|
Anyone deploying Versa? So far liking it a lot.
|
# ¿ Sep 24, 2021 22:36 |
|
|
# ¿ May 6, 2024 09:25 |
|
Seems very capable so far but very geared towards ISP/Telco/MSP space. Very complicated deployment but ticks what feels like every box, if you can work out how to get a configuration deployed. We're in PoC phase for some customers and replacing leased lines with it where it makes sense.
|
# ¿ Oct 12, 2021 14:23 |
|
If you got meraki in your network I feel bad for you son, I got 99 problems but meraki ain't one.
|
# ¿ Nov 12, 2021 04:13 |
|
GreenNight posted: Or just put in 2 PSUs and save a lot of work setting up HA and buying a second firewall.

And sell less firewalls and licenses? No... I don't think we'll be doing that.
|
# ¿ Dec 13, 2021 23:13 |
|
On another note our Versa roll-out is going fairly well but multitenancy is a mindfuck in terms of configuring different elements in the right one. Also documentation is kinda poor and often you get better answers from the Juniper docs.
|
# ¿ Dec 14, 2021 00:25 |
|
I think Mikrotik supports wireguard if that's an option at the remote sites? If the SRXs are already in place then I dunno.
|
# ¿ Jan 26, 2022 01:14 |
|
The big vendors will be the last to implement wireguard support and it'll probably be not supported on old gear. I just run wireguard on Linux behind a Fortigate myself but this is kind of the reverse of what you want.
|
# ¿ Jan 26, 2022 01:34 |
|
Along the same line, are you sure they're routing the fw subnet to the isr address .50 or did they provide two /30s for redundant equipment attached to the NTE?
|
# ¿ May 25, 2022 13:29 |
|
Why would your router relay DHCP messages like that? It should only be configured to relay from your DHCP server and nothing else, right?
|
# ¿ Jan 7, 2023 13:05 |
|
My favourite meraki shitness was their routers didn't support vlan subinterfaces for WAN interfaces, dunno if they ever added that but ended up having to add switches in front of them to get it working a long time ago.
|
# ¿ Jan 11, 2024 00:14 |
|
falz posted: It's fortigate (firewall) 600e/1000d/etc.

You quoted from the FMG/FAZ manual not FGT.
|
# ¿ Jan 28, 2024 22:47 |
|
It's probably not enterprise enough or too janky but for lab access I use Apache Guacamole to sit in between the RDP hosts and the clients which provides a separate auth mechanism so your end users aren't directly logging in with RDP credentials, and use users/groups to control what RDP hosts they have access to. Guacamole will use internally known credentials to automatically log into the chosen RDP host. This runs in a browser, so you still need the FortiVPN client to connect via the Fortigate (IPSEC/SSL mode doesn't really matter much), and then firewall down access to only the Guacamole web interface. I guess the other benefit is they can have a browser bookmark to gain access once they're on the VPN and you could stick Guacamole in some kind of DMZ to further limit access where it can only hit the RDP hosts via the Forti firewall as well. Downside is you need a server to run Guac on. It's kind of a poor man's half-assed secure remote access setup.
|
# ¿ Mar 29, 2024 03:02 |
|
Comedy answer: just expose guacamole to the internet. It's a rabbit hole you can go down into reverse proxies, SSL certs and some kind of SSO but I'd say a dialup client is still the simplest method. I think FortiWeb or whatever it's called does all this if you wanted to stick to a vendor solution.
|
# ¿ Mar 29, 2024 05:42 |