Recent posts

#31
Information/Announcements / Re: OUTAGE REPORTS
Last post by deanwebb - June 26, 2024, 10:57:56 AM
SSL cert issue resolved.
By jing, that was lickety-split quick!  :smug:
#32
Information/Announcements / Re: OUTAGE REPORTS
Last post by deanwebb - June 26, 2024, 08:59:12 AM
SSL Cert expired on 23 June and it should have been 23 August. Contacted support regarding the issue, should get a new cert soon.
#33
Routing and Switching / Spine/Leaf for the Enterprise
Last post by deanwebb - June 24, 2024, 09:21:15 PM
Had a discussion about the suitability of spine/leaf for enterprise networks and I was surprised to see there being actual vendors with products for wall-to-wall spine/leaf. Others tend to emphasize traditional switching for environments outside the data center, so I'm wondering... does spine/leaf make sense outside the data center?

And there are security concerns for all the products that need to do full packet capture and deep packet inspection... how would they accomplish that in a full mesh environment?
#34
Security / Re: NAC VDI inspection issues
Last post by deanwebb - June 21, 2024, 10:01:05 AM
SSH keys are awesome, best way to manage Linux boxes.

As for tuning the behavior, no... best I've had is to either disable the feature or get it to where it works 100%, clean and smooth.

This is why I also insist on as few AD accounts in the HPS as possible. Having multiple accounts means all of them get tried when one doesn't work, and the AD servers can get swamped with requests in a short period of time if there are enough accounts and one of the domain's controllers is offline. Needs to be a large deployment for that to hit a critical mass, but it can and will. Go with a single, top-level domain account so that when it fails, it fails just the once and there are no other accounts to try. Much preferable to trying 10 (!) accounts that *all* fail over nearly 100K Windows boxes.
#35
Routing and Switching / Re: Switches incorrectly loadi...
Last post by deanwebb - June 21, 2024, 09:39:48 AM
Indeed. I just have to be careful not to ask the question here before I look for an answer, as one of the top search results will be my post asking the question here.  :smug:
#36
Routing and Switching / Re: Switches incorrectly loadi...
Last post by config t - June 20, 2024, 05:40:56 PM
I love it when a thread from the forum(s) helps me fix a problem
#37
Security / Re: NAC VDI inspection issues
Last post by config t - June 20, 2024, 05:40:01 PM
I'm moving the current customer to that state, although the latest best practice I read for Linux recommended SSH keys.

Btw used that analogy today and the previous lead got a kick out of it. I'm going to start doing that in meetings.

Is there a way to tune that behavior? There has to be a configuration file somewhere buried in the directory where the retries are set.
#38
Security / Re: NAC VDI inspection issues
Last post by deanwebb - June 19, 2024, 07:44:58 AM
I know customers that are 100% agent and 0% agentless because they don't want *any* extra accounts knocking on doors, an architecture I can respect.
#39
Security / Re: NAC VDI inspection issues
Last post by config t - June 18, 2024, 03:48:13 PM
I'm stealing that analogy.

We pushed the agent to a few test machines  :smug:

So far it looks promising and gives me ammo for moving it to production quickly.
#40
Security / Re: NAC VDI inspection issues
Last post by deanwebb - June 16, 2024, 08:28:02 AM
Yes, Forescout will hammer with retries. Like a golden retriever going at Venetian blinds after you step out to get the mail because he is the bestest boy and KNOWS that if he keeps tearing down the blinds (and the furniture next), you eventually WILL come back through the door.

This is why I like the agent better.  :smug: