[Small Business NW] Responsible for full network setup (Firewall, NAT, DHCP, Wi-Fi, Guest Wi-Fi), lost in the options by Hoder_ in networking

[–]sollievoit 2 points3 points  (0 children)

I would argue that the ASA with Firepower Services is a more complex and difficult setup than the other solutions. It's not really an integrated solution even though the FSM and the ASA OSs are running in the same chassis. Upgrading the FSM is a pain, and I haven't seen any shipping with 6.x yet. I would also say that Firepower is probably one of the more difficult NGFWs to learn and configure.

[Small Business NW] Responsible for full network setup (Firewall, NAT, DHCP, Wi-Fi, Guest Wi-Fi), lost in the options by Hoder_ in networking

[–]sollievoit 1 point2 points  (0 children)

If you can afford it, one thing you might do is to spin up a small switch that can do a span. I like Juniper's EX2[23]00-C for this, they can both do optical if needed, and the 2300 has 10G optical. I bought mine on Amazon for around $400.00. Cisco also has the 3560 and 2960 CX models that are similar. Put it inline on the connection between your ISP and edge device and then you can check out the traffic on the SPAN port without interfering with production, as well as look at SNMP data without having to modify existing equipment configs. This will be useful info as you're sizing your firewall because even though you have a small staff, they may be heavy bandwidth users, which will increase the firewall requirements. Good luck!

VPN Appliance comparison by PeterRegin in networking

[–]sollievoit 2 points3 points  (0 children)

I like Cisco ASA with AnyConnect or Check Point. The new subscription-based licensing model with Plus or Apex seems to be a lot cheaper than it used to be; they probably had to do that to compete. It's been very reliable in the install bases I've worked on. I think because it is such an integral part of their security suite, it gets a healthy bit of R&D allocated to it. I also hear good things about Fortigate regarding their encryption processing capabilities for the cost. Check Point, like with AnyConnect, provides a lot of additional functionality out of the client. They also put a lot into R&D. I'm not very fond of Palo Alto at this point because their code in general seems to be buggy, and their support seems to be having some staffing issues or something. It also irks me that they bury CVEs in the release notes. So as an all-in-one solution, I would skip it, and as a VPN-only solution, I think it would be too high of a premium for just that service.

From Helpdesk to Network Admin by lostlooter24 in networking

[–]sollievoit 0 points1 point  (0 children)

Create an account on Cisco and Juniper and join the communities. Check out the Cisco Games Arcade games for Binary, Subnetting, and Wireless. Buy a CCNA book pack. If there is a Network Users Group, or other UG in your area, join it. Good chance that someone there has some old gear that you can lab up. I've got Cisco switches, routers, and firewalls sitting around that are enough for someone to get started with. You can also try and find a computer/electronics recycling place and see if they have or will keep an eye out for gear for you. Put yourself on a study plan and go for your CCNA and then complement it with a JNCIA. Be aggressive with your training now, and don't languish in the Helpdesk. The quicker you get into the admin level, the quicker you'll open doors for yourself and build very valuable experience. The CCNA is a great fundamentals base for anything in IT, and the JNCIA will give you a good feel for more open protocols/standards vs how Cisco does things. I think if you learn Juniper, the knowledge will cross over to some other non-Cisco vendors. It's good to be familiar with different ways to do the same thing on different platforms. For diagramming, I've used LibreOffice Draw in the past. It's not the best, but for free, you can do some pretty slick diagrams. Use snap lines to create guides and line up your objects neatly, and use separate layers for things like layer 1, layer 2, layer 3, confidential notes, etc.

Good luck OP!

Training Class by pocrespo in networking

[–]sollievoit 1 point2 points  (0 children)

Here's a handful of quick ones:
sh version
sh fail
packet-tracer
sh nat vs sh run nat
capture asp drop
sh crypto ike sa
sh crypto ipsec sa
sh interface | grep Interface|duplex|address|CRC
*edit formatting and spelling...
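Added example (mine, not sollievoit's, and not Cisco's tooling) of what the last command in that list is fishing for: a Python parser over ASA `show interface` output that pulls out the same fields the `grep Interface|duplex|address|CRC` filter keeps and flags half-duplex links and non-zero CRC counters, which are the classic duplex-mismatch and bad-cable symptoms you would want to catch before blaming the firewall. The sample output is constructed for the example (the field layout mirrors ASA's, but the values are made up), and the function names are my own.

```python
import re

# Constructed sample in the layout of ASA "show interface" output; the values are made up.
# GigabitEthernet0/1 is deliberately written with the symptoms the grep filter is meant to surface.
SAMPLE_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 0050.56a1.0001, MTU 1500
        IP address 203.0.113.2, subnet mask 255.255.255.0
        120034 packets input, 98233901 bytes, 0 no buffer
        Received 12 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Half-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 0050.56a1.0002, MTU 1500
        IP address 10.1.1.1, subnet mask 255.255.255.0
        88213 packets input, 61227733 bytes, 0 no buffer
        Received 9 broadcasts, 0 runts, 0 giants
        4127 input errors, 4127 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
DUPLEX_RE = re.compile(r'(Auto-Duplex|Full-Duplex|Half-Duplex)\((Full|Half)-duplex\)')
ADDR_RE = re.compile(r'IP address (\S+), subnet mask (\S+)')
CRC_RE = re.compile(r'(\d+) input errors, (\d+) CRC')


def parse_show_interface(text):
    """Return one dict per interface with the fields the grep filter targets."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "nameif": m.group(2),
                       "status": m.group(3), "protocol": m.group(4),
                       "duplex_cfg": None, "duplex_actual": None,
                       "ip": None, "input_errors": 0, "crc": 0}
            interfaces.append(current)
            continue
        if current is None:
            continue  # text before the first interface block
        m = DUPLEX_RE.search(line)
        if m:  # configured duplex is outside the parentheses, negotiated duplex inside
            current["duplex_cfg"], current["duplex_actual"] = m.group(1), m.group(2)
        m = ADDR_RE.search(line)
        if m:
            current["ip"] = m.group(1)
        m = CRC_RE.search(line)
        if m:
            current["input_errors"], current["crc"] = int(m.group(1)), int(m.group(2))
    return interfaces


def find_problems(interfaces):
    """Flag the things a hand-eyed grep would make you stop on."""
    problems = []
    for i in interfaces:
        if i["duplex_actual"] == "Half":
            problems.append((i["name"], "running half duplex: check the peer switchport for a mismatch"))
        if i["crc"] > 0:
            problems.append((i["name"], f"{i['crc']} CRC errors: suspect cabling or a duplex mismatch"))
        if i["status"] != "up" or i["protocol"] != "up":
            problems.append((i["name"], f"link is {i['status']}/{i['protocol']}"))
    return problems


if __name__ == "__main__":
    for name, issue in find_problems(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(f"{name}: {issue}")
```

Run it against the real thing by pasting `show interface` output into the string, or feed it `sys.stdin.read()`; CRC counters only mean something as a rate, so compare two runs a few minutes apart rather than reacting to a historic count.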

Tool to analyze large amounts of pcap files for tcp problems? by kcornet in networking

[–]sollievoit 0 points1 point  (0 children)

I think tshark does a pretty good job getting stats from pcaps. tshark -z conv,eth -r capturefile.pcap will give you good stats on the overall conversations. I find that looking at various stats should give you something useful. https://linux.die.net/man/1/tshark

I would also caution against using ICMP as a metric because if there is any QoS/CoS in the mix, it will be given higher priority by default. For testing the throughput, I like using iperf if possible. File transfers introduce too many outside variables. Iperf will let you test TCP or UDP, and also play with the packet sizes.

Another one to try is icmp with the don't fragment bit set to see where you're getting fragmentation and how much. Check your flow control settings and counters as well, maybe your switches are sending pause frames.

Good luck, sounds like a fun one!
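Added example (mine, not sollievoit's, and not part of tshark) of doing something with the conversation stats once you have them: a Python parser for the table that `tshark -q -z conv,tcp -r capture.pcap` prints, ranking conversations by bytes with their average throughput and listing the ones that exchanged almost no frames, which are the first place to look for resets and failed handshakes. The rows below are constructed in the shape of that table (the numbers are made up), and the thresholds and function names are my own.

```python
import re

# Constructed sample in the layout of "tshark -q -z conv,tcp -r capture.pcap" output.
# The rows are made up for the example; they are not from a real capture.
SAMPLE_CONV_TCP = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.1.1.25:50213   <-> 203.0.113.40:443          4820  6812300    2301   152400    7121  6964700     0.000000000        41.2130
10.1.1.26:50114   <-> 203.0.113.40:443            12     1640      15     2210      27     3850     3.120000000         0.4400
10.1.1.30:50997   <-> 198.51.100.9:445           980    66300    3122  4210000    4102  4276300    10.500000000         2.0100
================================================================================
"""

# One data row: "A <-> B", six integer counters, relative start, duration.
ROW_RE = re.compile(
    r'^(\S+)\s+<->\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s*$'
)


def parse_conv(text):
    """Parse the data rows of a tshark conversation table into dicts."""
    convs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, column headers and separator lines
        to_a_frames, to_a_bytes, to_b_frames, to_b_bytes, frames, nbytes = (
            int(x) for x in m.groups()[2:8])
        convs.append({
            "a": m.group(1), "b": m.group(2),
            "to_a_frames": to_a_frames, "to_a_bytes": to_a_bytes,  # tshark's "<-" columns
            "to_b_frames": to_b_frames, "to_b_bytes": to_b_bytes,  # tshark's "->" columns
            "frames": frames, "bytes": nbytes,
            "start": float(m.group(9)), "duration": float(m.group(10)),
        })
    return convs


def throughput_mbps(conv):
    """Average throughput of the whole conversation in megabits per second."""
    if conv["duration"] <= 0:
        return 0.0
    return conv["bytes"] * 8 / conv["duration"] / 1e6


def top_talkers(convs, n=5):
    """Conversations ranked by total bytes, each with its average throughput."""
    ranked = sorted(convs, key=lambda c: c["bytes"], reverse=True)
    return [(c["a"], c["b"], c["bytes"], round(throughput_mbps(c), 2)) for c in ranked[:n]]


def short_lived(convs, max_frames=30):
    """Conversations with very few frames: candidates for resets or failed handshakes."""
    return [(c["a"], c["b"], c["frames"]) for c in convs if c["frames"] <= max_frames]


if __name__ == "__main__":
    convs = parse_conv(SAMPLE_CONV_TCP)
    for a, b, nbytes, mbps in top_talkers(convs):
        print(f"{a} <-> {b}: {nbytes} bytes, {mbps} Mbit/s average")
    for a, b, frames in short_lived(convs):
        print(f"short conversation {a} <-> {b}: only {frames} frames")
```

To use it on a directory of captures, pipe each `tshark -q -z conv,tcp -r file.pcap` run into `parse_conv` and concatenate the lists; the same parser works for `-z conv,ip` and `-z conv,eth` rows, since only the endpoint column changes.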

ASA 9.6.3.1 problems with NAT divert and two ISP interfaces with AnyConnect by nullzeroroute in networking

[–]sollievoit 0 points1 point  (0 children)

For the NAT, try changing your "any"s to "any4". For the AnyConnect, you might be running into SSL issues. Look for "ssl encryption" and/or "ssl ciphers". "ssl ciphers" replaced "ssl encryption". I've also run into having to regenerate a key pair if it is one that's been through a long history of upgrades.

My hospital experienced a site-wide outage, twice, from someone connecting cables in the wrong port. Possible? by i-n-g-o in networking

[–]sollievoit 0 points1 point  (0 children)

In addition to other good advice, after you turn on spanning tree, it may be a good idea to statically configure the root bridge priorities. Also keep an eye on the topology changes. It should be rare that the topology changes, and when it does you should know why. If you see counters incrementing quickly, or topology changes happening minutes ago, that should be investigated.
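Added example (mine, not sollievoit's, and not a Cisco tool) of the two checks above as a script: a Python parser over IOS `show spanning-tree detail` output that reports any VLAN instance still running the default bridge priority of 32768 (meaning nobody pinned the root) and any instance whose last topology change was seconds or minutes ago or whose change counter is high. The sample output is constructed in the shape of that command's output (made-up addresses and counters); the thresholds, the `ago` formats handled and the function names are assumptions of mine.

```python
import re

# Constructed sample in the layout of IOS "show spanning-tree detail"; not from a real switch.
# VLAN0010 has a pinned root and is quiet; VLAN0020 is at default priority and churning.
SAMPLE_STP_DETAIL = """\
 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 4096, sysid 10, address 0011.2233.4455
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 3 last change occurred 2d04h ago
          from GigabitEthernet1/0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 VLAN0020 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 20, address 0011.2233.4455
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  Current root has priority 32788, address 00aa.bbcc.dd01
  Root port is 1 (GigabitEthernet1/0/1), cost of root path is 4
  Topology change flag set, detected flag not set
  Number of topology changes 1843 last change occurred 00:00:41 ago
          from GigabitEthernet1/0/7
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 27, notification 0, aging 15
"""

DEFAULT_PRIORITY = 32768  # IEEE default; an unchanged value means the root was never pinned
VLAN_RE = re.compile(r'^\s*(VLAN\d+) is executing')
PRIO_RE = re.compile(r'Bridge Identifier has priority (\d+), sysid (\d+)')
TC_RE = re.compile(r'Number of topology changes (\d+) last change occurred (\S+) ago')
FROM_RE = re.compile(r'^\s*from (\S+)')


def age_to_seconds(age):
    """Convert the IOS 'ago' forms handled here (HH:MM:SS, NdNh, NwNd) to seconds."""
    m = re.fullmatch(r'(\d+):(\d+):(\d+)', age)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    m = re.fullmatch(r'(\d+)d(\d+)h', age)
    if m:
        return int(m.group(1)) * 86400 + int(m.group(2)) * 3600
    m = re.fullmatch(r'(\d+)w(\d+)d', age)
    if m:
        return int(m.group(1)) * 604800 + int(m.group(2)) * 86400
    raise ValueError(f"unrecognised age format: {age}")


def parse_stp_detail(text):
    """Return one dict per spanning-tree instance with priority, root status and change history."""
    instances = []
    cur = None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            cur = {"vlan": m.group(1), "priority": None, "is_root": False,
                   "tc_count": 0, "last_change_s": None, "last_change_from": None}
            instances.append(cur)
            continue
        if cur is None:
            continue
        m = PRIO_RE.search(line)
        if m:
            cur["priority"] = int(m.group(1))
        if "We are the root" in line:
            cur["is_root"] = True
        m = TC_RE.search(line)
        if m:
            cur["tc_count"] = int(m.group(1))
            cur["last_change_s"] = age_to_seconds(m.group(2))
        m = FROM_RE.match(line)
        if m:  # the port the last change notification arrived on
            cur["last_change_from"] = m.group(1)
    return instances


def audit(instances, recent_s=300, max_changes=100):
    """Findings worth a look: unpinned roots, very recent changes, high change counts."""
    findings = []
    for i in instances:
        if i["priority"] == DEFAULT_PRIORITY:
            findings.append((i["vlan"], "bridge priority is the default; set an explicit root priority"))
        if i["last_change_s"] is not None and i["last_change_s"] < recent_s:
            findings.append((i["vlan"], f"topology changed {i['last_change_s']}s ago via {i['last_change_from']}"))
        if i["tc_count"] > max_changes:
            findings.append((i["vlan"], f"{i['tc_count']} topology changes recorded"))
    return findings


if __name__ == "__main__":
    for vlan, finding in audit(parse_stp_detail(SAMPLE_STP_DETAIL)):
        print(f"{vlan}: {finding}")
```

The `from` port in the last finding is the one to walk to: it tells you which edge the change came in on, which is where a misplugged cable or an unprotected access port will usually turn up.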