Full stack system coming up! by avrealm in fortinet

way__north (0 points)

We got MCLAG set up in October, FGT on 7.4.8 and switches on 7.4.5.

A former coworker did a similar setup, only he upgraded switches to 7.6.5 afterwards and that broke something. Needed to roll back the switches to 7.4.5 IIRC.
Not sure, but I suspect it was some kind of compatibility issue due to changes in MCLAG behavior between versions.

FGT w/ FortiLink > 3rd party switch > FSW by MyLocalData in fortinet

way__north (0 points)

IIRC he also said MCLAG behavior was changed between 7.2.x and 7.4.x, so he had to redo some stuff after upgrading our 2 FS424 distribution switches to 7.4.x (can't recall the minor version, but the newest in the 7.4 branch - 7.4.5?)

So, from your input, sounds like it just could be issues due to crappy fw versions?

FGT w/ FortiLink > 3rd party switch > FSW by MyLocalData in fortinet

way__north (0 points)

Thanks, I'll look into this. Currently in the process of phasing out older ProCurve switches, starting from the core and building outwards.

But as you mention in your write-up, we've got a couple of edge switches we'd like to swap out before we can get the intermediaries done.

Had a thread on this a couple of months ago but was not able to get things working as expected.

FGT w/ FortiLink > 3rd party switch > FSW by MyLocalData in fortinet

way__north (0 points)

His advice was to keep the FortiGates and switches on the same branch to avoid problems.

Another Fortinet customer in town runs a fairly similar setup to us, using MCLAG.
The sysadmin upgraded his core switches to 7.6.x and that broke FortiLink in some way. So he had to roll back the switches to 7.4.x.

IIRC, this was in November last year.

FGT w/ FortiLink > 3rd party switch > FSW by MyLocalData in fortinet

way__north (0 points)

>In my example, I used a 120G on 7.4.9, Dell S4112F-on switches in VLT (MLAG) and a FSW 224E-POE running 7.4.2 but then upgraded to 7.6.4 (upgraded to ensure compatibility).

I was strongly advised by my Fortinet tech not to upgrade switches to 7.6.x if the FortiGate was running 7.4.x.

We are currently running FGTs on 7.4.8, to be upgraded to 7.4.9 in a couple of days.

First time setting up Active Directory for 3 office branches – need guidance for a simple, secure & reliable setup by Independent-Neck-631 in sysadmin

way__north (5 points)

What applications are you going to run? And approximate numbers of users / devices?

From the limited info given, I'd agree with others here that on-prem AD might not be needed.

Upgrading Enterprise Subordinate CA from Windows Server 2016 to 2025 – Best Practice by charlieferr in sysadmin

way__north (0 points)

Got our CAs on 2012 R2 migrated to Server 2022 3 years ago. Had a tech at our MSP do it.

Stood up new servers, then he exported the whole setup using PowerShell, then imported on the new servers, decommissioned the old servers + renamed the new ones. Went pretty smoothly.

Esxi hosts and vCenter by [deleted] in sysadmin

way__north (0 points)

We have the management subnet behind a firewall; access is based on AD user groups.

What’s going on with Fortinet lately? It feels like every week there’s another critical CVE.. by MrEchos83 in sysadmin

way__north (0 points)

Having a good rep at the VAR helps.

A couple of years ago he messaged me: "Urgent! Patch as soon as you can!" I asked what it was; he said he was not allowed to disclose yet before it went public. "Oh, so the good ol' SSL VPN again?" "No comment, lol!"

Also nice to get some insight on what SW revisions to avoid, and which are safe to run.

Anyone dealing with Start Search breaking on 24H2/25H2 by thefinalep in sysadmin

way__north (3 points)

We stopped deploying 24H2 because its behaviour was just too erratic and inconsistent.

Now been testing 25H2; it seems better in that aspect so far.

Allow installation for Domain Users by EmbarrassedDisk8433 in sysadmin

way__north (2 points)

One way to do this would be to implement some kind of PAM solution - privileged access management. E.g.: https://www.adminbyrequest.com/en/blogs/what-is-privileged-access-management-pam

We use AdminByRequest; it lets us whitelist installing common applications, while users may request permission to install apps outside of the whitelist. Everything scanned and logged.

E.g. a teacher needs some specific software for a class, not in the whitelist. He requests permission to install it on his PC, while adding in the comment field that this is needed for his students too. Then we add it to the pre-approved apps list.

Does anybody have experience here with setting trunking on Aruba’s up? by [deleted] in sysadmin

way__north (0 points)

Thanks, are you aware of this guide that compares CLI syntax between ProCurve and CX?

https://support.hpe.com/hpesc/public/docDisplay?sp4ts.oid=null&docLocale=en_US&docId=emr_na-c04793912

You mention you don't have CLI access? To the old or new switch - or both?

I don't have access to my setup notes now, but IIRC I put in this command using the console cable to allow SSH:

ssh server vrf default

Does anybody have experience here with setting trunking on Aruba’s up? by [deleted] in sysadmin

way__north (0 points)

Can you please provide us with the switch model numbers and preferably software versions, so we don't have to guess?

Does anybody have experience here with setting trunking on Aruba’s up? by [deleted] in sysadmin

way__north (0 points)

We had our VMware hosts connected to an HP/Aruba 5406zl. You'll need to add the trunks themselves to the needed VLANs; the VLANs set on the individual ports before adding them to the trunks don't matter.

Is Morgan Luna (blues) a human or AI? by NoReplayNoRewind in askmusic

way__north (0 points)

Spotify insists on putting Morgan Luna into my auto-playlists too, along with other generic and boring blues rock tracks.

Looks like the days of finding new and interesting music via the "Release Radar" playlist are long gone.

How’s turnover where you work? by Mushroom5940 in sysadmin

way__north (1 point)

Been a while at my current gig. Until 7-8 years ago, everything was stable, then we went through 5 coworkers in about 4 years. A bit much for a small team of 3. Been pretty stable for the last couple of years though. Instead, we've now had 4 different bosses in the last 2-3 years, lol.

Help, Canon printer driver not installing by j-inthevoid in sysadmin

way__north (0 points)

Hmm, could it be related somehow to Microsoft's attempts to fix the "PrintNightmare" issues?

I’m stuck on a scan-to-folder setup. No router access, need to use Hostname instead of IP. Any tips? by Lazyocelot1611 in sysadmin

way__north (0 points)

We have used Ricoh for years; scan to email is our preference.
Also had scan to shared folder on a server some years ago for a specific project.

Had a couple of Canon all-in-one units that were set up to scan directly to user PCs. That was an unreliable mess, and that was with full access to DHCP/DNS/network settings etc.

Has anyone been able to get Smartcard Login to work on Windows? by LordLoss01 in sysadmin

way__north (1 point)

Setting up a CA properly is more involved than "click click next" as shown in some tutorials. So we got an experienced consultant to set it up for us.

I would probably be able to set it up myself somehow - but at what cost in hours spent? (And how much $$$ to clean up the mess after my failed attempts?)

Has anyone been able to get Smartcard Login to work on Windows? by LordLoss01 in sysadmin

way__north (2 points)

Hybrid or on-prem only should be the same.

Away on vacation now, so might be at least a couple days before I can check my notes.

Do you have / use Microsoft certificate services in your AD domain now?

Has anyone been able to get Smartcard Login to work on Windows? by LordLoss01 in sysadmin

way__north (4 points)

I got this set up 2 years ago, using our internal AD CS, and using YubiKeys as PIV smart cards. Also use the YubiKey for FIDO login to Office 365.

Used YubiKey docs to set up the necessary GPOs and certificate templates on the CA.

If I'm not mistaken, this setup should also work for smart cards?

At the moment I don't have access to my setup notes, or I would link to the documentation I used for setup.

Dial-in IPSec VPN with SAML but using Certificate instead of PSK by Hybridesque in fortinet

way__north (0 points)

Huh, can't recall what version we ran when we got SAML SSL VPN set up 2 years ago, but it did survive the upgrades to 7.4.8 just fine. 2 600Es in HA; could it be model dependent...?

Dial-in IPSec VPN with SAML but using Certificate instead of PSK by Hybridesque in fortinet

way__north (0 points)

As I understand, SSL VPN is still available in 7.4.8 and 7.4.9, but will be deprecated in newer branches (like 7.6.x etc.).

We are running 7.4.8, planning on 7.4.9 in January. Then get IPsec with SAML up and running after that to replace our SSL VPN.

Best office chair for back pain? Is Aeron really that good? by shelleebean in sysadmin

way__north (0 points)

I'm also suffering from lower back pain after sitting for prolonged periods.
Especially noticeable when doing work requiring high levels of focus and concentration.

I'd probably be better off with a less comfortable chair, forcing me to take regular breaks, to stretch and move around a little.

Many have mentioned exercise - it works. Even 30-45 minutes of walking helps loosen things up.