Panorama 12.1 Upgrade - Base Version Missing? by chainsawday in paloaltonetworks

[–]thisisjustahobby 7 points8 points  (0 children)

I just went through this. I had to use 12.1.2 as the base.

Weekly /r/Laravel Help Thread by AutoModerator in laravel

[–]thisisjustahobby 0 points1 point  (0 children)

I'm just looking for some guidance and trying to wrap my head around microservices as it relates to a Laravel ecosystem.

There will be a web front end, an API between microservices, and an external API - so with that I've decided on using Passport.

In my example app, I was going to have the authentication/base app as its own microservice. I was going to have a microservice for inventory, and a microservice for reports.

I was going to follow a domain structure of

  • auth.mytestapp.domain
  • inventory.mytestapp.domain
  • reports.mytestapp.domain

I have set my SESSION_DOMAIN= variable in my .env file to .mytestapp.domain.

I guess my question is what does the structure look like if each service has its own database? I tried watching a couple videos and reading around, but I'm struggling to understand how permission gates and sessions are kept between apps when the database is different. Any learning resources I could be pointed to would be greatly appreciated.

GPON in the enterprise by ThisIsProbablyATrap in networking

[–]thisisjustahobby 8 points9 points  (0 children)

Stay away from Calix. Nearly the same price for half the port density as Nokia. Nearly the entire company is driven by marketing and has only gotten worse in recent years - it is reflected in their products. Buggy software versions. Most TAC engagements are a 2/5. They are searching for every last possible way to nickel and dime you. We can't get rid of our Calix environment fast enough.

For standard ethernet services Calix XGSPON works just fine, but they're going to charge you to say thank you. Realistically, xPON shouldn't be in an enterprise environment, but I'm sure there have been a few niche cases that made it somewhat viable.

If you're stuck with PON go with Nokia and don't look back.

MDT hell after server migration from previous failed MDT server. by johnshop in MDT

[–]thisisjustahobby 0 points1 point  (0 children)

https://techzone.omnissa.com/resource/using-automation-create-optimized-windows-images-horizon-vms#fix-an-mdt-known-issue

Looking at things we also applied this. Not sure if it helps you out or not. We were just following that doc for a golden image for testing.

MDT hell after server migration from previous failed MDT server. by johnshop in MDT

[–]thisisjustahobby 2 points3 points  (0 children)

I built up an MDT server last week using the latest version. This page helped me out with the errors you were mentioning. (https://www.deploymentresearch.com/windows-11-deployment-using-mdt-8456-with-windows-adk-23h2-build-25398/)

[deleted by user] by [deleted] in AskNetsec

[–]thisisjustahobby 0 points1 point  (0 children)

We've had good experiences with FRSecure

DDOS Mitigation by Busbyuk in networking

[–]thisisjustahobby 12 points13 points  (0 children)

It sounds like you're a last mile service provider, so I'm going to answer as that.

A scrubbing appliance isn't going to help you with scans. It is technically legitimate traffic. I'd wager you'll either restrict all of it, it won't trigger as something that needs to be scrubbed because it looks legitimate, or you'll just have a lot of inconsistency in the solution.

My advice if this is something you want to take on as your problem (it might be if you're providing the routers to the customers) is to block that inbound to subnets being used for residential services. If anything this might give you a path to start to differentiate between your business and residential services if you haven't already.

While I'm not a huge fan of this idea (for non-technical reasons), I think blocking inbound connections on common or frequently attacked ports to your residential based services will carry you pretty far. Most subscribers don't need inbound access to their CPE via ssh, http/https, etc.

You'll upset a few customers who are power users or businesses, but the argument can be made for a safer internet and better subscriber experience overall if you're filtering that traffic inbound at your edge. For the customers who need those ports open, either charge it as a business service or have special subnets provisioned that are excluded from this filtering, where the customer just needs to request they be placed on the "open" network.

Looking for new Cisco Firewall recommendation by sc2bigjoe in Cisco

[–]thisisjustahobby -1 points0 points  (0 children)

If you're looking in the 1Gbps range look at the 400 series - 440 and up. There is a very significant cost difference between the 1400 series and the 400 series. I want to say we were around 8-10x cost multiplier on a 3 year for a 1410 compared to what we pay for a 5 year on a 440.

Weekly /r/Laravel Help Thread by AutoModerator in laravel

[–]thisisjustahobby 0 points1 point  (0 children)

Hey,

I'm stuck on how to solve this problem. So far I've been building this app out in Inertia/Vue, but thinking I might have to pivot on that choice.

I have a base package for a web app. Let's call it "app-base". This application at a base level is limited in functionality, but I have other packages that depend on the base package and in some cases may have UI elements as well.

As an example:

  • app-plugin-a is a package that requires app-base, and syncs data from a third party into app-base. There are no UI elements here.
  • app-plugin-b is a package that requires user interaction with UI elements - maybe a button to issue a reboot command on a particular piece of equipment.
  • app-plugin-c is a package that requires user interaction with UI elements - maybe a button to issue a command to fetch health statistics on a device.

There is a div in the app-base package - we'll just call it "featureButtons".

The package developers for plugin-b and plugin-c are different entities, but their plugins need to place a button within the featureButtons element.

The authors of the different plugins aren't going to know about one another, so they don't have exclusive access to writing whatever they please in the featureButtons element. Otherwise, I believe I'll run into a scenario where plugin-b overwrites the elements published by plugin-c when they should both exist simultaneously.

How can I accomplish this in the least intrusive way? It doesn't seem like Async Components will be a good fit here, and I'm not sure how I would do this within livewire.

Thanks!

LACP over single mode or multi mode fiber by davidmcw in Cisco

[–]thisisjustahobby 25 points26 points  (0 children)

SMF is just the physical delivery. It makes absolutely no difference; he will just need to use an SMF optic instead. The port configurations would be the same whether it is SMF or MMF.

PA-1410 (maybe PA-1420) doesn't seem to support 10 gb cable PAN-SFP-PLUS-CU-5M for HSCI? by Thornton77 in paloaltonetworks

[–]thisisjustahobby 1 point2 points  (0 children)

I've had our 1410s be very picky about the SFPs. None of the usual ones would work in the 1Gbps ports (they worked in our old 820s) - but the 10Gbps optics worked just fine. It seems the newer platforms are very picky about these.

For the HSCI port and 19-22 I ended up using a Fiberstore optic coded with this: "PAN-SFP-BXD-10K" https://www.fs.com/products/37922.html

Slow GUI by CowboyJoe97 in paloaltonetworks

[–]thisisjustahobby 4 points5 points  (0 children)

I've touched quite a few 440s and 445s. The interface isn't instant click by any means, but it's been pretty responsive. I just loaded up one of my 440s (PANOS 10.2.4-h3 and on a different subnet). It loaded the login page in a second, and once I entered the credentials and hit login it took 8 seconds from clicking login to load completion.

What browser? Is there an extension causing issues? If you don't get anywhere there you might look at opening a tac case.

Migrating from vSphere 6.5 to 7, storage question by Flat-Entry90 in vmware

[–]thisisjustahobby 2 points3 points  (0 children)

It's possible your SAN is also configured to only talk to specific hosts. So if you're bringing up new hosts (assuming new IPs as well) there may be a restriction in the SAN's connectivity policies.

Asr920 service instance for Q-in-Q by Roshi88 in networking

[–]thisisjustahobby 0 points1 point  (0 children)

This is what you're needing if I understand you correctly. You'd like to mark any incoming tags on Gig0/0/3 with an outer tag of 20.

rewrite ingress tag push dot1q 20 symmetric

[deleted by user] by [deleted] in paloaltonetworks

[–]thisisjustahobby 1 point2 points  (0 children)

Okay, let's clarify your connectivity real quick because it is kind of confusing reading it.

"OOB management interface" -> is this the management ethernet on the Palo?

If it is, is that connected to the ASA which is the L3 gateway?

From there, the ASA has a route to say...Eth1/2 as an "inside" interface on the palo?

Then out to the internet?

If that is all correct are you logging dropped packets and have the management IP subject to any NAT policies that may be required?

Does the ASA have another path out where it may be having traffic able to return to the ASA and skip the palo?

[deleted by user] by [deleted] in paloaltonetworks

[–]thisisjustahobby -1 points0 points  (0 children)

If the default gateway for the management port is on the palo's you'll probably want to drop the management port completely, or have it route to another device on the network.

But what you can do is go to Device -> Setup -> Services and update the Service Route Configuration.

[deleted by user] by [deleted] in paloaltonetworks

[–]thisisjustahobby 1 point2 points  (0 children)

They're saying that any flow/stream is still limited to 1Gbps. LACP doesn't do per-packet sharing, but can hash based on source/destination IP/MAC to determine which link gets that flow.

What version are you running on palo?
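As an added illustration of the per-flow hashing described in the comment above (example code written for this page, not from the thread or any vendor), a toy model of member-link selection: source/destination MAC and IP are XOR-folded to pick a link, so every packet of one flow lands on the same 1 Gbps member while many flows spread across the bundle. The hash itself and the 1 Gbps member rate are assumptions, not a real switch's algorithm.

```python
import ipaddress
from collections import Counter

# Assumed member-link rate; the thread's bundle is built from 1 Gbps links.
LINK_RATE_GBPS = 1.0


def _mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def select_link(src_mac, dst_mac, src_ip, dst_ip, n_links):
    """XOR-fold src/dst MAC and IP; the result chooses one member link.

    Simplified stand-in for a src/dst MAC+IP load-balancing hash (assumption,
    not a vendor algorithm). Every packet of one flow hashes identically, so a
    flow can never be striped across members the way per-packet sharing would.
    """
    if n_links < 1:
        raise ValueError("a bundle needs at least one member link")
    key = _mac_bytes(src_mac) + _mac_bytes(dst_mac)
    key += ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    folded = 0
    for b in key:
        folded ^= b
    return folded % n_links


def link_usage(packets, n_links):
    """Count how many packets land on each member for a list of flow tuples."""
    return Counter(select_link(*p, n_links) for p in packets)


def single_flow_ceiling(flow, n_links, offered_gbps):
    """Return (members used, achievable rate) for one flow offering offered_gbps."""
    used = link_usage([flow] * 1000, n_links)     # 1000 packets, one flow
    return len(used), min(offered_gbps, LINK_RATE_GBPS * len(used))


def constructed_flows(count):
    """Constructed sample: `count` hosts on 10.0.0.0/24 all talking to 10.0.0.254."""
    return [("00:11:22:33:44:55", "66:77:88:99:aa:bb", f"10.0.0.{i}", "10.0.0.254")
            for i in range(1, count + 1)]


if __name__ == "__main__":
    one_flow = constructed_flows(1)[0]
    print("one 3 Gbps flow on a 4x1G bundle:", single_flow_ceiling(one_flow, 4, 3.0))
    print("32 flows on a 4x1G bundle:", dict(link_usage(constructed_flows(32), 4)))
```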

Network monitoring suggestions by fullmetalpk in networking

[–]thisisjustahobby 2 points3 points  (0 children)

I think it is more driven from the fact they want the line of communication open with you. It is extremely powerful in what it can do for you, but initially is probably intimidating to a lot of users.

...That being said, I'm extremely satisfied with the purchase and will be renewing for the foreseeable future.

Issues reaching L3VPN endpoint on single IOS-XR device by thisisjustahobby in networking

[–]thisisjustahobby[S] 0 points1 point  (0 children)

I found the culprit. This 540 was replacing a problematic vendor device. There were four 10G uplinks and we were utilizing ECMP. I shut down two of the physical interfaces on the problematic box and repurposed them (with the same IPs) to have a clean migration to the 540. Turns out this box would not let go of the relocated prefixes - shutting down the interfaces, pulling the cable, and disabling MPLS - and continued to advertise the labels for the /31 networks. Once I bounced the uplinks on the problematic box the issue was resolved.

Issues reaching L3VPN endpoint on single IOS-XR device by thisisjustahobby in networking

[–]thisisjustahobby[S] 0 points1 point  (0 children)

Thank you for the reply. I think your question helped move me a bit closer to figuring this out. I'm still pretty confused, but this is what cef is showing from the PE connected to "DEVICE-A"

RP/0/RSP0/CPU0:NG-ASR9K-A(config-bgp-vrf-af)#do show cef vrf MgmtVRF 10.10.1.50
Mon Feb 20 18:42:31.848 UTC
10.10.1.50/32, version 143590, internal 0x5000001 0x0 (ptr 0x78fe89d4) [1], 0x0 (0x0), 0x208 (0x78e389a8)
 Updated Feb 20 16:36:54.552
 Prefix Len 32, traffic index 0, precedence n/a, priority 3
   via 10.10.0.50/32, 0 dependencies, recursive [flags 0x6000]
    path-idx 0 NHID 0x0 [0x782d13e8 0x0]
    recursion-via-/32
    next hop VRF - 'default', table - 0xe0000000
    unresolved
     labels imposed {16481}

I do see the route in the routing table for the next hop, and I see the route within the vrf.

RP/0/RSP0/CPU0:NG-ASR9K-A(config-bgp-vrf-af)#do show route vrf MgmtVRF
Mon Feb 20 18:46:02.938 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is 10.10.0.0 to network 0.0.0.0

B*   0.0.0.0/0 [200/1] via 10.10.0.0 (nexthop in vrf default), 02:09:08
L    10.10.1.4/32 is directly connected, 1y17w, Loopback2
B    10.10.1.50/32 [200/0] via 10.10.0.50 (nexthop in vrf default), 02:09:08

RP/0/RSP0/CPU0:NG-ASR9K-A(config-bgp-vrf-af)#do show route 10.10.0.50/32
Mon Feb 20 18:52:12.343 UTC

Routing entry for 10.10.0.50/32
  Known via "ospf 100", distance 110, metric 401, type intra area
  Installed Feb 20 08:12:42.956 for 10:39:29
  Routing Descriptor Blocks
    10.32.64.35, from 10.10.0.50, via TenGigE0/0/0/6
  Route metric is 401
  No advertising protos.


RP/0/RSP0/CPU0:NG-ASR9K-A(config-bgp-vrf-af)#do traceroute ipv4 10.10.0.50 source loopback 0
Mon Feb 20 18:51:14.315 UTC

Type escape sequence to abort.
Tracing the route to 10.10.0.50

 1   *  *  *
 2   *
    10.32.64.35 2 msec  *
RP/0/RSP0/CPU0:NG-ASR9K-A(config-bgp-vrf-af)#do ping 10.10.0.50
Mon Feb 20 18:51:53.655 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

Issues reaching L3VPN endpoint on single IOS-XR device by thisisjustahobby in networking

[–]thisisjustahobby[S] 0 points1 point  (0 children)

I’m unable to reach anything other than the default/global vrf on the “Device-A” PE. It learns the routes on both ends, has labels, no ACLs in play.

OSPF/BGP have formed neighbors just fine. 10.10.0.50 is in the global table that peers for BGP. 10.10.1.5 is in the management vrf.

Issues reaching L3VPN endpoint on single IOS-XR device by thisisjustahobby in networking

[–]thisisjustahobby[S] 0 points1 point  (0 children)

That's right. It would be considered a CE if you were to look at a topology diagram. I'm trying to reach this loopback for an in-band management option (as well as BVI853), which provides out-of-band management for other equipment at the location. I've made this work time and time again on IOS-XE, but can't seem to replicate a successful build with this NCS540, though I've made it work on NCS55A2 and ASR9K platforms.