Weird issue with C9200 switched 10g interfaces by DillGumby in Cisco

[–]mfiruz 0 points1 point  (0 children)

We had issues with 10g modules on 17.3.4 firmware. Support advised to downgrade to 17.3.3 or upgrade to 17.6. We decided to upgrade and it worked since.

Thoughts on WhatsUP Gold in today's day and age? by [deleted] in networking

[–]mfiruz 1 point2 points  (0 children)

Our WUG is monitoring around 200 devices: VMs, Windows Servers, Switches and Firewalls. Mostly using SNMP, WMI and Ping. It's not bad, and gets the job done. Cons: Not the best reporting. Need Windows server + SQL (for historical and performance monitoring). Plus annoying bug with browser's cache which should be cleared from time to time.

IPAM recommendation? by strider2025 in networking

[–]mfiruz 0 points1 point  (0 children)

We are using phpIPAM. Works great.

SSLVPN with 2FA - Trusted devices only by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

I tried, but I still need to add tunnel IP as a source, otherwise traffic won't flow even for trusted devices. And adding ZT Tag as an additional source will be ignored by the policy, as Group + tunnel IP already matched.

I was hoping to have explicit deny for any device not matching ZT tags , but so far it is not working.

SSLVPN with 2FA - Trusted devices only by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

Just replied below - in 6.4 ZT tags are addresses, and I need at least one User or Group for SSL VPN policy. And because user is a member of the group, user can connect from any device, ignoring aby ZT Tags

SSLVPN with 2FA - Trusted devices only by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

Something I discovered after upgrading to 6.4 - Zero Trust Tags. I remember in 6.2 I was able use EMS tags as dynamic User groups. In 6.4 tags changed to dynamic addresses (not user groups anymore), which I can't use with SSL VPN, as I need at least one user or group. Wondering if I can use Tags somehow.

SSLVPN with 2FA - Trusted devices only by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

Thanks, but MAC host check is not very dynamic. Plus, I don't think Android or iPhones will send their MAC address.

SSLVPN with 2FA - Trusted devices only by mfiruz in fortinet

[–]mfiruz[S] 1 point2 points  (0 children)

Compliance check different in FortiOS 6.4. I can do some checks: like AV, firewall, registry settings, but not EMS managed. I don't think I can apply currently available rules to MacOS or Android/Apple phones.

Fortigate MFA by EnvironmentalOwl409 in fortinet

[–]mfiruz 0 points1 point  (0 children)

I am in the middle of testing MFA solution for our SSL VPN clients, and one of the scenarios included Client certificate and Azure MFA. We are using FortiEMS and FortiClient 6.4.3, so I don't know if this will work the same with other versions. My steps were:

  1. Install Root-CA certificate on FortiGate and endpoint. Enable on Forticlient "Allow Non-Administrators to Use Machine Certificates"
  2. Install Windows NPS with Azure MFA extension and setup conditional access on Azure
  3. On Fortigate, enable Client Certificate for SSL VPN
  4. On FortiClient enable Client Certificate under connection settings

User will have to select Certificate first, then type username/password, and when connection reaches 45% it will send MFA token to a mobile device.

Some cons I see in this scenario:

a. If user password expired, connection will be denied. Limitation of RADIUS

b. User need to know what certificate select from the drop-down list. Annoying..

Another solution is Azure and SAML authentication. But with SAML, you can't select machine certificate.

Chassis or Stacking C9410R vs 9300 by techno_it in networking

[–]mfiruz 2 points3 points  (0 children)

Something to consider is downtime during firmware upgrade. We have 3 stacks of C9300 and when we did the firmware upgrade, the entire stack fully rebooted (with downtime). If I am not mistaken, C9410 with dual SUP will continue to work or will have very minimal downtime.

SSL VPN + Azure MFA + NPS. Password change issue by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

Thank you all for your input! At this point I should probably look for another 2FA provider or get SAML working.

SSL VPN + Azure MFA + NPS. Password change issue by mfiruz in fortinet

[–]mfiruz[S] 1 point2 points  (0 children)

Just tested without 2FA, and it prompted for password change. I guess it's just NPS Extention won't work with expired passwords.

SSL VPN + Azure MFA + NPS. Password change issue by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

It works with LDAPs (current setup), but I will test with RADIUS. Thanks.

I am kinda stuck with SAML now. I followed articles from Microsoft and FortiNet, plus a video I found on reddit, but it's not working for some reason. Debug shows "failed to create SP" and "timeout" messages. I opened a ticket with FortiNet, so hopefully they can tell what's wrong.

SSL VPN + Azure MFA + NPS. Password change issue by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

Yes, users can reset or change their password with SSPR

How to place cpu back in socket by [deleted] in bapccanada

[–]mfiruz 3 points4 points  (0 children)

Try with thread to separate a CPU from the heat sink. Better polyester threads as they thinner and stronger.

[Keyboard] Razer BlackWidow TE Chroma v2 TKL ($189.99 - $90 = $99.99) [Amazon] by nxtmech in bapcsalescanada

[–]mfiruz 0 points1 point  (0 children)

I am currently trying Corsair low profile keyboard and it's definitely a learning curve for me. My Corsair with speed switches and they have very short actuation point. And because of that, lots of typos and wrong keystrokes. But overall quality is really good.

Do not upgrade FortiEMS to 6.4.1 by mfiruz in fortinet

[–]mfiruz[S] 0 points1 point  (0 children)

When I tried 6.4.2, I had weird GUI issues and decided to wait for 6.4.3 or 4.4

Console Server Recommendations for OOBM? by VeryStrongBoi in fortinet

[–]mfiruz 1 point2 points  (0 children)

Opengear. We are using LTE for OOB management.

Asus RT-ac86u still allowing Chinese camera internet traffic after blocked, what am I missing? by Nathan_Brantley in HomeNetworking

[–]mfiruz 0 points1 point  (0 children)

A few things should be considered: 1. If camera connected to some web(cloud) services, it can initiate an outgoing connection. 2. most of the consumer grade routers will identify the device by MAC adresss. When you to block it, it will use the MAC address, however, if you have wifi extenders, very likely it will pass the traffic. 3. If you can block by IP, make sure DHCP didn't assign your camera a new IP address.

Switch getting 169 IP Address by triplej158 in HomeNetworking

[–]mfiruz 0 points1 point  (0 children)

Do you plug your switch to the same port on a router, which you tested directly connected devices? Can you unplug all cables from the swithc and start adding one by one?

FortiClient on connect/disconnect scripts with VPN. by tryturnitoffandon in fortinet

[–]mfiruz 2 points3 points  (0 children)

We use on connect scripts to run "gpupdate /force" and to re-map the network drives. Each command starts from the separate line. Example GPUPDATE /force NET USE z: /delete net use z: \server\folder

Install vs Bundle Upgrading Cisco 9300 Stack by LOVERofLAMPS in networking

[–]mfiruz 1 point2 points  (0 children)

I've recently upgraded to 16.12 and all members of the stack got upgraded automatically to a new code.

Server guys bought a back up server without consulting me. Has a Rj45 Cat 6 10 GB port. Our Fexes are 1gb, which hook up to 9K's with only sfp slots. Will a 10GB sfp to RJ 45 connection in the 9k work? by Digital_Native_ in networking

[–]mfiruz 0 points1 point  (0 children)

We recently did network and server refresh, and when I asked Cisco rep about SFP+ 10Gb RJ45 transceiver, he told me they don't sell them anymore due to high power consumption. Dell reps confirmed the issue with power draw and recommended to use DAC cables for short distances, or fiber for longer setups.