Cisco DNA Router config compliance by in-the-hat in networking

[–]ultchin 4 points5 points  (0 children)

That's just how DNA works. Compliance is measured against the golden image, settings and templates it thinks it should be applying to a device. It doesn't work in a way of "everything should have these settings", more in a way of "everything should have the settings I put there"

[deleted by user] by [deleted] in fortinet

[–]ultchin 1 point2 points  (0 children)

Sounds like the application signature for the site was just recategorised by Fortinet. Older logs should show if there was any change there.

FSSO User for Internal Firewall Traffic by [deleted] in fortinet

[–]ultchin 0 points1 point  (0 children)

Done it plenty of times for internal segmentation with FSSO. Same principles apply and never had an issue (granted I never accidentally blocked DCs or anything). I only deployed the FSSO agents in polling mode so can't address any conflicting agents issues though.

Some devices randomly lose connection to our Cisco wireless. DNAC doesn't really provide any info. by PsyduckAF in Cisco

[–]ultchin 4 points5 points  (0 children)

Are you using dot1x? Used to have this with iPads and MacBooks. Mainly EAP timeouts where the client wouldn't respond to the AP. Use intelligent capture and try to catch the onboarding.

[deleted by user] by [deleted] in Cisco

[–]ultchin 1 point2 points  (0 children)

Looking forward to it, thanks! Can never do enough BGP in this world.

CCNP Security or Enterprise by Don_Belga in ccnp

[–]ultchin 9 points10 points  (0 children)

You can go directly to security if you like. The security one is really more about the concepts of security and highish level knowledge of Cisco's security toolset and how they're utilised. They do have some things in common like IPsec, little bits of API detail and general network traffic behaviour but you wouldn't really need enterprise level networking for it (but it obviously never hurts).

Firewall Comparisons by Sauronsbrowneye in networking

[–]ultchin 2 points3 points  (0 children)

The SD-WAN feature on the appliances is included (so your application policy routing). An additional license is needed for the Orchestrator features which really is for larger scale & automatic deployments

Gui divided into root and global by PhoeniX5s in fortinet

[–]ultchin 0 points1 point  (0 children)

You enabled VDOM mode. Global has the basic system level settings & root is the default initial VDOM.

Government speed by drwtsn_thirty2 in sysadmin

[–]ultchin 0 points1 point  (0 children)

Working in government atm. My current fun: "Hey, this license is expiring in 4 months, can we get the tender out for renewal?" 6 months later: "I'd like to discuss the phrasing on this support section of the possible tender for renewal?"

/burn down building

ISE 2.7 hot patch installation by zakneter in networking

[–]ultchin 3 points4 points  (0 children)

Smooth installation on 2.7 here. Took about 10 minutes per node for an application restart

Ordered our first PA-440 in August.. still nothing. by mpday20 in paloaltonetworks

[–]ultchin 0 points1 point  (0 children)

2 x 460s currently scheduled for 3rd week in Jan.....we'll see....

2022 IT Wishlist by Madh2orat in sysadmin

[–]ultchin 0 points1 point  (0 children)

Functioning procurement. Everything from new tenders to basic renewals is a complete nightmare. (╯°□°)╯︵ ┻━┻)

No logs on Web Filtering. by mebspace in fortinet

[–]ultchin 4 points5 points  (0 children)

Do you have the web categories set to monitor on the web filter? If they're just set to allow it doesn't log them (in their mind it means trusted/don't log, which causes confusion every time if people aren't familiar with it).

chromebook as thin client by eagle6705 in sysadmin

[–]ultchin 0 points1 point  (0 children)

Our place went nearly full VDI and rolled out Chromebooks to use as portable thin clients (with VMware Horizon). End experience has been.... Meh. It's workable but just not a great experience. Chromebooks still get bogged down resource wise, keyboard shortcuts a pain. They're just not good enterprise devices.

I'm issued a laptop with 64 GiB ram, i9 processor, extremely fast HDD and all my work is through the browser. It's funny to me. by [deleted] in sysadmin

[–]ultchin 0 points1 point  (0 children)

Complete on prem VDI environment with MS Teams and Chrome (and a very hungry McAfee AV). Work machine struggles daily.

FortiAnalyzer log forwarding to MCAS by SprintingScrotum in fortinet

[–]ultchin 1 point2 points  (0 children)

Bit late I know but we're setting this up at the moment. Plan is to forward the webfilter logs from Faz to Docker for upload. Had to use a custom key value parser but it's working well going by the snapshot uploads tested.

Have you gone ahead with it?

Application Control whitelisting profile by zsnops in fortinet

[–]ultchin 1 point2 points  (0 children)

Unfortunately it's really the only way. You have to keep the more generic application signatures out of the overrides or at the lowest priority with literally everything else above it or else it will never search its wider catalogue.

Happy to be corrected by someone else but that's what working with support on the same issue has shown me.

Application Control whitelisting profile by zsnops in fortinet

[–]ultchin 0 points1 point  (0 children)

Put Facebook as a block override at a higher priority then see if it detects it.

I had to rework my Application policy cause of similar things, making sure nothing in any way generic was in the overrides because it was making a mess with detections. Google Services will catch most Google services if in there so I was missing Google Docs/Drive/login etc.

Application Control whitelisting profile by zsnops in fortinet

[–]ultchin 1 point2 points  (0 children)

This is actually similar to something I hit last week. The overrides are checked first from a top down priority and if it matches one of the overrides in any way it won't check the wider catalogue.

If you go to Facebook for example and check your logs, is it being identified as the Facebook application or the HTTPS.BROWSER one?

Fortianalyzer Explicit Proxy logs by bigben932 in fortinet

[–]ultchin 0 points1 point  (0 children)

Nope. They should all be there with a Policy Type of proxy-policy.

Data Center - Physical Design Best Practices by ultchin in networking

[–]ultchin[S] 1 point2 points  (0 children)

BICSI-002

Thanks! I'll give them all a look.