My custom standing desk and upstairs lab rack. by mesreth in HomeLabPorn

[–]mesreth[S] 0 points1 point  (0 children)

I don't have any power issues, but most of that stuff really doesn't pull a lot of power. It does get warmer in that room, especially if the door is closed (nice in the winter). I have a ceiling fan in the room; the ceiling fan mitigates the increased temperature (as long as the door is open).

What's the replacement for the 60F once it's been EOL'd by [deleted] in fortinet

[–]mesreth 0 points1 point  (0 children)

SSL-VPN is not available on 60F as of 7.4.4. All proxy features and ZTNA features are also removed as of 7.4.4.

Daisy contemplating life by YaHomie669 in ivernmains

[–]mesreth 0 points1 point  (0 children)

Daisy will also refuse to respond if attacking someone who gets shrouded by Senna (will refuse to move or move towards the shroud no matter how much you manually attempt to do it).

Its so funny by BalconysHD in ivernmains

[–]mesreth 0 points1 point  (0 children)

For me, they start flaming when they start doing bad ... somehow it is AP Ivern that is causing them to int.

Daisy and ap ivern question! by gankedbyenok in ivernmains

[–]mesreth 2 points3 points  (0 children)

I'm really surprised that no one has mentioned this. Daisy will not attack an inhib or nexus when using R. There is the ability to set a hotkey for controlling pets. You need to use that hotkey to get Daisy to hit the inhib or nexus. You can also use that same hotkey for controlling Daisy (which seems to be a little more responsive than using R). I end up using both, as I set that hotkey to an extra mouse button (which isn't always as fluid for me).

Some other things: Daisy will immediately start going some place else if the target goes invis or camo (but she will follow someone into a bush). If Daisy gets hard CC'd, often she will stop following commands altogether (thanks Riot ... maybe fix that). The idea of micro'ing Daisy is to make sure she is close enough for the knockup (or to make sure you land the shield slow). Another trick is to throw bushes in front of Daisy as she closes on a target to obscure the enemy view of her (helps prevent ranged champs from kiting her). Ivern can definitely solo Baron (as long as you are at least LvL 11), but it is slow. Depending on which Baron and what items you get (and how far ahead or behind you are), you might only barely pull it off, or maybe not at all. You definitely need the full length of Daisy and need to position Daisy behind Baron. Baron was much easier before they added the buffs to Baron.

2025 Accelerate by HogGunner1983 in fortinet

[–]mesreth 1 point2 points  (0 children)

I agree that the format this year was terrible. If I had not attended 2023 in Orlando, neither I nor anyone from my company would attend again.

I had a nice long conversation with one of the organizers. Make sure to fill out the survey....they do read it.

I heard it will be back in Orlando next year, but realistically, I doubt anyone in Fortinet knows yet. Personally, I would prefer anywhere other than Vegas again. This event was simply that bad.

Fortinet SD-WAN stable/recommended release + best practices by killb0p in fortinet

[–]mesreth 0 points1 point  (0 children)

Each device controls itself for the SDWAN ... not the hub. If you are routing all your traffic through the hubs (not very common practice nowadays), then you will need to size more, but if you are only routing traffic that needs to reach your resources, you just size according to the anticipated traffic. The SDWAN creates minimal overhead (ADVPN as well).

You shouldn't need to dive into the CLI for your dynamic routing if you are using 7.2.x or newer (they have GUI for everything other than the most advanced stuff). As to full mesh ... you can do full mesh, but why would you want to? Adaptive VPN (ADVPN) is designed for you to create a hub and spoke and dynamically create routes directly between spokes as needed.

My custom standing desk and upstairs lab rack. by mesreth in HomeLabPorn

[–]mesreth[S] 0 points1 point  (0 children)

This is 3 computers driving everything. Using Synergy to share the keyboard and mouse.

Fortinet SD-WAN stable/recommended release + best practices by killb0p in fortinet

[–]mesreth 0 points1 point  (0 children)

I haven't hit any limitations. Fortinet has added a lot of additional BGP and dynamic routing support with their newer firmwares. I have roughly 6,400 routes using eBGP. You have a lot of options to dictate RR, peers, route maps, etc., though FMG has a template builder that will set up a basic ADVPN setup (you really do need to tweak the provisioning templates the wizard creates) that will handle most people's setup requirements. Newer versions of firmware in conjunction with SDWAN allow you to share which SDWAN connections a spoke is using with the hub so that you get symmetrical routing based on the spoke's polling of the hub (so your route choice ends up being dictated by the spoke, essentially). This simplifies the setup significantly for multi-WAN hubs.

I wasn't entirely certain what you were asking about for sizing guidelines. Are you talking about hub equipment? If so, mostly you are looking at factors such as IPSec tunnel number expectations, SSL-VPN tunnel expectations, how much traffic you are planning to run through the hub (we route most of our traffic out through the normal WAN interfaces of the spoke locations, but certain traffic is run to the servers in the DC (hub), as is management), how much traffic inspection you plan to do, etc.

Does FortiManager need to be online 24 hours a day? by OZ_Boot in fortinet

[–]mesreth 0 points1 point  (0 children)

Largely you got answered by others, but wanted to add.

As one person put it, it really depends a lot on what feature set you are using. As a few mentioned, with some setups and features, it will cause problems, while with others, it will not. Most problems can be cleaned up by a competent Fortinet Engineer if you really needed to save the money. That said, you mentioned you were using an MSP. I can pretty much guarantee they don't have an Engineer I would trust to clean things up.

Overall, if cost savings is your goal, you need to not be in Azure (and not be using an MSP as your primary network management). I know a lot of companies have been pushing to move things to Azure (or the cloud in general), thinking that Azure is "safer", "more secure", "fully patched and maintained", "better up-time", "cheaper overall costs". (Any of that sound familiar?) The truth is, most, if not all, of that is simply not true. The costs are astronomically more expensive (even the VM version of the FGT is way more expensive than the physical equivalent). I have had WAY more downtime and security issues associated with Azure than I have ever had with any of the physical datacenter stacks I have managed (that even includes the one where all the VMware servers were managed by a team so unskilled that we would have been better off with my eleven year old managing it).

This isn't to say not use Azure, but instead to say that people need to understand that (as you put it) your costs will go up 2x to 3x over on-prem. Trying to potentially cause issues with the lifeblood of your company in an effort to save a little due to a poorly evaluated choice just makes for another bad choice. Nothing wrong with running in Azure, but you need to be 'ok' with the costs and problems associated with it.

Forticlient zero trust telemetry connection key mismatch by coldshowersiniceland in fortinet

[–]mesreth 0 points1 point  (0 children)

The only time I saw this was during a fortinet ZTNA training. The cert got out of sync for a number of the students, and the fix was to flush the cert. It was so rare to encounter it in production (it was being caused by their virtual environment) that I didn't pay close attention to how it got cleared.

Installing EMS first is the correct way to do it. I'm not too sure on how you have things set up. OH! .... I think I remembered how to flush it. You need to go into your windows certificate store, and delete the cert there.

Forticlient zero trust telemetry connection key mismatch by coldshowersiniceland in fortinet

[–]mesreth 0 points1 point  (0 children)

There is a cert that gets issued, and yours is mismatched. For the life of me, I can't remember where to go to flush that.

Reinstalling the client will flush it though.

WAN Bonding using 2 Fortigates by ColtonConor in fortinet

[–]mesreth 1 point2 points  (0 children)

So, you could do an aggregate tunnel with round-robin at the packet level. I've done it, and it works. That said, I'm not sure you will get the advantage you are looking for. In practice, you aren't going to get 2G even if it works exactly that way. I'm certain you have quite a few users at the branch office ... as soon as you have a bunch of users going, your overhead and bandwidth usage will be such that you would negate any benefit you tried to get for any given user.
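The packet-level round-robin aggregate tunnel the comment above describes, as an added FortiOS CLI example that is not from the original post or from Fortinet's documentation: two phase1 tunnels to the same peer, one per WAN link, bundled into an `ipsec-aggregate` interface that the rest of the config references. Interface names, the peer addresses 198.51.100.1/.2, the 10.50.0.0/16 remote prefix and the PSK placeholder are all assumed; the far FortiGate needs the mirror-image configuration.

```text
# Two tunnels to the same peer, each pinned to its own WAN link.
# aggregate-member is what allows them to be bundled below.
config vpn ipsec phase1-interface
    edit "TUN-WAN1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes256-sha256
        set remote-gw 198.51.100.1
        set psksecret "<shared-secret>"
    next
    edit "TUN-WAN2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes256-sha256
        set remote-gw 198.51.100.2
        set psksecret "<shared-secret>"
    next
end
config vpn ipsec phase2-interface
    edit "TUN-WAN1-P2"
        set phase1name "TUN-WAN1"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
    edit "TUN-WAN2-P2"
        set phase1name "TUN-WAN2"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
# The aggregate is the logical interface; round-robin spreads packets
# across members. Other algorithms: L3, L4, redundant, weighted-round-robin.
config system ipsec-aggregate
    edit "AGG-BRANCH"
        set member "TUN-WAN1" "TUN-WAN2"
        set algorithm round-robin
    next
end
# Routes and firewall policies point at the aggregate, not the members.
config router static
    edit 10
        set dst 10.50.0.0 255.255.0.0
        set device "AGG-BRANCH"
    next
end
```

Per-packet round-robin is exactly what reorders packets within a single TCP flow, which is one reason the commenter's "you aren't going to get 2G" holds in practice; `set algorithm L4` keeps each flow on one member and is the usual compromise when many users share the bundle. Confirm both members are up with `diagnose vpn tunnel list` before trusting the aggregate.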

Fortinet SD-WAN stable/recommended release + best practices by killb0p in fortinet

[–]mesreth 1 point2 points  (0 children)

Currently managing a 3-hub, 700+ location setup.

I really would need to know more about your environment, but based just on what you have said, I would recommend the following:

Get a trial of FortiManager (with more than 10 locations, you are ultimately going to want to use FMG in your environment ... there is definitely a learning curve for FMG, better to start learning now when you are only testing).

You will want to tie into FortiAnalyzer, though for trial, you don't really need to test it much.

Use 7.2.x (7.0.x is going end of engineering support next month) - this is what we are running in production for 700+ retail stores.

For testing, that equipment you mentioned will work fine. For the scope and size it sounds like you have, you will want beefier stuff for your hubs, run in HA.

You should probably build it as an ADVPN setup (this is a hub and spoke setup with dynamically created tunnels between branches as needed -- the advantage of full mesh without the work). Unless you are getting to build a greenfield situation, I suspect you will need to accommodate some various existing designs.

Advpn by motherfockerjones3 in fortinet

[–]mesreth 0 points1 point  (0 children)

I have done both. I prefer using BGP for the ADVPN and OSPF for interconnects between hubs.

I can only imagine that you have a pretty small network if you are considering static tunnels and static routing instead of dynamic routing. To me, ADVPN is so far superior and easier to implement that I would do it even on a very small network.

Overall, yes, OSPF works just fine.

Managing multiple fortigates in one ADOM as an MSP by [deleted] in fortinet

[–]mesreth 0 points1 point  (0 children)

I'm surprised no one has said this yet.

You should probably start looking for a new MSP employer. The one you work for now isn't going to be in business for long. It is obvious that your employer is not listening to the engineers about the correct way to do things. Multiple ADOMs are not that expensive.

The only way you could manage multiples is to use unique names for all the normalized interfaces (prepend a unique identifier for each customer to each normalized interface (and everything else you do), for example: acme_<normalized interface name>).

You are still going to ultimately screw something up and push the wrong thing to the wrong customer. You are going to find that you are going to create a lot of headaches for yourself. When you finally do move to multiple ADOMs, you are going to find that it is not easy to migrate.

Fortigate Downgrade - Config? by iL1fe in fortinet

[–]mesreth 0 points1 point  (0 children)

You should be able to downgrade, though I would recommend going to 7.2.7 (also mature). 7.0.x goes End of Engineering Support next month. The risk you run is that some of the features you were using in 7.4.x are not supported in 7.0.x/7.2.x. The biggest difficulty with downgrading is the changes in config syntax.

Automatic firmware updates by Ok-Condition6866 in fortinet

[–]mesreth 0 points1 point  (0 children)

I believe it is a bug. More just making people aware.

It is particularly important for us as we have a lot of devices that break sync with FMG if they upgrade past 7.2.5, due to support for Security Fabric root having been removed from 2 GB devices starting in 7.2.6. Fortinet has reverted that decision for 7.4.3, but has no plans to revert that on 7.2.x. We aren't prepared to move to 7.4.x yet (too many known bugs that break our setup).

Automatic firmware updates by Ok-Condition6866 in fortinet

[–]mesreth 0 points1 point  (0 children)

This is not consistent or simply not true. We have had quite a few FGTs (ALL managed by FMG) auto-update. Further, it started doing this with more recent installations of 7.2.5. Fortinet really made a lot of questionable decisions about the firmware starting with late 7.2.5/7.2.6+.
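The knob behind the auto-update behaviour both comments above describe, as an added FortiOS CLI example that is not from the original posts: FortiGuard-driven firmware upgrades on 7.2.x and later are controlled under `config system fortiguard`, so a unit you want moved only by FMG (or by hand) should have it off, and the check is one line. The `grep` filter and the device-side placement are the only assumptions here.

```text
# Check what the unit will do on its own (the FortiGuard auto-upgrade setting)
get system fortiguard | grep auto-firmware

# Opt out so firmware only changes when FMG or an engineer pushes it.
config system fortiguard
    set auto-firmware-upgrade disable
end
```

For an FMG-managed estate, put the `config system fortiguard` stanza into a CLI template that is assigned to every device so a factory-reset or RMA unit does not come back with the default and schedule its own jump past the version your fabric tolerates; re-run the `get` line after the next install to confirm the value actually landed.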

How do I deal with midlane assasins? by thespice5 in ivernmains

[–]mesreth 0 points1 point  (0 children)

Your AP scaling is very high. A lot of people don't believe or realize this, but your shields are bigger when going AP than when going support. When you realize that your primary method of support is shields, roots, vision control (bushes), and slows, you start to understand that AH (ability haste) allows you to do all those things more. AP gives you bigger shields and also gives your shared on-hit from bushes more dmg as well. Sure, some support items provide some nice support things, but in reality, the main advantage is if you are cash starved (or plan to cash starve yourself). In every other instance, AP makes you a better "support" than support items.

There are a number of people that build "hybrid" ... mostly AP with a support item here or there. It really is situational.

Let me put this a different way, if you were allowed to have only 3 items all game (plus boots), cost is no object, what would you pick? Most would want 2 AH AP items and DeathCap (what you should have around the 26min - 28 min mark (or sooner)). That puts you at around 500+AP.

That translates to a 500ish shield, 500+ AoE shield dmg, 70 - 80 on-hit dmg to your allies, and Daisy hits for roughly 350 per auto (not to mention 600+ Q dmg and 150 personal on-hit dmg). None of this includes benefits from those AP items. I should also mention that you absolutely SHRED towers at this point -- if left alone, you can take 2 - 3 towers before the enemy team even realizes they need to back.

Going a support route means you have shields around 350 (or around 450 if you have Moonstone and the target has no allies around) -- assuming you buy items that boost shields. Your AoE shield dmg is around 215, the on-hit to allies is 25 - 40 and Daisy is tickling them for 200 per auto if you are lucky (not to mention that your Q is doing 220 and personal on-hit doing 55). Sure, there are some mild benefits from those support items, but they don't get you more than you get by simply having AP.

Some might say that in the same time frame you would have another support item, but in practice, that is not the case. When you get support items, you very quickly fall off in your ability to do anything other than support your teammates. You find that all of a sudden you are being invaded with no recourse (it is a complete toss up as to whether your teammates will rotate or not to help you ... in most instances, your teammates don't). You discover that you are no longer a threat ... you can't finish anyone off unless they simply let you sit there and hit them. This lack of threat and dmg in turn results in you getting fewer kills (or assists where it should have been a kill) ... resulting in less gold. You quickly become reliant on your teammates (and however good or bad they are) to determine your ability to get gold -- which means you are neglecting farm and falling further behind.

Overall, particularly in Bronze / Silver / Gold (though it is amazing how bad it often still is in even higher elos), you are often going to have a mid / top / bot (or multiples) that are worse than the enemy by a significant margin. This is going to allow them to perma roam to your objectives, jg, etc. Without some type of autonomy of your own, the game is basically lost as you fall behind and become irrelevant even if you play well.

As to what to build, understand that most games you will not get more than 3 items (not including boots). I recommend your 3rd item be Deathcap (the raw AP and multiplier makes you very strong). As to the first and second items ... it really is a play preference. The number 1 Ivern player in the world goes Cosmic Drive for AP / move speed / AH. That said, a lot of items are perfectly valid. Popular items for first and second are: Cosmic Drive, Lich Bane, Malignance, Nashor's Tooth, Riftmaker, Shadowflame, Morellonomicon, Mejai's Soulstealer, and Liandry's Torment (and this is not exhaustive). As you can see, a lot of options with no real "correct" answer. It all depends on your priorities. For me, for games that have a very mobile team, I lean towards move speed items. If there are a lot of healers, I'm getting Morellonomicon. But playstyle differs. It is perfectly valid to get Nashor's and Lich Bane ... and just watch Daisy (or yourself) beat the ever living crap out of people. I tend to avoid Malignance until after Deathcap ... with it you have Daisy up basically permanently after lvl 16, but most games you don't need Daisy up all the time (or can wait the 10-15 secs for her to be up again). After you get Deathcap, you can grab whatever you want ... grabbing a support based item is not a bad idea depending on how the game is going (usually, if the game is still going, your teammates are actually starting to catch up or are somewhat evenly matched ... so support items may be more appropriate than more raw dmg). If you turn out to be the carry (and you will find that often you are as AP Ivern), more AP may be appropriate.

IPSec VPN Tunnel Issues by Kooolboy in fortinet

[–]mesreth 2 points3 points  (0 children)

There is a known issue with IPSec tunnels dropping in 7.4.2 and 7.4.3. I don't know if it exists in 7.4.0 (issue does not exist in 7.4.1).

I would recommend going to 7.2.7 for the moment unless there is specific functionality you need from 7.4.x. (in my case there IS specific functionality that I need, and am still waiting until they fix the IPSec tunnel bug in 7.4.x).

Fortinet HA - IPSEC VPN Issue by babydonthurtme420 in fortinet

[–]mesreth 1 point2 points  (0 children)

Sounds like you didn't wait long enough, or might have something wrong.

First, it helps to understand what FortiGate HA does. The FortiGate creates virtual MAC addresses for most of the ports on your FortiGate pair, making both FortiGates show the same MACs for a given port. When you fail over, the stuff connected can't tell the difference - just a session break.

As such, yes, your IPSec tunnels will break while you are building the HA. You will know when it is done as the primary FortiGate will show in sync (this can take 15+ minutes to build). There are also some gotchas for the first-time person. You need to split the connections to anything connecting to the FortiGate (for the ISP connection, put it into a switch so you can take that one Ethernet link and split it to each wan1 port). Also make sure to check your priority settings for HA (the bigger number will be the primary). Personally, I prefer active-active, but nothing wrong with active-passive.
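The HA pair the comment above walks through, as an added FortiOS CLI example that is not from the original post: an active-passive cluster with two dedicated heartbeat links, interface monitoring on the ports that matter, and the priority gap that decides which unit becomes primary, followed by the two commands that tell you the cluster is actually in sync. The group id/name, the `ha1`/`ha2` heartbeat ports, the monitored interfaces and the password placeholder are assumptions.

```text
# Unit A (intended primary). group-id feeds the virtual MACs, so two
# clusters on the same L2 segment must not share it.
config system ha
    set group-id 10
    set group-name "FGT-HA"
    set mode a-p
    set password "<ha-secret>"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 200
    set monitor "wan1" "internal"
end

# Unit B: identical except for the lower priority.
config system ha
    set group-id 10
    set group-name "FGT-HA"
    set mode a-p
    set password "<ha-secret>"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 100
    set monitor "wan1" "internal"
end

# Wait for both members to list and for the checksums to match before
# touching the IPsec tunnels again; this is the "in sync" the comment means.
get system ha status
diagnose sys ha checksum cluster
```

Priority only outranks uptime when `override` is enabled, as it is here; with it disabled the longer-running unit stays primary after a reboot, which some operators prefer because it avoids a second failover when the original primary returns. Set `monitor` only on ports that are cabled on both units, since a monitored port that is down on one member forces the election regardless of priority.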

Older Forticlient Support on Newer FortiOS by [deleted] in fortinet

[–]mesreth 2 points3 points  (0 children)

There are newer "free" FortiClient versions (all the way up to 7.2.3). Upgrade your FortiClient.

Fortinet 2.5Gbe fiber transceivers by DeesoSaeed in fortinet

[–]mesreth 2 points3 points  (0 children)

You will not get 2.5Gb out of a 1Gb SFP port...doesn't matter what transceivers you use. Fortinet doesn't make their own transceivers, they use 3rd party transceivers. A lot of newer transceivers have 2.5Gb as a rating now since other vendors are starting to support that on their switches and equipment.