So, let’s assume that you are in an international company and the first and only security person. What are your first steps and projects? It is like really vague, but I’d assume like a SIEM, inventory of the network and all devices, backup situation, maybe even honeypots?

What are your high-prio things that every company should have? Is there even a framework for it?

Feeling kinda lost and I hope you get some guidance in the right direction.

Testing a few CTF platforms to learn more about pentesting. It is interesting, but the learning curve is quite steep.

Same here

Currently using HedgeDoc for taking notes, but it is lacking some features, so I am trying to find and host some alternatives and compare them. And I hope I can find some time to play with my Flipper Zero…

Does fortigate not have a form of DMVPN like Cisco?

ADVPN (Auto-discovery VPN) seems to be the equivalent. https://docs.fortinet.com/document/fortimanager/7.2.0/single-datacenter-for-enterprise/282533/advpn

Just curious why ISP/third party MPLS? Purely interest.

I guess it was easier at some point? - Taht was way before my time there. But we are going to replace the MPLS part with simple internet-breakout points on location and the the rest with SDWAN.

Also, did you find this purely from user complaining or have monitoring tool?

Purely from users complaining and other departments getting frustrated about why their stuff was not working (e.g. Citrix). The new FW had to be installed in a short time and ‘everything’ worked fine at first. Problems only occurred after some load was put on the network. We failed - as in network dep - by NOT doing a stress/limit test of the network and finding this problem immediately, and NOT implementing some kind of monitoring that would have notified us of all those lost packets and connections. We caught up, but we should have done it in the first place, because it is necessary.

I’m assuming using third party was supposed to offload the work/config from you?

Do you mean the ISP/MPLS provider? - If so, not really.

I want to get into Ansible and I am building a testing env for it - home lab with various switches and routers, Fortinet, Palo, and a proxmox host server and some remote VPS. One of my goals for Q1 '24. Today I am going to prep the switches.

Besides that, I want to host my own NFTY server and I hope that I can get it online within this week.

I am currently transitioning into a Security role at work. One question would be: what are the must-have tools for every blue team?

• Vuln-Scanner
• Logging/ SIEM-Server
• …

Learning things about Wireguard and implement it to secure my internet facing servers.

Yeah, after more testing, we can say that the second IPStunnel was the issue. Re-worked the route over a single tunnel and the whole 100 Mbps are available again. Users are happy, I am happy. Even tho a little bit frustrating.

Thank you for your input!

Ping - Update 2 @Avian_Carrier@infosec.pub @jharrison@infosec.pub @SgtKetchup@infosec.pub

Ping - Update 3 @Avian_Carrier@infosec.pub @jharrison@infosec.pub @SgtKetchup@infosec.pub

Yeah, notifications are really unreliable here. I’ve got another window for more stress test today. Going to post update later, or tomorrow. Focus on MTU/MSS

Ping - Update 2 @Avian_Carrier@infosec.pub @jharrison@infosec.pub @SgtKetchup@infosec.pub

I hope it is ok to ping you.

Not sure on the logging. I’m a data center guy and would rather see firewalls in the trash lol. They usually just cause problems.

Haha - I’d like to disagree, but you are right.

For the WAN, surely there is some way you can reach those sites over the general internet. You have ISP connections.

I for sure could do it, but it is not that easy to expose a server to the internet. There would be multiple departments involved and I need to get permission. And yeah, even with IP whitelisting. I guess that will be my last resort.

Still waiting for the test clients. Probably going to shift some hours into the weekend so I don’t disturb daily business.

No worries, thank you for your input!

4. what logging/debugging would you activate for that case? - Not too familiar with Fortigate yet and would appreciate some tipps, IF you are familiar with those.
5. the IPSec tunnel is the only connection between these locations so it is rather difficult. But I get what you mean and check if there is another option.

Good points!

You are right. Still an active policy that we have to work on.

I am certain that we block ICMP on multiple FW in between. I could allow it temporary and check. Good suggestion.