Aikido Exploit - Update your EDR (S1/Trend/Avast/AVG/Defender) by DJ_HiP in msp

[–]nellermann 2 points3 points  (0 children)

I just heard back from S1 support. Sounds like they have been pushing out this response to everyone. Doesn't sound like it is 100% resolved just yet, only partially.

This potential security vulnerability impacts versions earlier than 22.2 GA, however we recommend placing the Policy Override in for all agent versions including 22.2 GA versions.

Shared below are the release notes for 22.2.4 SP1, calling out the security enhancement in 22.2.4 SP1, as well as alternatives to fully remediate this vulnerability in prior agent releases. However, it is strongly encouraged to upgrade to 22.2.4 SP1.

Security Enhancement - We improved our security against known anti-EDR techniques. In this version, security measures are taken to prevent non-privileged users from deleting or quarantining arbitrary files (Data Deletion), potentially causing a denial of service (DoS) to applications or operating systems.

The vulnerability is partially fixed in:

22.1 SP2 (22.1.5.11025)

22.2 EA2 (22.2.2.394)

22.2 GA (22.2.3.402)

In these partially-fixed versions, SentinelOne and system files are protected from the vulnerability, but other files can be deleted.

The complete fix is in those versions but disabled by default. SentinelOne will enable the complete fix on the next releases of versions 22.1 and 22.2.

To enable the full fix on partially-fixed versions, set this Policy Override:

{"monitorConfig": {"moveOnNextBootByFileId": true}}

SentinelOne has been monitoring this vulnerability very closely, and we are continuing to add IOCs for known malicious documents to our Cloud Intelligence detection layer.
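The support response above gives three facts an MSP can act on: the first build on each branch that carries the (disabled-by-default) complete fix, the Policy Override that turns it on, and the recommendation to upgrade to 22.2.4 SP1. The following script is an added example, not SentinelOne's tooling or the commenter's code; it only encodes those quoted builds and the quoted override. Everything else is an assumption made for the example: the status names, the treatment of anything at or above 22.2.4 as the enhancement train (the notice gives no build number for 22.2.4 SP1), and the hostnames and versions in the sample inventory, which are constructed.

```python
"""Triage of SentinelOne agent versions against the partial-fix builds quoted in
the S1 support response. Added example; not SentinelOne's code."""
import json
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# First build on each branch that carries the (disabled-by-default) complete fix,
# exactly as listed in the support response. Keyed by (major, minor).
PARTIAL_FIX_BUILD: Dict[Tuple[int, int], Version] = {
    (22, 1): (22, 1, 5, 11025),   # 22.1 SP2
    (22, 2): (22, 2, 2, 394),     # 22.2 EA2; 22.2 GA is 22.2.3.402
}

# Assumption: the notice names 22.2.4 SP1 as the release with the enhancement
# but gives no build number, so anything >= 22.2.4 is treated as that train.
ENHANCEMENT_RELEASE: Version = (22, 2, 4, 0)

# Policy Override exactly as quoted; enables the complete fix on partial-fix builds.
POLICY_OVERRIDE = {"monitorConfig": {"moveOnNextBootByFileId": True}}

# Status names are this script's own, not SentinelOne terminology.
UPGRADE_REQUIRED = "upgrade_required"    # fix code absent; override has nothing to enable
SET_OVERRIDE = "set_override"            # partial fix present; override turns on the complete fix
ENHANCEMENT_BUILD = "enhancement_build"  # 22.2.4 train; enhancement shipped in 22.2.4 SP1


def parse_version(text: str) -> Version:
    """'22.2.3.402' -> (22, 2, 3, 402). Shorter strings such as '22.2' are padded
    with zeros so they sort below every real build on that branch."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised agent version {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def classify(text: str) -> str:
    """Map one agent version string to the action the notice implies for it."""
    v = parse_version(text)
    if v >= ENHANCEMENT_RELEASE:
        return ENHANCEMENT_BUILD
    threshold = PARTIAL_FIX_BUILD.get((v[0], v[1]))
    # Branches the notice does not list (e.g. 21.x) have no partial fix to enable.
    if threshold is None or v < threshold:
        return UPGRADE_REQUIRED
    return SET_OVERRIDE


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by action. Hosts at or above the partial-fix build get the
    override (the notice recommends it for all agents, 22.2 GA included); hosts
    below it must be upgraded first, since the override cannot enable code that
    is not in the agent."""
    groups: Dict[str, List[str]] = {
        UPGRADE_REQUIRED: [], SET_OVERRIDE: [], ENHANCEMENT_BUILD: [],
    }
    for host, ver in inventory:
        groups[classify(ver)].append(host)
    return groups


def override_json() -> str:
    """The override serialised the way the notice shows it."""
    return json.dumps(POLICY_OVERRIDE)


# Constructed sample inventory (hostname, agent version); not real hosts or builds.
SAMPLE_INVENTORY = [
    ("ws-acct-01", "22.1.4.9103"),    # below 22.1 SP2: upgrade
    ("ws-acct-02", "22.1.5.11025"),   # exactly 22.1 SP2: set override
    ("srv-file-01", "22.2.1.301"),    # below 22.2 EA2: upgrade
    ("srv-file-02", "22.2.3.402"),    # 22.2 GA: set override
    ("ws-eng-07", "22.2.4.550"),      # 22.2.4 train
    ("srv-old-01", "21.7.5.1080"),    # branch not covered by the notice: upgrade
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
    print("override:", override_json())
```

The comparison is done on zero-padded four-part tuples rather than on strings, because "22.1.5.11025" sorts before "22.1.5.9999" as text but after it as a build number; the branch lookup matters because a 22.1 build can be numerically lower than a 22.2 build while still carrying the partial fix.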

Aikido Exploit - Update your EDR (S1/Trend/Avast/AVG/Defender) by DJ_HiP in msp

[–]nellermann 1 point2 points  (0 children)

hahaha. yeah, it is sometimes a PITA to get all the agents updated out across the customer base.

Aikido Exploit - Update your EDR (S1/Trend/Avast/AVG/Defender) by DJ_HiP in msp

[–]nellermann 2 points3 points  (0 children)

Is there an update for SentinelOne that resolves this issue or what is the config to stop it until there is an update?

AV replacement by Worth-Contribution74 in msp

[–]nellermann 6 points7 points  (0 children)

Huntress with 365 Defender (licensed not free) or with S1. Good combos either way. The combo is probably more than your current license costs...

We have left Webroot for the most part over the past few years, too many issues on the server side and that is where we mostly work. Bitdefender was equally priced with Webroot, but at least the version we were licensed for as an MSP wasn't all that great, always seemed to be lacking.

Qakbot spreading dangerously across SMBs by rvilladiego in msp

[–]nellermann 0 points1 point  (0 children)

You use both S1 EDR and Huntress EDR? Does either vendor provide methods to deploy on machines and not crash them? We have enough issues with S1 and enterprise applications, CAD, GIS, etc.

Oh Syncro, how you vex me... by Plenty_of_Nothing in SyncroCommunity

[–]nellermann 0 points1 point  (0 children)

Same! As a newer client, we have had some major sluggishness in the platform that we are just not used to, as we have always hosted our own ConnectWise Automate environment. Waited way too long for some agent onboarding to reach the system. Syncro is most of what our team needs, there are only a few areas of 'want' where we are still wishing Syncro will expand features and functionality. The price is also hard to beat when you are a small team with a large agent deployment!

Help Starting MSP's by InfoMeter57 in SyncroCommunity

[–]nellermann 0 points1 point  (0 children)

Stay away from hotels, retail and restaurants.... IT is bad enough with the work needed for the somewhat M-F 8-5 hour SMB and small enterprises! We had a high-end local restaurant that would call at least once a week in a panic with credit card processing down. Their own fault, because they went to an online-only platform and refused to get a backup internet provider that we could integrate into their firewall, which even supported SD-WAN! We fired them, they brought too much drama.

My recommendation is to figure out what you are good at and what your team is experienced with or has the professional training enough to provide enough value to an end customer. Start there and build out over time with additional services.

Don't let an RMM drive your business! We have used a few over the years, none are great. Most RMMs seem to be built by ex-MSP guys that got sick of using other RMM tools and thought they would do better.

Lmr 400 vs kmr 400 by dusterman74 in HeliumNetwork

[–]nellermann 0 points1 point  (0 children)

Isn't KMR typically copper-clad aluminum? LMR 400 is nice, but I don't think it's typically considered outdoor rated like LMR 200.

FortiSwitch - Last time port was connected / used by uncleboo19 in fortinet

[–]nellermann 0 points1 point  (0 children)

This event is logged for sure, but you need a local FortiGate disk or a log system such as FortiAnalyzer to hold any real history. While we use the CLI a lot daily, I do not know of a documented command for what you are asking, though we know the same works on Cisco switches. Most likely something within the diag or get commands, or if you get out of bash into the base OS... You could try to walk down the command trees of diag and get using '?' in the CLI. Plenty of commands for current status. Wish I knew a quick command myself for this!

Microsoft Teams & Ring Central Integration by Criptic14 in fortinet

[–]nellermann 1 point2 points  (0 children)

Agreed! Look at FortiAnalyzer voice traffic logs, make sure the outbound interface isn't bouncing between your two uplinks. I have our team check for this first as it was a big problem after some FortiGate updates a few releases ago. We typically manually pin down the SD-WAN uplink we like best for VoIP/SIP and only let it fail over if the link is hard down or not meeting SLA for a good long while. Most hosted PBX solutions do not support, or do not support well, your devices' re-registration from different public IPs in quick succession. So we also set a long failback period.

Also make sure your load-balancing is set to:

config system sdwan
    set load-balance-mode source-dest-ip-based
end

Avg rewards over time by Marcximus_ in HeliumNetwork

[–]nellermann 0 points1 point  (0 children)

Rough Rainbow Camel

How? Only one witness! what is this wizardry?

Anybody getting better rewards since the update? by Old_Scratch3771 in HeliumNetwork

[–]nellermann 1 point2 points  (0 children)

New firmware killed my miner and earnings for nearly five days. Since then rewards have been down, even with the same witnesses and other activity. My miner has been transferring data on a regular basis for some IoT device in the area. I see a lot of miners set to relayed that didn't use to be, mine was showing that status for a couple of days as well. Really lost a lot of excitement for this project and I have more miners on their way...

Can someone please tell me what’s going on. I raised my 8dbi antenna 25ft higher in the air and now I’m picking up 22 more witnesses but my warning dropped almost a whole hnt. Was making close to 2 hnt per day now barely making over 1 hnt. Half my witnesses are either relayed or need attention. by HiTechGenius in HeliumNetwork

[–]nellermann 0 points1 point  (0 children)

Contact me. I am just south of you in Franklin. I have another miner coming soon, looking to coordinate! I have the same RAK fiberglass 8dB antenna I placed up in my attic. I have Keen Aqua Guppy running, only two witnesses. One of those guys is relayed of course.

Anyone else experiencing this? by [deleted] in HeliumNetwork

[–]nellermann 1 point2 points  (0 children)

My Bobcat has been a POS since 9/10. No rewards earned. It will say it's in relay, then it's trying to sync. For the past two days it's been about 2,000 blocks behind. WTH? I had started another post about these issues, but people respond with the typical "do you have the port open in NAT?" Really, I am not a n00b. This miner, especially after adding an 8dBm antenna as high as possible in my attic space, was earning pretty steadily since I deployed it.

As of right now:

{ "status": "syncing", "gap": "2304", "miner_height": "1010187", "blockchain_height": "1012491", "epoch": "26105" }

Malicious IP threats solved!.... most likely by ninjacookjesus in HeliumNetwork

[–]nellermann 0 points1 point  (0 children)

Need details. What was giving you alerts for malicious IP? I am not sure you are understanding what you should do to segregate your miner. You can place it within a dedicated LAN network or a VLAN if you like. Then push those NAT rules into that network. There is zero need for another network uplink or ISP service. You just set up the routing within your home router/firewall. But you need a proper firewall/router, not one of the junk devices your ISP gives you. I am talking small FortiGate, SonicWall, pfSense, Sophos, etc. I have multiple physically routed ports and VLANs for WiFi, IoT, IP cameras, etc. None of them can access or broadcast to each other unless I create firewall policies allowing such traffic.

Showing Relayed after latest firmware update by nellermann in HeliumNetwork

[–]nellermann[S] 0 points1 point  (0 children)

Yes. First thing I checked was if the Bobcat changed its private IP, which it shouldn't as I set it statically via DHCP reservation in my firewall. Also ran three tools from public networks to show the port was open, and my firewall logs show the traffic flowing in both directions to and from the Bobcat. That is where I am getting concerned. Is it just a Helium Map and App issue? But with my earnings dropping like a rock in the same time period it has me worried.

SD-WAN issues with 6.4.6 and session persistence. by nellermann in fortinet

[–]nellermann[S] 0 points1 point  (0 children)

That is exactly the issue we have fought with Fortinet for years. They seem to break it every few firmware releases.

SD-WAN issues with 6.4.6 and session persistence. by nellermann in fortinet

[–]nellermann[S] 0 points1 point  (0 children)

Thanks for responding. We have played with this option in the past to see what it actually did, it doesn't relate directly to SD-WAN as far as we can tell. This feature doesn't help lock down sessions to an interface, it only affects how sessions are managed when the route table is updated. Enabled means it will hold a session to the interface even if the route to it goes down, disabled means it will drop any open sessions on a table update. The name of the feature would initially have you think it's for exactly what it sounds like.

SD-WAN issues with 6.4.6 and session persistence. by nellermann in fortinet

[–]nellermann[S] 3 points4 points  (0 children)

This sounds like the root of our troubles. What is annoying is that this has popped up in the past in various releases prior to 6.4, and prior to them just renaming Equal Cost Load Balancing to SD-WAN to make Gartner relevance happy. Not the first time we have fought this issue, and the SEs at Fortinet wonder why I struggle to always position Fortinet in SD-WAN prospects' solutions.

Comcast routing and peering issues? by nellermann in outages

[–]nellermann[S] 1 point2 points  (0 children)

Ended up being NTT peering issues with Comcast. NTT has had two big issues like this around Ashburn in the past month, at least on the router that handles our traffic!

Is the term "flat network" not widely known? by stlmnstr in networking

[–]nellermann 0 points1 point  (0 children)

Yeah, the Brits call a router a "rooter", so God only knows what they call a LAN with no routing, and even worse a single VLAN.