Threat ID - 37144: Question or insight about Microsoft practices with not hardening against POODLE. Why am I still getting alerts for these vulnerabilities? Is it because I don't have a proper SSL forward proxy enabled yet? Or is it because my Office 365 tenancy is hosted out of the UK, which is often five steps backwards in ramping up and fixing vulns? I have been outside the sysadmin Wintel space for nearly a decade; is there a tenant setting that my team's operators can use to ensure crypto at the TLS level is greater than 1.0? Maybe it's that way since TLS 1.0 is very popular in terms of the footprint of devices in that region of the world, who knows. Thoughts? I mean really, CVE-2014-8730 since 2014.
I wanted to get a consensus from the community: how do you design the firewall architecture to procure updates on the hourly or quarter-hourly frequency necessitated by next-gen firewalls? Do you deploy a bastion host which Panorama can reach out to, get the updates from, and trickle them down on a schedule? Do you provide in-dataplane (edge firewall) upgrade capabilities through security rules for the firewalls, as well as letting Panorama assist? Personally I rely on both, as I have had several issues with Panorama syncing or losing connection with adopted managed devices in device groups.
Sorry for not getting back. We ended up putting static routes to next-hop VR XYZ, until we decide whether to go down the BGP option or OSPF with loopback (port to port) on the PA in different VRs.
I have an issue where we have multiple VRs in place: 1) default and 2) a VR that is utilized for DMZ and untrust routes.
Both VRs share a common zone name, "public" for example.
I have issues routing where, for instance, I have my internal network segments in the VRs' FIBs and my routed networks fail to return through the correct interfaces.
I have a need for select internal subnets, both RFC 1918 and public routed ranges, reaching into the DMZ to administer a server.
The security policy logic is in place and sound: transit zone VR default > public zone (VR Untrust/DMZ) with applications ssh, ssh-tunnel.
This DMZ server also has restricted subnets from the Public zone to allow Untrust traffic to the server.
Issue: my server works from the untrust perspective; however, if my more trusted zones access the server in the DMZ, I don't get traffic there.
The server is virtualized; we got it to route properly once we added a second vNIC to the host server and had the server administrator add static routes pointing out a different gateway which lies in the VR default.
I am hoping, as we build and scale these network edge / DMZ services over the internet, that we don't have to apply host routing and can allow OSPF to take place and advertise into both respective virtual routers.
Still working with TAC on this.
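Added example, not from the original posts: the firewall-side form of the inter-VR static route workaround the poster mentions (static routes to the next-hop VR), as PAN-OS CLI set commands. The VR names `default` and `DMZ`, the internal prefix 10.10.0.0/16, the DMZ server subnet 10.50.0.0/24, the route names and the test address are hypothetical placeholders. The point is that both directions need a route: the `default` VR hands traffic for the DMZ subnet to the `DMZ` VR, and the `DMZ` VR has a matching return route for the internal prefix back to `default`. Without that return route, replies from the DMZ VR follow its own default route toward untrust rather than the interface that carried the request, which is the situation host routes on the server were papering over.

```panos
configure
set network virtual-router default routing-table ip static-route to-dmz-server destination 10.50.0.0/24 nexthop next-vr DMZ metric 10
set network virtual-router DMZ routing-table ip static-route to-internal destination 10.10.0.0/16 nexthop next-vr default metric 10
commit
exit
show routing route virtual-router DMZ
test routing fib-lookup virtual-router default ip 10.50.0.10
test routing fib-lookup virtual-router DMZ ip 10.10.20.5
```

The two `test routing fib-lookup` lines confirm that each VR resolves the other side's prefix to the next-vr route rather than to its default route. Only the specific prefixes are leaked between the VRs, so each VR keeps its own default route and the untrust path is unchanged; the DMZ server can then keep a single vNIC with its gateway on the DMZ VR interface. The security policy between the zones still has to permit the traffic, as the original post already has in place.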