FTD is dogshit. Cisco should be ashamed to have rolled it out.

# Nov 21, 2022 18:10

# May 28, 2024 03:41

fatman1683 posted: Could you give some detail on your experience with it? I've never worked with Firepower, only the older ASAs, so I don't really know what to expect.

It’s extremely user hostile, it takes forever to get it all going after a power cycle, you may require a VM to run the administrative stuff, and it’s generally just a bad product in every respect. I’m going to rip it out someday because I can’t use it for anything that I wanted to because using any of the features requires me logging and loving with it instead of just being an overpriced router that can block inbound stuff I never look at or remember that I own

# Nov 21, 2022 18:20

Did you work with the ASA GUI? That was unpleasant and way behind the times even when it was new. The experience with FTD is still a decade behind in usability and navigation. The entire system is also 100% not designed for single deployments. The devices are not intended to be managed standalone and need a management server to get more than a fraction of the functionality out of them. There's also the whole EA microtransaction hell of every single function requiring its own license, or pay them $Texas to not have to deal with that. What are you looking to really do with it? If you're just doing simple home firewall stuff, then FTD is paying the price of a Ferrari for a Challenger that you have to try and drive from the trunk with sticks and string when all you need is a cheap reliable Mazda that you can use like a normal person. If you're looking for some advanced features, there are dozens of better choices actually designed for SOHO that you can use like a sane human being. FTD ain't it.

# Nov 21, 2022 18:38

Maybe they're better now, but the last time I dealt heavily with FTD, 4 or 5 years ago, they were extremely bad. I've never encountered more critical, enterprise-breaking bugs on a single platform than I did with FTD. These days the only thing I can recommend buying a Firepower is if you're running the ASA code on it, and you're doing this because you have to use AnyConnect instead of some other VPN client because of whatever reason.

# Nov 21, 2022 19:31

i am a moron posted: It’s extremely user hostile, it takes forever to get it all going after a power cycle, you may require a VM to run the administrative stuff, and it’s generally just a bad product in every respect. I’m going to rip it out someday because I can’t use it for anything that I wanted to because using any of the features requires me logging and loving with it instead of just being an overpriced router that can block inbound stuff I never look at or remember that I own

That definitely does not sound like a good time, I appreciate the input.

Slickdrac posted: What are you looking to really do with it? If you're just doing simple home firewall stuff, then FTD is paying the price of a Ferrari for a Challenger that you have to try and drive from the trunk with sticks and string when all you need is a cheap reliable Mazda that you can use like a normal person. If you're looking for some advanced features, there's dozens of better choices actually designed for SOHO that you can use like a sane human being. FTD ain't it.

Home firewall stuff is part of it, but I'm also going to be setting up a colo for some other services and want to be able to do site-to-site VPN, QoS, stateful packet inspection, that sort of thing, most of which is beyond the capabilities of Ubiquiti gear, so I'm looking for the next step up. I've looked into Palo Alto and Fortinet a little, but haven't found anything that immediately strikes me as The Thing that would be ideal for this use case. If the Firepower models are this much of a clownshow, then I'm definitely open to suggestions.

# Nov 21, 2022 22:13

Thanks Ants posted: Most Cisco stuff relating to firewalls is fairly poo poo, and people put up with it at work. You don't deserve to voluntarily inflict it on your home life.

# Nov 21, 2022 22:18

fatman1683 posted: That definitely does not sound like a good time, I appreciate the input.

If you're home labbing then look at an Opnsense appliance. Or run TNSR or RouterOS on your own hardware.

# Nov 21, 2022 22:30

Thanks Ants posted: If you're home labbing then look at an Opnsense appliance. Or run TNSR or RouterOS on your own hardware.

Thanks, I used pfSense years ago and it looks like Opnsense has come a long way. I'll start digging around in that ecosystem. Thanks for the advice!

# Nov 21, 2022 23:56

does asdm still require java 6? ASA products are trash. buy actually anything else. I'd whitebox pfsense or something in production before I ever use an ASA again. but the real answer is just buy a fortigate

# Nov 22, 2022 03:12

Methanar posted: but the real answer is just buy a fortigate

Would the Fortigate SD-WAN implementation be a suitable substitute for an old-school site-to-site VPN? I'm not all that familiar with software-defined networking in general.

# Nov 22, 2022 04:12

fatman1683 posted: Would the Fortigate SD-WAN implementation be a suitable substitute for an old-school site-to-site VPN? I'm not all that familiar with software-defined networking in general.

FortiGate can still do traditional policy and interface mode IPsec tunnels without SD-WAN or OCVPN.

# Nov 22, 2022 05:34

Pile Of Garbage posted: FortiGate can still do traditional policy and interface mode IPsec tunnels without SD-WAN or OCVPN.

Ok thanks!

# Nov 22, 2022 19:40

FTD is probably still bad but the terrible version (around 6.2 I think) is where the main bad rep came from iirc, it was a terrible merger of ASA and SourceFire code bases and also needed to preserve compatibility with ASA appliances augmented with an FP module, which was the worst of all worlds. They've done a lot to improve it since, and mainly went from 6.x to 7 in an attempt to get rid of the bad name. Appliances are now also FTD only, ASA is over and most features FTD was missing compared to it should now have been implemented natively. Whatever is still missing, e.g. WebVPN, is just not coming back.

Was wondering, why does Check Point hardly ever come up in FW discussions? The vibe I get from them as a company is similar to Cisco; been around for a long time and not as agile in their main business, but still a solid option. What disqualifies them?

Leandros fucked around with this message at 13:32 on Nov 25, 2022

# Nov 25, 2022 13:27

Checkpoint sucks too. Palo or fortinet only gang

# Nov 25, 2022 14:11

They're expensive and I found basically everything they do to be worse in comparison to Palo Alto. I don't know if it annoys anyone else, but they went all in on this 'policy layer' setup that's incredibly cumbersome and is different from every other firewall. If you wanted to do application/URL filtering, you'd have to have a policy on one layer that allowed port 443 to any destination, then other policies on another layer to do the app/URL filtering. They were different rule sets in the UI. They only just started to unpick that to allow a typical policy setup.

We also had random things go wrong with them, and the deployment had been set up by their number one support partner in Europe, who were basically useless. The entire deployment was overly complicated and seemed like it only served to sell twice as many VMs as was needed. It was like someone had looked at the Azure cloud adoption framework diagrams and had no idea how any of it was supposed to be pieced together, just that there were 4 VMs.

# Nov 25, 2022 14:37

Sepist posted: Checkpoint sucks too. Palo or fortinet only gang

Checkpoints are infuriating that they don't separate management plane from data plane.

Methanar posted: does asdm still require java 6?

LONG LIVE ASA CLI -- Any sort of GUI management is rear end, though. At least they have an option for ASDM that bundles OpenJDK in the file.

Prescription Combs fucked around with this message at 23:39 on Nov 25, 2022

# Nov 25, 2022 23:17

Someone tried to get me to buy Watchguards and seemed upset when they demo'd it with a Windows management app and I laughed at them. I wonder if you still have to install software to configure them.

# Nov 25, 2022 23:19

Thanks Ants posted: Someone tried to get me to buy Watchguards and seemed upset when they demo'd it with a Windows management app and I laughed at them. I wonder if you still have to install software to configure them.

# Nov 26, 2022 00:51

Sepist posted: Checkpoint sucks too. Palo or fortinet only gang

uhhhhahhhhohahhh posted: They're expensive and I found basically everything they do to be worse in comparison to Palo Alto. I don't know if it annoys anyone else, but they went all in on this 'policy layer' setup that's incredibly cumbersome and is different from every other firewall. If you wanted to do application/URL filtering, you'd have to have a policy on one layer that allowed port 443 to any destination, then other policies on another layer to do the app/URL filtering. They were different rule sets in the UI. They only just started to unpick that to allow a typical policy setup.

Prescription Combs posted: Checkpoints are infuriating that they don't separate management plane from data plane.

Agreed with all of these. Previously I'd only heard in whispers the agonies involved with Check Points but since June I've been responsible for a small environment with 2x6400s at a DC and 2x5200s at a branch and it's been a never-ending nightmare. As someone who has been doing Fortinet for the last decade, being exposed to the Check Point way of doing things was a massive shock. The fact that the devices on their own are essentially useless without a management appliance is obscene. As mentioned, the manner in which different security functions ("blades") are abstracted is insanely obtuse and littered with caveats (encountering a tooltip in SmartConsole that references a KB article is far from uncommon).

And holy poo poo the price is obscene! We're in the process of renewing support and services for our tiny setup of just four gateways and to get one year's worth with only 8x5 support cost us AUD$80k! Admittedly I've not seen Fortinet quotes for a similar renewal but for my single FortiGate 60F and FortiAP 231F at home renewing FortiGuard and support for one year cost me just AUD$2k (that's with 24x7 support as well, Fortinet don't really do 8x5 any more). The penalty for not renewing services licenses means that blades will be straight up disabled so you lose security features. Compared to Fortinet licensing where device features are perpetual and you only pay for FortiGuard (AV/IPS/etc. updates) and support, it's just crazy.

In the 5 months that I've been supporting this environment I've seen more obtuse bizarre issues than I've seen in years with Fortinet. So many that I've forgotten most of them and can only remember the most recent one: clients unable to access cve.mitre.org, HTTP 200 but the response body only has an insanely obtuse error message from the gateway (so obtuse it appears to be one from a common library as Googling gives results for F5 and other devices). This only happens with Chrome. IE11 works fine.

The only possible convenience of Check Point is having centralised object definitions but ofc that's been available for Fortinet via either FortiManager or just with Security Fabric object sync. And last of all Check Point is a cyber security company based in Tel Aviv so it's highly likely that they're complicit in Israel's apartheid against Palestinians.

So yeah, never buy Check Point, just get Fortinet or Palo Alto (I've only ever seen Panorama which looks pretty good, never used Palo Alto devices but people say good things).

# Nov 28, 2022 12:46

Helping deploy 4 data centers for a client and they chose Checkpoint devices for the firewalls. They aren't even using them for NGFW and have Cisco FTD's running on SPAN sessions for IDS. Should have just run Firepower firewalls running ASA code.

# Nov 28, 2022 17:36

Prescription Combs posted: Helping deploy 4 data centers for a client and they chose Checkpoint devices for the firewalls. They aren't even using them for NGFW and have Cisco FTD's running on SPAN sessions for IDS. Should have just run Firepower firewalls running ASA code.

lmao that's amazing except no Firepower no thanks :P

# Nov 28, 2022 17:45

That's a technology stack you deploy if you're trying to get someone to quit their job

# Nov 28, 2022 18:20

Thanks Ants posted: That's a technology stack you deploy if you're trying to get someone to quit their job

I've seriously considered it.

# Nov 28, 2022 19:12

All good points to know. I wouldn't have suspected that the core business of a company could go off the rails that badly in terms of usability. As for the stuff about Palestinians, I wouldn't know what vendor to choose if that were a serious concern. I've been told the ISR4461 was made specifically for aircraft carriers, and I've seen ESS3300 use case slides that were mostly military.

# Nov 29, 2022 13:02

Super basic questions about DHCP snooping that I'm slightly embarrassed to ask. My main goal here is to prevent rogue DHCP servers from interfering, less as a security concern and more along the lines of preventing operational problems from non-technical staff plugging in unauthorized devices. Cisco's documentation is, as usual, not great.

First question, I guess, is: is this the right tool for the job? It seems like it is. I know DHCP snooping is often deployed with DAI, but I don't think I actually need that for my purposes.

I watched a video about the configuration process, and it seemed straightforward enough, but I have a slightly more involved setup than their example. I have a whole mess of sites, and generally each site has an on-premise DHCP server (separate from the network hardware) that serves as the primary, with a secondary one in an off-site datacenter as a fallback in case the on-prem box dies. I just have the one WAN uplink for my site routing devices; the on-premise server has teamed NICs, but the switchports themselves aren't port-channeled or anything. From the routing device it's generally a hub-and-spoke topology. These sites carry end-user traffic, these aren't datacenter networks or anything. The networks in question are running on Cisco hardware.

I know I need to enable DHCP snooping globally and on the VLANs in use, and if the video I watched was to be believed, I also need to specifically disable insertion of Option 82 or else it will be enabled by default:

code:

code:

code:

EDIT: Wait, is there any point to configuring it on the routing device? I think just configuring it on the access-layer switches would be enough.

guppy fucked around with this message at 02:19 on Jan 7, 2023

# Jan 7, 2023 01:50

Configure it on the switches where somebody could potentially plug in a home router backwards. You can configure one switch and see if things are working before rolling out to more of them. If everything is functioning you should have devices getting DHCP leases still and showing up in the DHCP snooping stats. Final test could be to activate a DHCP server on a laptop or whatever and see the packets get dropped.

# Jan 7, 2023 10:39

Oh, I remember why I thought I needed it on the routing device. It's a little hard to explain, but there's gear that we don't control that connects to our network at our routing device and we've had issues with that gear trying to serve DHCP. We've been isolating their stuff on to its own VLAN as well, but it takes a lot of time to get changes through on their side (and, frankly, on our own side as well). So I think I am going to need to enable it there too and trust only my own links to the DHCP server and the WAN uplink. Otherwise the rogue offers are just going to get distributed through the now-trusted links to the access switches.

# Jan 7, 2023 12:22

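Putting the steps from the last few posts together (snooping on the access switches with only the uplink trusted; on the site L3 switch only the DHCP server's ports and the WAN uplink trusted, so the third party's gear can't hand out leases; then a check), here is an added example Catalyst IOS configuration. It is not guppy's own config (his code boxes did not survive on this page) and not taken from Cisco's documentation; the interface names, VLAN IDs and the binding-database filename are assumptions.

```cisco
! Added example: DHCP snooping for a site like the one described above.
! Not guppy's configuration and not from Cisco's docs. Interface names,
! VLAN IDs and the database filename are assumptions.

!===== Access switch (where someone could plug a home router in) =====
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
! Option 82 insertion is on by default once snooping is enabled; unless
! the relay and server are set up to accept it, clients can silently stop
! getting leases, so switch it off.
no ip dhcp snooping information option
! Keep the binding table across a reload. DAI / IP Source Guard, if ever
! added later, rely on it and would otherwise start empty after a reboot.
ip dhcp snooping database flash:dhcp-snoop.db
!
interface GigabitEthernet1/0/48
 description uplink to site L3 switch
 switchport mode trunk
 ! the only port allowed to deliver DHCPOFFER/ACK/NAK into this switch
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ! untrusted (the default): server-side DHCP messages arriving here are
 ! dropped, and the port is err-disabled above 15 DHCP packets/second
 ip dhcp snooping limit rate 15
!
! bring a rate-limited port back after 5 minutes instead of by hand
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300

!===== Site L3 switch ("routing device") =====
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
!
! Only these links may source DHCP server traffic:
interface range GigabitEthernet1/0/1 - 2
 description on-prem DHCP server (teamed NICs, no port-channel)
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/1/1
 description WAN uplink (path to the off-site secondary DHCP server)
 ip dhcp snooping trust
!
! Everything else stays untrusted: the downlinks to the access switches
! (clients only send DISCOVER/REQUEST, which untrusted ports pass) and
! the port for the third party's gear, whose stray offers are dropped.
interface GigabitEthernet1/0/24
 description third-party equipment (own VLAN, untrusted)
 switchport mode access
 switchport access vlan 40
!
! Had Option 82 been left enabled on the access switches, their clients'
! requests would be dropped on these untrusted downlinks; the escape
! hatch is "ip dhcp snooping information option allow-untrusted", but
! disabling insertion at the edge, as above, avoids the problem entirely.

!===== Verification, on each switch =====
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping statistics
```

For the test suggested in the reply above (a DHCP server on a laptop in an untrusted port), the switch drops the offer and logs a line of the form `%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455` (MAC constructed here), while real clients keep showing up in `show ip dhcp snooping binding` and the drop counters in the statistics output climb.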
Why would your router relay DHCP messages like that? It should only be configured to relay from your DHCP server and nothing else right?

# Jan 7, 2023 13:05

I presume "routing device" means an L3 core switch or similar

# Jan 7, 2023 13:40

Yes, exactly.

# Jan 8, 2023 00:36

Is using VLANs over 1000 still a thing to avoid? Anything Cisco to Cisco I've not seen any problem with it for a while, but the clients we connect to just grab whatever catches their eye and I have no idea how common SOHO stuff is for not supporting higher vlan numbers.

# Jan 31, 2023 17:37

Not since Cisco started supporting dot1q standards like 20+ years ago. Before that their proprietary ISL only supported 1k.

# Jan 31, 2023 20:11

Is it possible that the VLAN ID around 1000 is being confused with the VLANs that Cisco kit would use internally for FDDI and things like that?

# Jan 31, 2023 20:15

Slickdrac posted: Is using VLANs over 1000 still a thing to avoid? Anything Cisco to Cisco I've not seen any problem with it for a while, but the clients we connect to just grab whatever catches their eye and I have no idea how common SOHO stuff is for not supporting higher vlan numbers.

# Jan 31, 2023 20:24

I have been tasked with having student workers on their down time “test” the wireless network in buildings where residents are complaining of poor service. I already know that the request sounds silly because of the vagueness of what testing means and basically doing the vendor's job for them, but I was hoping goons might shed some light on any technology that would be helpful to show student workers how to use besides sending them around aimlessly with Netflix playing on a laptop, and what results may be somewhat actually useful to a vendor. I have access to plenty of PCs, iPads, a few MacBooks, but am very short on Androids.

# Feb 8, 2023 05:26

Budget Dracula posted: I have access to plenty of PCs, iPads, a few MacBooks, but am very short on Androids.

The cheap (free) and dirty recommendation was going to be running WiFi analyzer on Android but there isn’t an iOS/macOS version afaik. Could run an app on Windows 11 that’s available from the Amazon App Store. Bluestack might work for Windows 10 and Mac?

# Feb 8, 2023 06:03

Ubiquiti's WiFiman has both iOS and Android versions and allows you to do speed tests and live channel monitoring/signal strength tests. I think Wavemon works pretty well for Linux and you can use InSSIDer on Windows if you make a free account, but I don't know anything for OSX or cross-platform.

To start out, I would want to figure out if the WLANs being used have good signal strength in the problem areas and if there are any APs running the same channels close enough to interfere with each other. I think WiFiman at least might also have the ability to detect how many other clients there are and that could help figure out if there's a problem with density being too high. If you rule all of that out, I'd dig further into testing the specific application reported to have issues and maybe go back to the vendor for further recommendations.

Eletriarnation fucked around with this message at 07:40 on Feb 8, 2023

# Feb 8, 2023 07:37

The Ubiquiti Wifiman Wizard, if you can find it, looks cheap enough to equip student workers with, to have some sort of consistency in the radio being used to do these surveys.

# Feb 8, 2023 08:29

If you have some cashish - https://www.amazon.com/NETSCOUT-AIRCHECK-G2-Wireless-Tester-Wi-Fi/dp/B079W6DHZZ

I have used the G1 a bunch, which isn’t as equipped but took enough measurements. Rogues sometimes are a problem, but most of the time it was coverage in the back corner of a room where a student wants to perch and use their laptop like a cat. Doesn’t help for client specific issues but it is consistent when surveying, which is important. Speed tests don’t really tell you much other than the speed you get on that one device where you are at the time.

# Feb 8, 2023 12:56

Partycat posted: If you have some cashish - https://www.amazon.com/NETSCOUT-AIRCHECK-G2-Wireless-Tester-Wi-Fi/dp/B079W6DHZZ

Oh man I wish lol, all great ideas for us to do at least something but yeah this brings me back to the days of listening to dialup customers using speed test sites to complain they are not getting that full 56k speeds they pay for.

# Feb 8, 2023 15:00