The only HA I ever worked with that worked as designed was a VRRP setup with a couple of MikroTik CCRs. Even then the failover was a script and it was highly complicated. I suspect the reason behind this one is as you stated. The Enterasys S1, the next hop up from the Checkpoint, and/or the core S4 behind it didn't want to see another MAC address. Regardless, I'm not happy about the fact that the simple act of blocking an application caused a six figure firewall solution to poo poo itself.

Posted Jan 9, 2018 03:07

Farking Bastage posted:
I can tell you that the expensive firewalls have quirks of their own. 15 minutes before quitting time today, something went wonky with our *VERY* expensive Checkpoint 15000 HA pair. We pushed an application rule to block Snapchat and something glitched. The primary poo poo itself completely, but not in such a way that the HA backup would sense it and take over. Forced a failover to the secondary, but it still didn't want to work right. We ended up having to revert the config on the primary, fail it back over, then revert the secondary. I'll be on the phone with someone in Israel a lot tomorrow, looks like.

That sounds about right for Checkpoint!

Posted Jan 9, 2018 03:25

We spent more than twice the value of my house on bullshit machine learning blackbox DDoS mitigation devices that I currently have in passive mode doing nothing because I don't trust them to not be invisibly loving up everything. Buying these things was almost certainly the worst mistake we made when building out a datacenter. We could have purchased 50gbps of bandwidth for 5 years for what we spent on these loving things. Several times these things have caused horrible, horrible, impossible to troubleshoot cascading failures. For example, something goes wrong so logging spikes. The spike in logging triggers some ML horseshit to start invisibly dropping traffic to or from AWS (because that's where our logging services were hosted) because this spike of traffic is an anomaly. Same for DNS. What happens when logging traffic or DNS gets dropped? Obviously you send more to log the failure to log or request DNS again. Never again.

Methanar fucked around with this message at 04:00 on Jan 9, 2018

Posted Jan 9, 2018 03:57

Zamboni Apocalypse posted:
I believe the correct version for incoming fire is "For what we are about to receive, dear Lord make us thankful."

I always use "... may we be truly grateful."

Posted Jan 9, 2018 04:12

Methanar posted:
We spent more than twice the value of my house on bullshit machine learning blackbox DDoS mitigation devices that I currently have in passive mode doing nothing because I don't trust them to not be invisibly loving up everything.

Could you lower the sensitivity so it would take a disaster-level DDoS to trigger action? Or whitelist your cloud service IPs and DNS forwarders so it doesn't interfere with business traffic?

Posted Jan 9, 2018 04:36

Judge Schnoopy posted:
Could you lower the sensitivity so it would take a disaster-level DDoS to trigger action?

No*

tldr: A huge amount of our traffic is UDP and my WAN traffic is very asymmetric. There is zero way that I can enforce that traffic exits through the same DDoS appliance that it enters. This means it is impossible for these things to have any meaningful view of what UDP traffic is actually doing, and TCP traffic insight is reduced. Also, unless I whitelist all of Amazon's blocks, which is pretty close to removing the device from service entirely like I have right now, I can never guarantee that IPs are going to be within a given whitelist. DNS whitelisting isn't a thing. The way the thresholds are generated, if an IP suddenly moves it will almost certainly immediately be flagged as anomalous and almost certainly blocked until a human intervenes, because log transmission is continuous and will look like an attack.

Ultra simplified view:
wan1 -> ddos1 -> network
wan2 -> ddos2 -> network

The real answer to DDoS mitigation is don't even remotely try to do it yourself. Properly harden your nginx or haproxy instances to flush their connection tables as necessary to avoid the low hanging fruit. If anything volumetric happens, pray that you chose a provider that supports BGP community strings to blackhole traffic, then use that, provided the source is something that is reasonable to blackhole, not the entirety of Comcast or something. Anything more serious of a problem or larger scale than that, you need to do bigger things like have a geographically distributed presence and do fancy things with BGP anycasting and using sacrificial sites.

Methanar fucked around with this message at 06:20 on Jan 9, 2018

Posted Jan 9, 2018 04:48

Methanar posted:
Anything more serious of a problem or larger scale than that, you need to do bigger things like have a geographically distributed presence and do fancy things with BGP anycasting and using sacrificial sites.

Man, the cyberpunk dystopia is here, only instead of hot half-cyborg Asian chicks and seedy Japanese diners, it's some underpaid nerd in an office trying to cope with 100,000 infected webcams sending billions of dickpicks per second and crashing the servers because we as a race can't have nice things.

Posted Jan 9, 2018 06:23

Methylethylaldehyde posted:
Man, the cyberpunk dystopia is here, only instead of hot half-cyborg Asian chicks and seedy Japanese diners, it's some underpaid nerd in an office trying to cope with 100,000 infected webcams sending billions of dickpicks per second and crashing the servers because we as a race can't have nice things.

Beautifully put.

Posted Jan 9, 2018 10:22

Zamboni Apocalypse posted:
I believe the correct version for incoming fire is "For what we are about to receive, dear Lord make us thankful."

Sorry, no, this is the wrong prayer, as they're the one sending out the patch over their network. For something being caused by their own actions they want Shepard's Prayer: "Please God, don't let me gently caress this up."

Posted Jan 9, 2018 10:49

Bob Morales posted:
After about two trips in the cold and snow I bought a UPS with a web interface for the power outlets

Yeah, our standard rack buildout now includes 2 non-negotiable devices: a multiport serial console server and a rack PDU. Because it's been historically shown that we can't trust on-site people to find their rear end with both hands and a map (and honestly, dealing with that stuff isn't their job). Also, gently caress sending one of the T1/2 guys 50 miles to cycle power.

Posted Jan 9, 2018 14:56

Do you drop in a cheap DSL circuit for OOB access to the serial server?

Posted Jan 9, 2018 15:13

Methylethylaldehyde posted:
Man, the cyberpunk dystopia is here, only instead of hot half-cyborg Asian chicks and seedy Japanese diners, it's some underpaid nerd in an office trying to cope with 100,000 infected webcams sending billions of dickpicks per second and crashing the servers because we as a race can't have nice things.

I'm going to print this and hang this on my cube wall.

For content, we just rolled out our new USB mass storage lockdown, mandated and designed by the nationwide corporation that is our parent organization only when they want to tell us to do stuff or demand that the hospital make more money. This is fine and dandy because our doctors are all morons and nobody wants to do infosec training for nurses who already don't have the patience to deal with these computer modems, except that the new filters prevent us from installing any USB hardware at all, not just Dr. Iknowbetter's infected SanDisk. Thankfully they included a convenient way around it for those of us with AD access, but I really wish the networking team and corporate would stop "fixing" problems by offloading them to the helpdesk. I also wish I'd have won the drat lottery. And a pony.

Posted Jan 9, 2018 15:56

Thanks Ants posted:
Do you drop in a cheap DSL circuit for OOB access to the serial server?

Nah, that's on whichever group (both internal and external customers) actually runs that datacenter. The stuff we manage on our single rack is behind all that.

E: sorry, misunderstood what you were asking first.

Proteus Jones fucked around with this message at 16:43 on Jan 9, 2018

Posted Jan 9, 2018 16:40

Thanks Ants posted:
My experience with Sonicwall has been terrible. We got onto the Gen6 train far too early (had no option though unless we wanted to buy old hardware) and it was a complete shitshow for a very long time. I still would try and avoid having things like a VLAN-tagged WAN interface because so much stuff just flat-out broke the last time I tried it.

Their CLI is A LOT better than it used to be. We haven't run 5.6 code yet, still on 5.4 (some devices on 5.2), but it's getting better; the issue is the stark lack of documentation on poo poo. Every time I call support I make sure to log the SSH/CLI sessions they use because there's always something new that I didn't know about.

Proteus Jones posted:
Yeah, our standard rack buildout now includes 2 non-negotiable devices. A multiport serial console server and a rack PDU.

Those serial console servers are loving awesome. We have a Digi box at one of our larger customer's data centers where we manage an HA pair of firewalls and 2x8 stacks of Cisco switches and it's awesome. I've only needed it twice, but it was a godsend when I did. That customer is also not in the contiguous 48, so it really would have been annoying (and awesome) to have to fly there to fix a thing.

MF_James fucked around with this message at 17:19 on Jan 9, 2018

Posted Jan 9, 2018 17:11

Methylethylaldehyde posted:
Man, the cyberpunk dystopia is here, only instead of hot half-cyborg Asian chicks and seedy Japanese diners, it's some underpaid nerd in an office trying to cope with 100,000 infected webcams sending billions of dickpicks per second and crashing the servers because we as a race can't have nice things.

Goin' into the Funny Forum Quotes thread. God drat.

Posted Jan 9, 2018 17:28

How much will I hate my life if I try to learn Salesforce? They're looking for someone to use it as a Customer Resource Management tool, run reports for invoices and track projects. It seems like a trap, but not sure how much worse it would be compared to helldesk.

Posted Jan 9, 2018 17:39

RedMagus posted:
How much will I hate my life if I try to learn Salesforce? They're looking for someone to use it as a Customer Resource Management tool, run reports for invoices and track projects. It seems like a trap, but not sure how much worse it would be compared to helldesk.

Learn to code for Salesforce instead of being a service monkey. IT to BizApps is a decent move, but IT to report-runner is going to kill you.

Posted Jan 9, 2018 17:41

It's been a while since I've had a user who I dread seeing tickets from, but we've got a good one now. It's like tech-supporting my granny. Today a colleague was troubleshooting why her built-in webcam wasn't working. After about an hour on a remote session, he figured it out. The laptop lid was closed. She's a department head for a science based company and can't be older than 40.

Posted Jan 9, 2018 18:06

bitterandtwisted posted:
It's been a while since I've had a user who I dread seeing tickets from, but we've got a good one now. It's like tech-supporting my granny.

This is very common with doctors. They learn so much in their field that how to do anything else slides right out.

Posted Jan 9, 2018 19:17

iospace posted:
This is very common with doctors. They learn so much in their field that how to do anything else slides right out.

Can confirm, I work in a hospital.

Posted Jan 9, 2018 20:02

bitterandtwisted posted:
It's been a while since I've had a user who I dread seeing tickets from, but we've got a good one now. It's like tech-supporting my granny.

In her defense, if it was docked (it sounds like it was) she may have just thought the monitor had a webcam, like a lot of all-in-ones/Macs do.

Posted Jan 9, 2018 20:11

FYI, we have really bad issues with KB4057247 on some Dell laptops. My desktop guys are having a hard time nailing down the exact problem. Just FYI.

Posted Jan 9, 2018 21:18

The Muffinlord posted:
For content, we just rolled out our new USB mass storage lockdown, mandated and designed by the nationwide corporation that is our parent organization only when they want to tell us to do stuff or demand that the hospital make more money. This is fine and dandy because our doctors are all morons and nobody wants to do infosec training for nurses who already don't have the patience to deal with these computer modems, except that the new filters prevent us from installing any USB hardware at all, not just Dr. Iknowbetter's infected SanDisk.

Luckily our being behind the times worked in our favor in this case because most people were still on PS/2 keyboards.

Posted Jan 9, 2018 21:21

Why the gently caress did we think it was a good idea to make our own email client?

Posted Jan 10, 2018 00:38

Posted Jan 10, 2018 00:49

A Pinball Wizard posted:
Why the gently caress did we think it was a good idea to make our own email client?

Posted Jan 10, 2018 00:50

A Pinball Wizard posted:
Why the gently caress did we think it was a good idea to make our own email client?

Posted Jan 10, 2018 00:52

Please tell me it also clacks as you enter your email like an old-timey typewriter and the sound is hardcoded in VB6.

Posted Jan 10, 2018 00:59

Lots of AOL sounds built in

Posted Jan 10, 2018 01:07

A Pinball Wizard posted:
Why the gently caress did we think it was a good idea to make our own email client?

Do you work for Nomx?

Posted Jan 10, 2018 01:44

incoherent posted:
Please tell me it also clacks as you enter your email like an old-timey typewriter and the sound is hardcoded in VB6.

Of course not! Most of it was rewritten in .NET just last year!

Posted Jan 10, 2018 01:47

Centurylink handed off the /25 belonging to one of my remotest of remote sites elsewhere today. Took about 6 hours of talking to people to get it sorted.

Posted Jan 10, 2018 01:56

A Pinball Wizard posted:
Why the gently caress did we think it was a good idea to make our own email client?

I'm sorry, but Ahahahahahhahahahahahahaaaaaaaaa...

Sickening posted:
FYI, we have really bad issues with KB4057247 on some Dell laptops. My desktop guys are having a hard time nailing down the exact problem. Just FYI.

We're an all-Dell institution; what kind of errors are you seeing? It'd be nice to get ahead of that.

Posted Jan 10, 2018 02:51

A Pinball Wizard posted:
Of course not! Most of it was rewritten in .NET just last year!

One of the joys in my life is finding boutique software written in a blend of VB6/.NET/FoxPro.

Posted Jan 10, 2018 03:11

Those of you with Dell laptops, ever seen an issue where the trackpad/mouse freezes every 5 seconds for a second or two constantly? Working on a laptop with that issue and I can't figure it out. Tried a new hard drive, formatted. In Windows 10.

Posted Jan 10, 2018 03:22

Check your SATA cables for April Fools.

Posted Jan 10, 2018 03:25

GreenNight posted:
Those of you with Dell laptops, ever seen an issue where the trackpad/mouse freezes every 5 seconds for a second or two constantly? Working on a laptop with that issue and I can't figure it out. Tried a new hard drive, formatted. In Windows 10.

I have this issue with the trackpad on my Precision M6600, but it works fine with a mouse. Never did figure out the issue, and it has persisted through multiple OS installs and reseating the cable. Let me know if you figure it out.

Posted Jan 10, 2018 04:26

It happens with a mouse too. Frustrating.

Posted Jan 10, 2018 04:42

A Pinball Wizard posted:
Of course not! Most of it was rewritten in .NET just last year!

Posted Jan 10, 2018 05:51

GreenNight posted:
Those of you with Dell laptops, ever seen an issue where the trackpad/mouse freezes every 5 seconds for a second or two constantly? Working on a laptop with that issue and I can't figure it out. Tried a new hard drive, formatted. In Windows 10.

I have a fix for this! The TL;DR is the Windows PTP drivers are poo poo and every time you touch the pad, they wait for you to make a gesture. You can replace them with the Synaptics drivers and the problem disappears.

Posted Jan 10, 2018 07:33