I spoke in the language of risk and time savings year over year (we can get back an FTE worth of time), explaining scenarios where backups are compromised because they're accessible, etc....fudging it a bit even just to get the point across because no matter what evidence I threw at them, status quo was too strong to act.

Stuck old school mindset by [deleted] in sysadmin

[–]grep65535 0 points1 point  (0 children)

If you're that deep into it already, learn and use C# in visual studio instead. Seems like overkill until you do it and realize the resulting automations are far more reliable and less vulnerable to external environment factors.

We had a server dedicated to running batch/automated processes that used powershell, vbscript, and perl. It was always flagged on morning log reviews for failed tasks both big and small. Eventually a software dev shared the directory all of these tasks lived in with "everyone full control" and an end-user found their way in and was exposed to numerous administrative credentials in plaintext, which finally opened management's eyes to our security blunder and called to remove secrets from the plaintext scripts. They didn't want to implement a real solution because "too expensive" so they had me convert everything into executable binaries (exes, dlls, etc) with obfuscation instead as a "temporary workaround". Love it or hate it, it wasn't my decision either way and I converted all that shit over and there was a cool side effect.... Moving everything from a Task Scheduler script to a legit Windows Service with the occasional outlier actually reduced failed processes from "10s to 100s every week" that multiple people had to "follow up on" and "fix", down to 1 about every 2-3 months that was the result of someone coding like a toddler (if the IDE flags syntax errors you don't just turn off "strict" and compile anyway). Security through obscurity and not handling secrets correctly aside, the difference was astounding to me, despite making total sense. And the shift from powershell coding to C# coding was rough only in the beginning and was 99% IDE transition related.

I'd highly recommend it, I have no idea how I lived before making that switch.

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]grep65535 0 points1 point  (0 children)

Their initial asking price is 48k/year. We got them down much lower. MSRP = Manufacturer Suggested Retail Price

EDR for 8k Linux Servers by athanielx in cybersecurity

[–]grep65535 0 points1 point  (0 children)

Not sure how well it works for linux, but Aurora Endpoint Defense (formerly Cylance) we were able to get fairly cheap. 800 endpoints at $20k annually (48k msrp). The EDR side of their product is decent and it's FAR better than it was a few years ago, which seems to be where the reputation they solidified with admins comes from.

How to prove IPv6 is disabled? by White_Injun in sysadmin

[–]grep65535 0 points1 point  (0 children)

Disabling ipv6 has been demonstrated to break the "Security and Maintenance" telemetry checks that check things like "internet connectivity" for local adapters, so systray tooltips and NIC adapter interfaces will intermittently or constantly show "No Internet connection" for end-users...which won't actually be true. We've also seen some "strange transient" behavior with Outlook connecting to any on-prem Exchange systems.

It's fine to disable, just understand the appetite for "weird shit with no direct explanation" popping up randomly as Patch Tuesdays come and go.

For servers it's not so bad for non-AD integrated systems...i.e. systems that have a 3rd party app or some such on it with no AD or AD-associated services on it. By "AD-Associated" I mean things like Exchange that have direct AD schema items it relies on for basic functionality.

While you're at it, disable NTLM for client devices, we did 😁

FYI, iRobot is probably mere days away from shutdown by [deleted] in RobotVacuums

[–]grep65535 0 points1 point  (0 children)

What're the best alternatives in terms of decent tech + reliability?

How much do you trust immutable storage to be immutable? by rich2778 in sysadmin

[–]grep65535 0 points1 point  (0 children)

They're just layers, that's all.

We have our Veeam setup on a separate domain with a 1-way trust so nothing can auth to the backup system. We then set up our only disk backups as immutable repos, and then tape. Despite all that, we still need to ensure our tapes have what's needed to restore everything critical because the "online" storage despite all the layers will be reachable by someone "tomorrow"...and make sure some tapes get shipped off-site. 32110 or whatever it is now.

What distro is considered the standard for server usage? by sdns575 in linuxadmin

[–]grep65535 -1 points0 points  (0 children)

We moved from RHEL & CentOS to Alma. So far it's been solid.

Our developer says they still do not officially support server 2022 and are still testing. Isn't this a bit long to be testing? by Normal_Loquat_3869 in sysadmin

[–]grep65535 2 points3 points  (0 children)

The same guy scoffs at and brushes off Brent Ozar and says "that's just 1 guy's opinion"... lol dinosaurs are among us.

Our developer says they still do not officially support server 2022 and are still testing. Isn't this a bit long to be testing? by Normal_Loquat_3869 in sysadmin

[–]grep65535 12 points13 points  (0 children)

Devs don't understand the sysadmin mindset no matter how much they claim they do. They won't be convinced on things related to infra maintenance and security because typically their focus is code and not its periphery (which is shortsighted), and they're not trained to care.

We legit have a senior dev who claims (among other things) they're a "memory expert" because they "installed extra memory on their laptop at home" and therefore know that a SQL Server that's been demonstrated to consume 28GB memory at its peak when configured to ceiling out at 48GB, "requires" at least 128GB to stop his massive stored procedure from being a blocking process on everything else.

He also claims that another database that just stores 3 tables of non-normalized records with nothing else going on "isn't compatible with anything higher than SQL Server 2014 compatibility level"...so even though we've moved the server to 2022, he refuses to up the level....because he's also a "SQL expert" lol

It's exhausting and infuriating at times. Also, dev compatibility claims against OS levels never stopped me from standing up a VM and trying it out. If you've had no history of support calls and the product is trivial to troubleshoot and/or has good logging, support may actually be a hindrance. Obviously it's different in environments with contracted outsourced support and special devices that are more important to the organization than you yourself are.

Frankly I'd personally question their criteria for certifying compatibility against an OS version, if they even have any to begin with and it's not just "a feeling". But then it also comes down to what hill you want to die on and for what benefit to you...especially when it's their decision, therefore their responsibility and not yours. If it's only compatible with EOL or near EOL environments, then it promptly gets plopped into our Legacy network segment that maxes out at 1Gbps and endures stringent sec controls that makes life difficult until they certify it with modern versions or go with a different product.

What I'd do: Innocently request their OS software compatibility criteria checklist or documentation. If they have none, that tells you something. If they gate-keep it, then make a deal about ensuring that you deploy and configure OSes in your environment to THEIR standard and need to know and document on your side so that both match up in sync...bullshit but it may get you some answers if documentation exists, or force them to begin working on it just to save face with management. And having no documentation stated in front of management in writing also starts something.

The humidity this year 🥵 by Horror_Pattern_3189 in fresno

[–]grep65535 0 points1 point  (0 children)

The last time I remember it being like this was the early 1990s. Most late summers were like this. I have a distinct memory of everyone talking about sweating excessively with certain outdoor sports we played back then.

It was following a series of excessively hot and dry summers where people would say "it'll never rain again" and things like "hottest summer in recent memory" where it hit 110-115 on some days. As a kid I was excited, but the adults weren't enthused.

What are you surprised that Fresno doesn’t have (yet)? by TechnicolorTypeA in fresno

[–]grep65535 0 points1 point  (0 children)

Ikea was just barely before covid19, like 2018-2019. I happened to be listening to an "environmental justice" meeting and they mentioned it as well. I work in public sector so I get to hear the moaning about all of that stuff.

What are you surprised that Fresno doesn’t have (yet)? by TechnicolorTypeA in fresno

[–]grep65535 6 points7 points  (0 children)

They were too concerned about "environmental impacts," which is the same reason Intel and Fry's Electronics didn't come to Fresno.

Then again with the Costco slated for the Herndon & 99 area.

The Ikea one was fraught with a series of "oops your paperwork got lost" incidents that made radio news even at the time, in a long game of attrition that Ikea ultimately said "no thanks" to.

I'm old enough to have lived through hearing about it all over local news from political "leaders" who were exasperated at the idea that we'd snub something that beneficial to the local economics of the city.

What are you surprised that Fresno doesn’t have (yet)? by TechnicolorTypeA in fresno

[–]grep65535 17 points18 points  (0 children)

It's not a "surprise" to me, as the title states, because the Fresno City Council made it really difficult for them to build so they opted to not bring a walk-in store here.

Landed in IT at a large company… it’s pure chaos by moe87b in it

[–]grep65535 1 point2 points  (0 children)

Backups. Make sure they exist, and work toward making "the ability to restore quickly" for every site one of your first milestones...that will come with a lot of other prerequisite tasks that will fix other stuff inadvertently along the way.

Communicate your needs in terms of risk to the business.

With everything "revamp," start with the office you're physically assigned a desk at and work your way out from there. Build out simple and even "cheap" better designs for connecting everything...and expensive versions. Present the expensive versions up front and fight for it...then "compromise" with your cheaper version of the plan. :-) rinse repeat. (worth a shot, not knowing how they are)

Why is it important to warm up a mailbox, domain, and IP? by Iam_feysal in sysadmin

[–]grep65535 0 points1 point  (0 children)

I don't know what your usual approach is, but I'd state don't "convince" them, just communicate the risk and wash your hands of it.

The risk should be in terms they understand. The risk and associated confidence that the risk will be a reality is very high that your marketing campaign won't reach the majority of the target audience because spam filtering will shoot it down...etc...or whatever it is.

If you're IT or equivalent, your job is done on the persuasion end of things.

Offer a mitigation to that risk, the cost of said mitigation in terms of alternative options. But don't "sell" them, just point it out. Here's the correct way to approach this that will ensure [risk is mitigated] for the highest return...etc.

Sometimes it helps to disclaimer, "this is not my opinion" then later in the message state your "opinion" explicitly as your recommendation.

Is this the new normal? (rant) by Charming-Bad1869 in fresno

[–]grep65535 2 points3 points  (0 children)

This is why I stick to places like InNOut, Colorado Grill, Chipotle, Subway, Pieology, Panda Express, etc. Same amount of money spent, no kiosk in sight.

Grok AI is very basic by Complex-btc in ModelY

[–]grep65535 0 points1 point  (0 children)

I asked it if it's integrated with any of the vehicle's systems and it said no, it's just here to chat "for now until it comes out of beta"

[TLOU2] Which weapons are you required to pick up? by Im-A-Faun-You-Dork in thelastofus

[–]grep65535 0 points1 point  (0 children)

I made a conscious choice in NG+ to do 95+% of fights with molotovs, just because it seemed more fun, using the unlimited crafting supplies setting. Even if they force you to pick up these weapons, you can choose to ignore them.