Blogpost Friday! Networking
- Blogpost Friday!
- Follow-up on "Spectrum is rate limiting VOIP/SIP traffic (port 5060)". Spectrum has admitted guilt and fixed the issue.
- ASA cannot ping/recognise device connected directly to it
- Burnout Advice
- Simulating Network Latency, Bandwidth and Packet Loss with a Raspberry Pi
- Dual routers with HA firewalls
- Interviewed for Jr. Network Engineer Position... guidance?
- Zoom audio vs video, two separate streams?
- TCL or Bash script on ISP IPv6 PD Change
- NPS, EAP, Intune, PKCA, Unifi, WPA2 Enterprise
- Weird Ethernet header trailer field
- CoPP is knackering my transfer speeds, however IOS-XE ain't friendly to re-configure
- Certificate setup / understanding
- Ruckus ICX7450 QoS setup
- Tunneled EAP (EAP-TEAP) - Has anyone deployed this across wired/wireless successfully?
- BGP path question
- 10G Network - LAN speeds are great, WAN up speeds are bad (head scratcher)
- Limiting DHCP to a single address on UNI Port
- NetDevOps 2022, what are you guys using today
- Securely Separating Networks inside a DC
- Routing question
- How to manage A LOT of locations?
- Network Monitoring Criteria...not tools
- Fusion Splicing
- Bluetooth Console Adapters
- Security Appliance stuff - Looking for better NIDS/NIPS/reporting/analytics than what came with Sonicwall
Blogpost Friday!
Posted: 31 Mar 2022 05:00 PM PDT
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts. Feel free to submit your blog post, as well as a nice description, to this thread. Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
Follow-up on "Spectrum is rate limiting VOIP/SIP traffic (port 5060)". Spectrum has admitted guilt and fixed the issue.
Posted: 31 Mar 2022 10:08 AM PDT
Follow-up to this post: https://old.reddit.com/r/networking/comments/t8nulq/spectrum_is_rate_limiting_voipsip_traffic_port/

This was actually fixed about two weeks ago but I've been super busy. My client spent thousands of dollars ($8-$10K?) of billable time to troubleshoot, work around, and ultimately fix this problem. The trouble started in early November. We called Spectrum for help immediately, because we knew exactly what had changed: they replaced our cable modem and it broke our phones. It took four months to get this resolved.

Dozens and dozens of calls. Hours and hours on hold. I cannot express how worthless Spectrum support was. All attempts at getting the issue escalated were denied. Phone agents lied, saying they had opened dispatch requests when they had not. I was hung up on countless times. We were told it was impossible for this kind of problem to be Spectrum's fault, over and over and over. Support staff engaged in tasteless blame shifting, psychological abuse, and a disturbing level of intentional human degeneracy that deserves no reservation of scorn. At no point did anyone I ever interacted with display the technical competence to flip a burger properly, never mind meet a level of sub-CCNA aptitude to understand anything I was telling them.

The one exception to my criticism of Spectrum's anti-support was the local technicians who came on-site to replace equipment. While it was obvious they were disempowered/neutered by Spectrum's corporate culture, they were respectful, patient, and as helpful as I think they could have been. I will reserve any further praise for them, however, for I'm sure they would be promptly fired should it be known by corporate that I had anything positive to say.

What it took to get Spectrum to finally fix it? Going to social media and publicly shaming them and dropping F-bombs in people's mailboxes until someone in corporate noticed.

Excerpts from my conversations with Spectrum:

"I can relay that the engineers identified a potential provisioning error that likely caused the issue you first identified, and they are investigating a fix."

"I get the impression that they were planning to push an update to the modem to correct the provisioning error. This should solve the VOIP / SIP traffic issue. I will provide an update when I have more information."

"I just received an update from the network team. They identified the provisioning error on the modem that impacted VOIP traffic and corrected the error. We ask that you reboot the modem and test to ensure that VOIP traffic is no longer impacted. Once you are able to reboot and test, kindly let us know the result."

We rebooted the cable modem and the rate-limit is totally gone now. Inbound port 5060 behaves like all other ports. I would be interested in knowing what other strange and interesting ways Spectrum is manipulating traffic.
ASA cannot ping/recognise device connected directly to it
Posted: 01 Apr 2022 04:27 AM PDT
We have 2 firewalls in our network, the ASA as our external and the internal Sophos for all the grunt work (not my design). Both had been working fine till a few days ago. We recently moved a few of our links (servers and networking devices) to our core switch and now our ASA cannot ping or recognise our Sophos. Both are directly connected to each other and are on the same network, 192.168.1.0/24. Traffic from our LAN passes through Sophos first, then to our ASA, then to the internet. Internet and our network are working just fine however. What's weird is Sophos can ping ASA but not the other way around. All devices can ping the firewalls. All ports on the core switch with our new links have the same VLAN and port configurations as the previous switch they were on. Does anyone have an idea what the problem could be? Any help would be greatly appreciated.

Note: I'm not sure if us moving our links was the reason for this issue, but it started after we did.
Burnout Advice
Posted: 31 Mar 2022 06:35 AM PDT
Hey all, looking to see how you all deal with burnout? Right now, I have zero motivation after spending the past 6 - 8 months busting my ass to bring in and implement new technologies in my org. I know what I HAVE to do, but right now I am having a hard time finding the drive. Call it depression, call it exhaustion, call it laziness; ultimately it's a feeling that I need gone and I am having an extremely hard time shaking it. There are external factors as well; wife's grandma passed and as an organization we anticipate either joining forces or being absorbed (not sure what my fate looks like after that) so I'm sure that's weighing as well. Just looking for some life advice; I love what I do and I hate not having the motivation to keep moving forward.
Simulating Network Latency, Bandwidth and Packet Loss with a Raspberry Pi
Posted: 31 Mar 2022 07:16 PM PDT
I can't even count how many times I've needed to simulate a real network to test with. Ethernet in the lab is great, but it in no way simulates the real world - it is either working flawlessly or completely down. About the best I used to be able to do was pair together a couple of Cisco routers with 56k CSU/DSUs linking them! What about in between? You know, the network conditions that really test how good your SD-WAN solution is, or test how well the developers did recovering from TCP send() not accepting any more packets due to congestion?

Luckily Linux offers the Traffic Control (tc) tool. It creates Queuing Disciplines (qdisc) on a per-interface basis. tc adds delay, packet loss, duplication and other characteristics to packets outgoing from a selected network interface. Outgoing is important! For example, if you add a latency of 100ms, it will only add the 100ms latency in one direction. The ping time (round trip time - RTT) will be 100ms, but only because in one direction the latency is 100ms, and in the opposite direction no latency is added. If you want to add a true 100ms of latency in both directions, you would have to configure 50ms on both interfaces in the bridge.

For this test I used a Raspberry Pi running Kali Linux, using the built-in ethernet (eth0) to connect upstream to my ISP, and a USB Ethernet adapter (eth1) to connect to the host I am performing the test from. The first step is to bridge the interfaces together. In essence we are making a poor man's 2-port ethernet switch.

Before we get started, it's best to know how to disable any of the queuing disciplines we are configuring. It is very possible to make the network so poor that SSH'ing into the Pi is not possible. This command disables tc on both eth0 and eth1.

Basic Latency

Let's add 50ms of latency in both directions, first 50ms in one direction, and then 50ms in the other direction, and then disable:

You can see I am pinging my default gateway, 192.168.200.1, with a 1ms RTT time. When I add in the 50ms delay on eth0, the RTT time goes to 50ms; add another 50ms delay to eth1, and RTT increases to 100ms (50ms in each direction). When the qdiscs are removed from both eth0 and eth1, the latency returns to normal.

Add Varying Latency

Adding a set latency isn't all that realistic - latency can increase and decrease - otherwise known as jitter - a deviation from a periodic signal - which is especially important in VoIP. To create a qdisc with a 100ms +/- 40ms latency, use the following commands:

You can see here the latency is roughly between 60 and 140 ms.

Limiting Bandwidth

Emulate asymmetrical bandwidth by implementing a 10 Mbps upload speed, 50 Mbps download speed with the following tc commands:

Packet Loss

Packet loss can also be set with tc. In this example, we will drop 25% of the packets in both directions.

Packet Corruption

Packet corruption can also be emulated with tc. Multiple tc options can be used simultaneously. For example, you can add in jitter, with bandwidth restrictions and packet loss:

As you can see, you all of a sudden can create any sort of WAN anomaly on the fly. I have used this many times to test out vendors' SD-WAN solutions to see what sort of scenarios they can overcome. I have been very impressed with some vendors' ability to overcome the worst possible WAN conditions. And I have been shocked that some vendors are in business when I see how poor their product operates in degraded situations! tc has many, many more options than what was just covered here, and there are plenty of outstanding resources on the internet. The examples covered here are 90% of what I use, with the exception of the tc option of changing the order of packets.
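The tc commands the post refers to did not survive extraction, so here is an added example (my own script, not the post's commands) that puts the same tc/netem operations into one small POSIX shell script for the two-NIC bridge described above. It assumes the interface roles from the post (eth0 toward the ISP, eth1 toward the test host) and a bridge named br0, both overridable through the environment, and it uses netem's own rate option for the bandwidth cap rather than a separate tbf qdisc. Because netem shapes egress only, the helpers split a target RTT across both interfaces and apply a degraded-WAN profile to both sides, which is exactly the direction point the post makes. Run it as root on the Pi; with DRY_RUN=1 it only prints the commands, which is a safe way to review a profile before applying it to the box you are SSH'd into.

```shell
#!/bin/sh
# wanemu.sh: tc/netem helpers for a two-NIC Raspberry Pi bridge (added example,
# not the post's own commands). eth0/eth1/br0 are assumed names; override them
# via the environment. DRY_RUN=1 prints commands instead of running them
# (the real thing needs root and the sch_netem kernel module).

UPLINK=${UPLINK:-eth0}      # assumed: built-in NIC facing the ISP
DOWNLINK=${DOWNLINK:-eth1}  # assumed: USB NIC facing the host under test
BRIDGE=${BRIDGE:-br0}       # assumed bridge name

# Run a command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Turn the Pi into a poor man's two-port switch (the "bridge the interfaces" step).
bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$UPLINK" master "$BRIDGE"
    run ip link set "$DOWNLINK" master "$BRIDGE"
    run ip link set "$UPLINK" up
    run ip link set "$DOWNLINK" up
    run ip link set "$BRIDGE" up
}

# Escape hatch: remove the root qdisc from both interfaces. tc reports an
# error when no qdisc is installed, which is harmless here.
clear_all() {
    run tc qdisc del dev "$UPLINK" root || true
    run tc qdisc del dev "$DOWNLINK" root || true
}

# Install (or replace) a netem qdisc on one interface. Remaining arguments go
# straight to netem: "delay 100ms 40ms", "loss 25%", "corrupt 1%", "rate 10mbit".
# netem acts on egress only.
netem() {
    dev=$1
    shift
    run tc qdisc replace dev "$dev" root netem "$@"
}

# Apply the same netem options to both sides of the bridge.
both() {
    netem "$UPLINK" "$@"
    netem "$DOWNLINK" "$@"
}

# netem only delays egress, so a target RTT is halved and applied to each
# interface: symmetric_delay 100ms -> 50ms per direction.
symmetric_delay() {
    ms=${1%ms}
    both delay "$((ms / 2))ms"
}

# Asymmetric bandwidth: the cap on the ISP-facing side limits upload, the cap
# on the host-facing side limits download: asymmetric_rate 10mbit 50mbit
asymmetric_rate() {
    netem "$UPLINK" rate "$1"
    netem "$DOWNLINK" rate "$2"
}

# Everything at once: degraded_wan 100ms 40ms 5% 10mbit (delay, jitter, loss, rate)
degraded_wan() {
    both delay "$1" "$2" loss "$3" rate "$4"
}

# Command-line use: ./wanemu.sh bridge | clear | delay 100ms | jitter 100ms 40ms
#   | rate 10mbit 50mbit | loss 25% | corrupt 1% | combo 100ms 40ms 5% 10mbit
case "${1:-}" in
    bridge)  bridge_up ;;
    clear)   clear_all ;;
    delay)   symmetric_delay "$2" ;;
    jitter)  both delay "$2" "$3" ;;
    rate)    asymmetric_rate "$2" "$3" ;;
    loss)    both loss "$2" ;;
    corrupt) both corrupt "$2" ;;
    combo)   degraded_wan "$2" "$3" "$4" "$5" ;;
esac
```

Keep `./wanemu.sh clear` handy: if a profile makes the bridge unusable, it removes the qdiscs, and since nothing here is persisted, a power cycle of the Pi also returns both interfaces to normal.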
Dual routers with HA firewalls
Posted: 31 Mar 2022 03:41 PM PDT
How would/have you deployed dual routers with HA firewalls running in active-standby? Cisco ASR and Fortigate firewalls. Currently have po1 configured on RTR1 & RTR2 with a /30 assigned to each. LAG1 & LAG2 are configured on the firewall with port1 & port2 assigned to each LAG respectively. Port-channel/LAG is configured with LACP, both sides set to active.

LAG1 (FW01 Port 1, FW02 Port 2) 1.1.1.1/30
RTR1 Po1 (gi0/0/0, gi0/0/1) 1.1.1.2/30

IPs on the firewall are shared between primary/standby and have a virtual MAC address so it doesn't change during failover. What we are seeing is the links in the port-channel connected to the standby firewall are showing as suspended and causing a delay during failover as the links join the port-channel. Is there a better way to do this, or to reduce the delay in failover?
Interviewed for Jr. Network Engineer Position... guidance?
Posted: 31 Mar 2022 08:56 AM PDT
I currently work for an MSP; I just interviewed this morning for a Jr. Network Engineer role for another MSP. Working with Cisco Meraki, HP Aruba and other networking technologies. My responsibilities will be assisting the two Senior Network Engineers and alleviating their workload. My interview must have made a great impression; I sent a follow-up email less than an hour ago and received an email back from the VP asking to have lunch tomorrow. With that said... What are the most reliable training aids for Cisco Meraki networking equipment, Cisco Wireless equipment and HP Aruba equipment and anything in that nature? Such as labs, training aids, videos, etc? I want to review some information this evening on what we went over today so I have a better position tomorrow to talk about the network gear. Also any other pointers in regard to this follow-up meeting would be exponentially wonderful and appreciated. Thank you!

Edit: Cisco is a noun, not an acronym.
Zoom audio vs video, two separate streams?
Posted: 31 Mar 2022 07:23 PM PDT
I'm using OpenMPTCPRouter on multiple cellular connections. It does Multipath TCP. In other words, it aggregates a few weak cellular links into a single better one. Now, when doing a Zoom live stream, audio is good, with no problems. Video, however, is choppy. I'm expecting that audio goes through the TCP channel but video perhaps not? I'm not sure if my current OpenMPTCPRouter configuration allows UDP traffic to go through the same VPN as TCP. The question is - does Zoom have separate streams for audio (TCP?) and video (UDP?)?
TCL or Bash script on ISP IPv6 PD Change
Posted: 31 Mar 2022 04:26 PM PDT
First off, I want to say thanks to those that have offered help on this journey. I have a Cisco 2921 running Classic IOS v15.7.

I want to write a script that will trigger on a new prefix being assigned from my ISP. I have never scripted on a Cisco device before and the documentation seems lacking and is mostly hello-world level tasks. I have this working with EEM watching syslog. What I would like to do afterwards is subnet this delegation into sub-delegations to hand out within my topology to sub-routers. My ISP gives me a /56 and I would like to hand out a /60 to each sub-router. I figure I should be able to do some string manipulation of the prefix PD-ISP to adjust the 2nd half of the 4th hextet. For example, if my ISP provides 1234:1234:1234:ff::/56 I would have networks 1234:1234:1234:FFX0::/60 where X would be a valid HEX value. This should allow me to utilize the 1st /60 for on-link networks and the remaining to delegate to sub-routers. I need assistance in grabbing the PD; not sure if there is a way to capture it from the syslog message or otherwise. Then manipulating it in TCL should be fairly easy and then I would write it to a new DHCPv6 pool. Of course, if anyone has a better solution, I am open to suggestions.
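As an added example (my own, not the poster's script, and in POSIX shell rather than the IOS TCL the poster is after, so the EEM/syslog capture step is out of scope), here is the string manipulation of the fourth hextet that turns a delegated /56 into sixteen /60s. One detail worth checking before handing prefixes to sub-routers: a /56 boundary falls between the two bytes of the fourth hextet, so a delegated /56 has the form 1234:1234:1234:ff00::/56 and its /60s run from ff00 through fff0; a prefix written as ...:ff::/56 puts the ff in the low byte and is not on a /56 boundary, which the function rejects rather than silently producing wrong pools. It assumes the first four hextets are spelled out before the "::" (a missing fourth hextet is treated as 0), and the helper names are mine.

```shell
#!/bin/sh
# pd_subnets.sh: split a delegated /56 into sixteen /60s by rewriting the low
# byte of the fourth hextet (added example, not the poster's script; POSIX sh,
# not IOS TCL). Assumes the first four hextets appear before "::".

pd_subnets() {
    pd=$1
    [ "${pd#*/}" = 56 ] || { echo "expected a /56, got $pd" >&2; return 1; }
    pfx=${pd%/*}                       # drop the "/56"
    pfx=${pfx%%::*}                    # keep only the hextets before "::"
    oldifs=$IFS
    IFS=:
    set -- $pfx                        # $1..$4 are now the leading hextets
    IFS=$oldifs
    [ $# -eq 3 ] && set -- "$1" "$2" "$3" 0   # e.g. 2001:db8:1::/56 -> hextet 4 is 0
    [ $# -eq 4 ] || { echo "need four hextets before :: in $pd" >&2; return 1; }
    h4=$(printf '%04x' "$((0x$4))")    # zero-pad hextet 4 to four hex digits
    site=${h4%??}                      # high byte: fixed by the ISP's /56
    low=${h4#??}                       # low byte: must be 00 on a /56 boundary
    [ "$low" = 00 ] || {
        echo "$pd is not on a /56 boundary (low byte of hextet 4 is $low, must be 00)" >&2
        return 1
    }
    i=0
    while [ "$i" -lt 16 ]; do
        # low byte becomes X0: X picks the /60, the trailing 0 is the /60 boundary
        printf '%s:%s:%s:%s%x0::/60\n' "$1" "$2" "$3" "$site" "$i"
        i=$((i + 1))
    done
}

# First /60 stays for on-link networks, the remaining fifteen go to sub-routers.
onlink_prefix() {
    pd_subnets "$1" | head -n 1
}

subrouter_prefixes() {
    pd_subnets "$1" | tail -n +2
}

# Usage: ./pd_subnets.sh 1234:1234:1234:ff00::/56
[ -n "${1:-}" ] && pd_subnets "$1"
```

The boundary check is the part worth keeping whatever language the final script is written in: a prefix that fails it will still produce sixteen syntactically valid /60s, but they overlap with someone else's delegation rather than sitting inside yours.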
NPS, EAP, Intune, PKCA, Unifi, WPA2 Enterprise
Posted: 31 Mar 2022 04:38 PM PDT
I'm trying to get a certificate-based, no-touch wireless login going for all company-managed iPads so that they will automatically authenticate anytime they are near our wifi, and I think I have everything, but NPS is throwing some cryptic errors that I can't find. I can't seem to find where the EAP logs are being stored to further diagnose.

The current setup: Unifi system using RADIUS talking to Windows Server 2019 NPS. I have it currently working for domain-managed computers: they will automatically grab a certificate from the AD CA and then connect to the wifi with a profile I pushed via GPO. So I know there's a way to get EAP-TLS working since I'm already using it. I just want my iPads to do the same as my desktops. Right now I have Intune requesting and creating a PKS and exporting and installing it onto the iPad. It has the identity loaded and the AD CA has the other side of that cert loaded and working correctly (as far as I can tell). The problem I am running into is that NPS was first asking for a user account to even get to the network policy approve or deny state, so I created an iPad username; now it's throwing that cryptic EAP error and I've hit a wall on what I can do and troubleshoot.
Weird Ethernet header trailer field
Posted: 31 Mar 2022 03:13 PM PDT
For the screenshot, see https://imgur.com/a/YV2323b. This trailer of "fefe fefe fefe" is spotted in the Ethernet header of the final ACK of the TCP handshake (so client to server). A similar trailer but with the value of 0000 0000 0000 is seen in the first reply back from the server. After that this doesn't show up in the rest of the packets of that TCP session. Since this is an Ethernet header, it's not the client and server which have put this on it, as they are many hops away. I've looked around at many places and shown it to many good people (yes, including the ones who manage the routers and switches), but nobody knows anything about it. I've been suggested F5, but they are putting data in the Ethernet trailer after the payload, while this is in the trailer of the Ethernet header. Is anybody able to satisfy my curiosity on what this Ethernet header trailer is used for?
CoPP is knackering my transfer speeds, however IOS-XE ain't friendly to re-configure
Posted: 31 Mar 2022 12:07 PM PDT
I'm trying to use any protocol to transfer images from a file server to my 9300s and 9500s. Every time it was capping at max 7-10Mbit/s. Turns out there is a default CoPP policy called system-cpp-policy which is capping my transfer speeds inside of the system-cpp-police-forus class. Note, I also had this issue on NXOS, which I resolved by copying the CoPP policy and adding an entry for FTP for example, and setting much higher rates. However, on these IOS-XE 9500s, there isn't an option to clone the policy. You also have the following limitations:

So the clear option was to create a new class-map and then put a high transfer rate on, and add it into the policy. So this is what I did:

Since you are limited to specifying the rate as pps (which has a maximum value, that I used in my config), I have no way to identify how much throughput that means, so it's just a trash design choice by Cisco to limit you to using pps in my opinion. You also cannot add statements such as "conform action" or "exceeded action" on the statements, because after you apply it, the config is removed from the running config (i.e. I can't even just put an exceeded action to allow it through, just to test what speeds I can actually reach). This implementation improved my throughput to around 20Mbit/s, however I was still hitting the exceeded counter in the policy-map, and thus dropping packets on my transfer. So it's really annoying.

The next step I'm planning to do is just create a totally custom policy, which should allow me the freedom to specify a bit/s rate, and thus allow me to improve the speed. However setting proper rates on them is going to be difficult, as I have nothing written in bit/s since the default policy is using pps. The ACLs applied to the default class-maps are also hidden from #show run all.

I'm just wondering how many of you guys have hit this issue, specifically on IOS-XE, and come up with a nice, clean solution to improving your transfer speeds of your software downloads (like, it's legit an issue with these newer 1gig files, especially on an enterprise-level network)?

Note: I've got around 10Gbps links through to my file-transfer server, hence why I'm not accepting 20Mbit/s as a good enough transfer rate. I can also iperf around 6Gbps through about 16 threads to my server. So I know the theoretical max rate I would ever get in prime conditions is around 6Gbps. However I'd be happy with just like a 200Mbit/s rate limited by a policer.
Certificate setup / understanding
Posted: 31 Mar 2022 09:17 AM PDT
I, for the life of me, just cannot get certificates. Roots, authorities, CRLs, chains, public, private, whatever. I've been trying for a long time to get some sort of blog or video that just explains the basics and tells me what I need to know. Anyone have a good resource on this? Simple and from the ground up? I'm currently setting up a Windows 2019 server for my Aruba lab and I can log in using RADIUS on my switches and controllers, but when I set up a .1X SSID for clients, the request gets rejected. I've been following this guide, but can't help but think that it may be a little overboard for what I actually need to do. I'm sticking to it for now, but if anyone has a better resource please let me know. https://mjcb.io/blog/2020/03/09/certificate-authority-windows-server-2019-part-1/
Ruckus ICX7450 QoS setup
Posted: 31 Mar 2022 03:01 PM PDT
I have a couple of Ruckus ICX7450 switches that will be installed at sites with limited bandwidth on the uplinks. We want to be sure that in the event of bandwidth over-utilization, management traffic will not get dropped. The old configs (firmware 8.0.10) had ACLs that defined 802.1p markings and then defined internal priority markings like this:

access-list 120 permit ip any any 802.1p-priority-marking 5 internal-priority-marking 5

These were then assigned to ports. It seems like they changed the way this works in firmware 8.0.70. The security implementation guide states that internal priorities default to the 802.1p markings. So the new access list is just "access-list 120 permit ip any any 802.1p-priority-marking 5".

To test this out I created VLAN 1, configured port 1 as a tagged port and port 22 as an untagged port on both switches. The ACL was applied to port 22 with "ip access-group 120 in". A workstation was connected to each switch on port 22 and iperf was run over the tagged uplink. I did "show interface eth 1/1/1" and looked at the egress queues - all traffic is in queue 0 on both ends of the uplink. On port 22 at the receiving workstation the traffic is in queue 5. I just don't understand this well enough to know what's wrong. I would have assumed the queueing would happen at the egress on the uplink, not downstream at the receiving workstation's access port. At that point it's too late.
Tunneled EAP (EAP-TEAP) - Has anyone deployed this across wired/wireless successfully?
Posted: 31 Mar 2022 06:58 AM PDT
Hey /r/networking, title, basically. I've got EAP-TEAP running at a test site on our wired LAN side. For the most part, the machines and login/logout seem to work as expected against our ISE Cluster. However, we're seeing a lot of EAP messages where our endpoint supplicants (running Windows 10 Native) seem to keep restarting the session a few times before authentication succeeds, leading to longer-than-anticipated authentication times, sometimes timing out on the supplicant side after a minute or so. Wireless, by contrast, uses PEAP based on user or machine against AD and has zero issues. The users by and large haven't noticed, more likely due to the fail-open nature of the LAN side atm. But I'd like to get authentication times down, and was wondering if anyone else has experienced this issue at all. I'm also pretty surprised that, with the difference in the two authentication methods (EAP-TEAP vs PEAP), we're seeing so much longer authentication times. Some insight would be fantastic. I've got a case open with TAC atm and it's slow going. Wanted to open it up to y'all and see if anyone has done this before.

TEAP-Machine method - cert-based
TEAP-User method - AD-based authc.
BGP path question
Posted: 31 Mar 2022 07:31 AM PDT
I'm trying to see if there is an online tool anywhere that would help me identify BGP hop-by-hop ASNs to a destination (for ex. US/NY --> Asia/China), just looking for general info that would give me general transit path information. Is there something like that anywhere? Tried looking for it but not having any luck, maybe just using wrong search terms. Thank you
10G Network - LAN speeds are great, WAN up speeds are bad (head scratcher)
Posted: 31 Mar 2022 06:50 AM PDT
I recently upgraded a client's internet connection to a symmetrical AT&T fiber 1G/1G connection. All computers on the network are seeing the new speeds (all 1G link speed), except one (main workstation). It's running 10GbE using an AQC-107 at (10G link speed). There have been no previous issues with 10G performance on LAN (between workstations and servers). This WAN issue may have existed but went unnoticed b/c there was not this much upstream internet bandwidth previously.

Issue:

Setup:

Observations:

Troubleshooting:

Summary:

Can anyone shed any light on this? Have you ever experienced this? Thanks guys!
Limiting DHCP to a single address on UNI Port
Posted: 30 Mar 2022 04:37 PM PDT
In a service provider environment I am interested to get input on how others accomplish the following:

Problem: If a customer plugs a switch into the UNI port vs a router, I don't want them to be able to pull multiple IPs from the DHCP server.

Goal: Assign a single IP via DHCP to the customer from the service delivery switch's UNI port.

Option 1: Port security and allow a single MAC; the customer has to reboot the switch to get a new MAC to bind.

Option 2: DHCP relay with Option 82 enabled. The relay sends circuit-id/port with the request and the server identifies the circuit-id/port and responds with the IP address assigned to that circuit-id/port. I have not found solid data on what DHCP servers support the Option 82 data. Has anyone done this with Kea? Not sure if this requires premium hooks or if the base offering supports this.

In the old days people used PPPoE for everything but I really want to avoid the legacy methods. Thanks in advance.
NetDevOps 2022, what are you guys using today
Posted: 31 Mar 2022 09:36 AM PDT
As the last thread was > 1yr old and we all know how fast things can move, I wanted to get some ideas about what everyone is seeing in use today. I hear a lot about Ansible and some Chef work as well. I wondered if anyone is using a full CI/CD pipeline today? Git > triggered actions > test deploy > staggered rollout or something similar.
Securely Separating Networks inside a DC
Posted: 31 Mar 2022 02:33 AM PDT
I started a new role; in the first meeting there was a discussion on how to securely separate networks inside a DC. DC networking is not my strong suit and I have a lot to learn. From an enterprise approach I have seen on other networks where a VLAN which was deemed sensitive would have an ACL on the SVI of that VLAN allowing only certain subnets/IPs over certain protocols and ports. Would this be the same type of approach in a DC or are there more secure methods used to safely protect a sensitive VLAN? This environment has no firewalls inside the DC; they're only used on the edge for traffic entering.
Routing question
Posted: 30 Mar 2022 05:35 PM PDT
I've managed to overthink a scenario and get myself confused. Now I need some help. Here's the scenario: I have switch A connected to switch B via a layer 2 trunk port that contains all relevant VLANs. Switch B uplinks to the rest of the network. Switch B contains the gateway for each relevant VLAN (the .1 addresses to be exact). When a device on A needs to talk to one on B that's on a different VLAN, does it do so automatically without traffic leaving B, or does the fact that it's crossing VLANs mean the device on A has to rely on the routes on switch A?
How to manage A LOT of locations?
Posted: 30 Mar 2022 11:17 PM PDT
I work in a company that has 100+ PoPs worldwide in a lot of DCs. It is becoming a nightmare managing all in Excel in terms of:

- DC location / contacts
- Internet carriers details / contacts
- What devices we have in each location (servers, switches etc)
- Cost of cabinet
- Cost of network
- Date of agreement end
- And other stuff that relates

What would you use to manage this? Looking for one complete solution.
Network Monitoring Criteria...not tools
Posted: 30 Mar 2022 12:20 PM PDT
We have been using a temporary Nagios solution to do monitoring ever since our SolarWinds environment had to be unexpectedly turned off. It has fit the bill for the time being, but now we are at the point of putting real effort into the solution needed going forward. Since Nagios was a hurry-up kind of effort, not much went into picking a tool except the very basic monitoring and alerting we could get up and running quickly. We have established a basic set of criteria of what we need/want, either through a single tool or multiple tools if necessary. What I am hoping for feedback on is the criteria itself, not tools (yet). What would be your criteria in addition to this list and what of this list may be a waste?

Must have:

Nice to have:

Thank you
Fusion Splicing
Posted: 30 Mar 2022 06:09 AM PDT
I'm trying to determine what is acceptable fusion splice loss. Can someone chime in on their real-world experience on this subject? When looking at some OTDR shots here recently, I'm seeing .15 and less on some splices, but then some that are above .3 that even show fail based on their settings in the OTDR. This is referring to single-mode fiber.
Bluetooth Console Adapters
Posted: 30 Mar 2022 05:35 PM PDT
Does anyone have a Bluetooth console adapter they would recommend, other than get-console? I went Bluetooth a while ago and am spoiled about not needing to balance my laptop while consoling into the switch. I can't seem to get a hold of anyone at get-console, so I'm not sure if they are still around. I'm hoping there is a similar product in the market.
Security Appliance stuff - Looking for better NIDS/NIPS/reporting/analytics than what came with Sonicwall
Posted: 30 Mar 2022 04:04 PM PDT
Current UTM / NGFW is an NSA 3600. I also have their hosted Network Security Manager (NSM) service which is connected to the NSA. The base NSA 3600 unit itself is fine and SonicOS 6.5.x seems really good on it. However, the security services such as the NIDS, NIPS, DPI-SSL, and other stuff seem to have varying levels of issues. Then, NSM constantly has issues where it just doesn't load or gives incorrect data (I've had a slew of tickets) and just doesn't work and provides almost no value anymore. I'm basically done with it.

I am currently considering looking at Palo Alto, FortiGate and Check Point (and others) to see if I can find something else. That said, if I did just stick with the Sonicwall and simply use it as a router, wouldn't I be able to tie in some external NIDS and NIPS solutions and use those in addition to the NSA?

Also, side note, I get it that "UTM" and "NGFW" are sometimes just buzzwords and marketing terms, but I understand they also have their place and relative value in an SMB environment. I know some people may argue against buying them and instead say don't have all security tools in one box. I would be open to that if I had a clear path to the right tools. My biggest concern, aside from stability and network security, is just overall visibility with reliable reporting and analytics. Currently, it is very difficult to pull meaningful data out of the NSM reports since they are overall pretty vague. Live logging has very short retention and though I am logging to Syslog / SIEM and NSM, I'm still having trouble getting critical information in real time. I guess I'm just looking for some guidance and suggestions as to what to do.