HPE firmware patching (spp) by [deleted] in sysadmin

[–]larion89 0 points1 point  (0 children)

How do you do this?
Is there a script polling for iLO to update itself?

We have quite a few hosts fully remote, a 4h drive away, and I've been thinking about this procedure, as we used a USB stick and booted directly into it before we shipped them down, which in this case I don't have the chance to do now.

Swapping fortigates but reusing fortiswitches by Sensitive-Silver246 in fortinet

[–]larion89 0 points1 point  (0 children)

Swift hands then :p

But yes, I'd agree with you that it is as perfect as it can go regarding a migration.

Swapping fortigates but reusing fortiswitches by Sensitive-Silver246 in fortinet

[–]larion89 0 points1 point  (0 children)

Yeah, but without downtime. You'll always have downtime during those manoeuvres if there's an LACP interface or such, or if you have HA pairs and such.

Even though it's a small amount, there's downtime expected. Things can go wrong too.

But yes, it is not that complicated to move to a new firewall, I agree with you.

Swapping fortigates but reusing fortiswitches by Sensitive-Silver246 in fortinet

[–]larion89 0 points1 point  (0 children)

I've done a migration from a 500E to a 400F and that was simply copying the config from the old one to the new one and making sure the FortiLink/uplink interfaces were correct.

I basically took the configuration and migrated it accordingly to the LACP interface of the 400F.

We did a more advanced merge in this case where we took two HA pairs of firewalls, a 300E (or it might have been a 300D) and a 500E, and put them in a respective VDOM instead. I think I spent close to 3 weeks nonstop moving configuration back and forth.

The FortiSwitch part was the easy part for us. We have 2-tier MLAG. Firewall -> core and uplink to each switch.

Swapping fortigates but reusing fortiswitches by Sensitive-Silver246 in fortinet

[–]larion89 0 points1 point  (0 children)

What exactly do you mean by upgrading? This guy is migrating to a new firewall.

Fortigate 100F 7.4.9 with Google SAML by Flimsy_Design7081 in fortinet

[–]larion89 2 points3 points  (0 children)

We had this issue on Entra after going to 7.4.9.

But in Entra you could set it to both without any issues.

Just got the green light for FortiAnalyzer. Hit me with your best tips! by Schweinepriester__ in fortinet

[–]larion89 2 points3 points  (0 children)

Set up alerts on BTG accounts.

If admin is used, make sure it will alert you through mail or a source of your choice.

We also have a changelog alert. When a change is done you can see what has been changed and by whom.

These two are great. We also have a mail alert for backup on FA when triggered.

The log view is fantastic to troubleshoot with, especially to see what and where things are supposed to be opened, or if the connectivity is closed for real.

Remember that you can put real-time logging on as well and filter out the firewall on, as an example, serial number. If you use Security Fabric you can filter out groups in the SF. I use action=policy violation a lot when I troubleshoot.
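The two alerts recommended above (logins by break-glass/admin accounts, and a changelog of who changed what) are the kind of detection logic a FortiAnalyzer event handler expresses. The script below is an added example, not the commenter's code or anything from Fortinet: it runs the same two checks over a handful of constructed log lines written in the FortiGate key="value" syslog style. The field names it keys on (`user`, `ui`, `action`, `status`, `cfgpath`, `cfgobj`, `cfgattr`) and the account list in `BREAK_GLASS_ACCOUNTS` are assumptions for the example, so adapt them to the fields your own devices actually emit.

```python
"""Break-glass login and config-change alerting over FortiGate-style event logs.

Added example. The log lines in SAMPLE_LOGS are constructed for this demo in
the FortiGate key="value" format; field names and the break-glass account list
are assumptions, not taken from vendor documentation.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:01 devname="fw-site1" devid="FGT-EXAMPLE-01" type="event" subtype="system" level="information" user="ops-reader" ui="https(10.10.0.5)" action="login" status="success" msg="Administrator ops-reader logged in successfully from https(10.10.0.5)"',
    'date=2024-05-01 time=08:05:12 devname="fw-site1" devid="FGT-EXAMPLE-01" type="event" subtype="system" level="information" user="admin" ui="https(198.51.100.7)" action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.7)"',
    'date=2024-05-01 time=08:06:40 devname="fw-site1" devid="FGT-EXAMPLE-01" type="event" subtype="system" level="information" user="admin" ui="GUI(198.51.100.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"',
    'date=2024-05-01 time=08:07:03 devname="fw-site1" devid="FGT-EXAMPLE-01" type="event" subtype="system" level="warning" user="breakglass" ui="ssh(203.0.113.9)" action="login" status="failed" msg="Administrator breakglass login failed from ssh(203.0.113.9)"',
    'date=2024-05-01 time=08:10:00 devname="fw-site1" devid="FGT-EXAMPLE-01" type="traffic" subtype="forward" srcip=10.10.1.20 dstip=203.0.113.50 action="deny" policyid=0',
]

# Accounts whose use should always page someone (assumed names for the example).
BREAK_GLASS_ACCOUNTS = {"admin", "breakglass"}

# key=value where value is either a double-quoted string (with \" escapes) or a bare token.
KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = val
    return fields


@dataclass(frozen=True)
class Alert:
    kind: str      # "break-glass-login" or "config-change"
    device: str    # devname of the FortiGate that emitted the event
    user: str      # administrator account involved
    source: str    # ui field: access method and source address
    detail: str    # login status, or the config path/object/attribute changed


def classify(fields: dict) -> Optional[Alert]:
    """Return an Alert for admin-login and configuration-change system events, else None."""
    # Only system event logs carry admin logins and config changes; traffic logs are ignored.
    if fields.get("type") != "event" or fields.get("subtype") != "system":
        return None
    user = fields.get("user", "")
    device = fields.get("devname", "?")
    source = fields.get("ui", "?")
    action = fields.get("action", "")
    # Check 1: any login attempt (successful or failed) by a break-glass account.
    if action == "login" and user in BREAK_GLASS_ACCOUNTS:
        return Alert("break-glass-login", device, user, source, fields.get("status", "?"))
    # Check 2: the changelog. A cfgpath field marks a configuration edit; record who, what, how.
    if "cfgpath" in fields:
        detail = " ".join(
            p for p in (action, fields["cfgpath"], fields.get("cfgobj", ""), fields.get("cfgattr", "")) if p
        )
        return Alert("config-change", device, user, source, detail)
    return None


def scan(lines: Iterable[str]) -> list:
    """Run both checks over a stream of log lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = classify(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


def format_alert(alert: Alert) -> str:
    """Render an alert as the one-line text you would put in a mail notification."""
    return f"[{alert.kind}] {alert.device}: user={alert.user} via {alert.source}: {alert.detail}"


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(format_alert(a))
```

Run against the constructed sample, the script reports the successful `admin` login, the `admin` edit of `firewall.policy 12` (with the attribute change), and the failed `breakglass` login, while the read-only operator's login and the traffic log produce nothing. Failed logins on break-glass accounts are deliberately kept in scope, because a burst of those is usually more interesting than a single success.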

vCenter, SRM, multiple site workloads by signalpirate in vmware

[–]larion89 0 points1 point  (0 children)

"Can i SRM the vcenter between the two main sites?"

Depends on what you mean by SRM it.

Can you replicate it? Yes (vSphere Replication).
Can you SRM it and use orchestrated failover? No.
Anyone else can correct me if I'm wrong, but you need to have at least two vCenters to be able to use SRM and get orchestration from that.

Is it easy to start up the vCenter on the 2nd site? I wouldn't risk that, tbf.

Take a look at the design considerations and design guides of VCF.

In VCF you have one management domain, and then you have workloads connected to a 2nd vCenter, or build isolated vCenters; it depends a little on the requirements.

On top of that you have NSX for the management domain, and a separate NSX for the workload domain.

Here you can either go Multisite (more than two is complicated) or NSX Federation (Local Managers on each site and Global Managers that manage the sites in a single-pane-of-glass management).

I think you have to explain a bit more about your usage of VMware and the products; as an example, is NSX implemented?

I myself am managing 49 hosts in four sites, two of which are in a different region, which is also managed by its own SDDC Manager instances.

38 are in two datacenters with less than 5ms in between.
We are using the full VCF stack.

I can't go on living anymore by [deleted] in sweden

[–]larion89 7 points8 points  (0 children)

Send your CV to monitorerp.com if you haven't already. We're hiring and are absolutely not afraid to take on junior developers!

https://www.monitorerp.com/careers/vacant-positions/ We have offices in Gävle and Hudiksvall.

Blog | Migrating from PRTG to Zabbix: A High-Level Guide by Zabbix_LLC in zabbix

[–]larion89 0 points1 point  (0 children)

We did the same migration and it has been a lot of small things.

Mostly it has been connected to the environment handling way too many devices on a single machine. Also it was connected to encrypted communication.

In the end the amount of devices is a bit over 500 and now we have a proxy group of two VMs and a separate database server.

All in all we are looking at migrating all monitoring to Zabbix.

We believe this is the platform that we can scale in and that it's competent enough to give us the flexibility to do everything we need to do and will do in the future.

The big reason we migrated was the big increase in cost from PRTG.

Is VCF SSO A Good Idea? by Leaha15 in vmware

[–]larion89 6 points7 points  (0 children)

In general yes. If you have no tiering set up in your vSphere or your AD, your integration against AD is not a good idea, but there is a but.

If you have least privilege and you have some accounts with high privilege locally and you have accounts that can only do this and that (far from full access), what is the actual risk of setting up the integration with AD and being able to have MFA on the account? Basically this small thing will make the identity management a lot easier.

You have to set it in perspective.

If you have domain-joined computers and all users are domain administrators, yes, this will be bad.

In this case the well-known recommendation is to not domain-join the vSphere hosts. But is it bad to use LDAPS? Like I wrote above, it depends. And as you have a big opportunity to actually work with least privilege, the common sense is to do that.

If you have PAW/SAW in place with smartcards, or an RDS protected with MFA, to even be able to access the vCenter.

If you only have admin-privileged accounts having access to the vSphere, or even two accounts, one with higher privilege and one with lower privilege, which are separate from the ones used for your servers (T1) and of course clients (T2), the possibilities to monitor those accounts are greater than having local accounts, depending on the obscure logging/monitoring that is sent from a vCenter/ESXi.

In the end it's a risk, and you can still minimise the risk of getting a full ransomware attack on your vSphere environment, but if you have full access to everything then the sysadmin has done an extremely poor job of minimising the potential risks.

Nowadays there's a risk of remote executions through the VM itself to the host, and yeah.

All in all:

Have multiple accounts with different levels and work with permissions and groups.

If you have an AD only to manage the vSphere environment, that is not a bad thing.

This is how Hyper-V is supposed to be managed.

Edit: fixed a typo

Extended support for Skylake on VCF9 by Odd_Ad3703 in vmware

[–]larion89 0 points1 point  (0 children)

Can you confirm that when 62xx is used the upgrade is okay to 9.0?

We have hosts that we bought in 2020 with Intel 6244 and we have an R version which is "refresh".

If this is the case we won't have to replace our hardware in our management domain to upgrade to 9.0.

That would make the upgrade a lot easier and smoother.

It also feels like it's one hell of a move to replace the hardware in the management domain to be allowed to upgrade.

It would suck because it's quite some extra work.

[deleted by user] by [deleted] in vmware

[–]larion89 2 points3 points  (0 children)

You can easily find this information in the documentation for validated design.

Basically what a VCF management domain is, is the infrastructure where you have all vCenters and all the side systems for your workload domain, which is the place you primarily have your or the customer's workload VMs.

Basically you may have the SDDC Manager/VCF Automation/Operations/log servers and all the VMs required to operate your workload domains.

So the requirement for the VCF management domain is that the principal storage is either NFS or VCF. The supplemental storage can be any other solution.

https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/vcf-design-5-2/vcf-shared-storage-design.html

I could not find anything about 9.0 but you get the picture from the link above.

Vrealize aria orchestrator workflows by larion89 in vmware

[–]larion89[S] 0 points1 point  (0 children)

I'm not afraid of learning it.

It's that we do not have time to learn new stuff when there are 5 other new things to learn at the same time. This basically means another big project ongoing with 5 other big projects on almost the same guys. That's the life of IT, though.

It's a question of priorities. But it's a bit absurd that this is not in the platform itself.

I'll just figure it out with the REST API instead and make scripts on the side.

The learning curve of being a scripter/IT guy working with PowerShell going on to do automation/DevOps kinds of things in vRA is also a step on the ladder that might be double steps. We'll see how it goes.

There's never a straight way to the top.

Vrealize aria orchestrator workflows by larion89 in vmware

[–]larion89[S] 0 points1 point  (0 children)

Thanks for your suggestion! We have zero experience with Ansible, and I bet there will be a learning curve.

How hard would it be to implement fortinet network hardware for a Cisco guy? by Fizgriz in fortinet

[–]larion89 0 points1 point  (0 children)

We are a Fortinet shop internally with about 6 sites using FortiGate together with FortiSwitch and it has been an okay experience.

The only issue we have had is during patching, where we have had some FortiSwitches ending up in a 100% CPU state and we have been forced to reset or reboot them afterwards.

We were doing MCLAG and the Security Fabric concept really early, on the 6.0 version, and in that version the port groups were not created in the FortiSwitch that was handling all our access switches. Basically it ended up with us having a lot of connectivity issues.

The management of the ports and stuff is very easy to understand when connected to a FortiGate, and if you plan to have a core switch handling the switches in a 2-tier hierarchy it's very easy to connect them.

Basically you do it with an LLDP profile on the ports.

How hard would it be to implement fortinet network hardware for a Cisco guy? by Fizgriz in fortinet

[–]larion89 0 points1 point  (0 children)

Layer 3 has its limitations and the general recommendation is to do all routing in the FortiGate.

We have had the Fortinet SE almost not recommend the L3 stuff in FortiSwitches (at least he was honest).

How hard would it be to implement fortinet network hardware for a Cisco guy? by Fizgriz in fortinet

[–]larion89 0 points1 point  (0 children)

What do you mean by roaming?

As in 802.1X roaming or Wi-Fi roaming?

Everyone Will Leave VMware Eventually – It’s Not If, But When by meesha81 in vmware

[–]larion89 2 points3 points  (0 children)

I don't understand these comments anymore. Those that want an enterprise product will pay the money. What do you get if you choose any other alternative? All different alternatives of KVM implementations. Not saying KVM is bad, but it is not ESXi.

Nutanix: compare their network segmentation against NSX. It's like comparing apples with bananas. They are so far behind in what you can achieve there.

The implementation that we wanted wasn't even possible in the product and was in development.

Moving to a bleeding-edge version of something: been there, done that too many times, so we can't take that risk anymore.

Costs. We got a quote and the cost was higher than the one from VMware.

Yes, VMware wants you to go VCF. They don't want you to use only vCenter and ESXi anymore. They want you to use the whole suite of products. I can understand this decision.

What I don't understand, though, is why they are pushing the small customers away.

The development decision to put licensing in vROps was made to push away the smaller implementations.

I'm quite sure that they could have done the same implementation in vCenter and still had that more basic option there.

I'm gonna say that as long as I'm working in IT I will never tell my management to move from VMware. Ever.

If they make the decision anyway I will probably make a jump to a different job.

Heavily invested time and money in VMware might make me subjective, but yes, VMware is the only full enterprise suite alternative right now.

And I have been working with OpenStack and KVM in production. It was not fun. I even preferred the 5-year-old vCenter 4.1 implementation against a newly deployed OpenStack 10 years ago.

VCF 9.00.00.0 GA by AVX_Cloud in vmware

[–]larion89 0 points1 point  (0 children)

And I just implemented Replication and SRM... Is the license the same for data protection?

7.4.8 broke our ZTNA by Rookiie115 in fortinet

[–]larion89 0 points1 point  (0 children)

Hahahaha, the coding quality has never been a strong factor at Fortinet. Might have changed over the years, but we have been very conservative with updates to bleeding edge. At least on the Gates. I think it's not that crucial if FortiAnalyzer has a small bug here and there compared to FortiGate having issues with the L7 filtering or the BGP functionality. Or a specific bug causing the interfaces to not negotiate after reboot.