Fortigate nooooo

[Simon Wright]

Has anyone else's fortigate just carked it this evening? 

Just about to go home and the internet died.

Fortigate has a power led and the 3 leads up by the logo, but no lights on the network connections. 

No connection to the ont.

Have power cycled it but no change.

Of course help desk is closed, but have sent an email.

It's going to be a fun morning, especially being we have open night tomorrow. 

Simon.

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[Clayton Hubbard]

Escalated, so let’s see if we can get that online soon. Ops teams will pick it up and be in contact.

Regards,

Clayton Hubbard
Head of Architecture

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9qi78jiZkVqAEgWZdsz2j6FFj7hok5jz-sD%3DhC3QKrNkQ%40mail.gmail.com.

This email, including attachments, may contain information which is confidential or privileged material. If you are not the intended recipient, please notify us immediately and then delete this email from your system. Email communications are not secure and are not guaranteed by The Network for Learning to be free of unauthorised interference, error or virus. Anyone who communicates with us by email is taken to accept this risk. Anything in this email which does not relate to the official business of The Network for Learning is neither given nor endorsed by The Network for Learning.

[Simon Wright]

My bad....

"This maintenance will be carried out between 5pm and 11:59pm on 22/07 and we expect there to be an internet outage of 1 hour during this timeframe."

Should have added that to the calendar. 

Regards,

Simon Wright

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJAn3VYttL1oy_L6%2BzKeEg6ECREDBk1y2UTiCSUOp3SizR-GSg%40mail.gmail.com.

[Sue Way]

One of those heart stopping moments when stuff breaks.

Nice that it was just scheduled  maintenance.

Sue Way

[Simon Wright]

Not really,  because I didn't put it in my calendar I had forgot all about it, so ~15min after it went down i restarted the fortigate during the upgrade process....

As it's also doing our vlans, we have nothing today.

Setup a temp 4g router in admin area and patch reception phone into it. So admin have internet and can take a call.

We have a spark (intra?) engineer onsite connected in, they maybe able to get it going but I believe they are also sending a replacement from akl. 

Not a fun day, not fun at all.

Regards,

Simon Wright

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/5d36f914-84b8-457a-80b1-c900233c820fn%40googlegroups.com.

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[Craig Knights]

oh no, that's REALLY not fun.
CJK

> To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9qANavY4vfCU-hW4UJodkoD_jOovoEyMLMvGdpGzmw0hA%40mail.gmail.com.

[Simon Wright]

So we got back up around 9.30am but it fell over again just after 11, tech came back onsite and we are back up again....

While we are up and running, there is something fundamentally wrong with the device and we are getting sent a replacement. So it might be here tomorrow or more likely Friday.

On the phone with N4L to get the APs back online...

It wasn't my fault in the end, there were 46 schools updated last night and two of them failed, mine and one in Tauranga. Both had the same issue.

I'm going to be requesting an HA unit when we switch over to the Palo Alto box. It's a too big of a single point of failure having both internet firewall and core networking all on one box.

Regards,

Simon Wright

[Sue Way]

Goodluck on getting  an HA unit...

Back in the day when we used empty baked bean cans and string HA was much more simple.

I hope the interwebs are back up and running soon.

Regards

Sue Way

[Simon Wright]

Yeah, it's essentially just another unit PA-1410. N4L only allocate 1, so i know we are going to have to pay for it.

We aren't due for upgrade till March from what i've been told and they won't do HA at the time.

I've asked for a rough estimate on costs just so I can weigh things up and if affordable, put it in the budget for next year.

I can live without an HA as long as there is a spare held locally (Dunedin). Ideally there should be spare(s) held in all major regions, so down times aren't days but hours.

We are back up, just awaiting the arrival of the replacement unit. The APs took far too long to come back online.

Regards,

Simon Wright

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/7d11504f-7d7d-4be9-af6f-d18bc80e9a00n%40googlegroups.com.

[Rafal Janaszkiewicz]

I asked N4L about the hardware SLAs for Palo Alto.

Question - What are the hardware SLAs? If we have a fault with the firewall what can we expect in terms of support or replacement if required?

N4L Answer - For hardware fault/RMA, our target SLA is 8 support hours (8am-5pm Mon-Fri). We have spares housed in 8 locations across New Zealand, including Wellington, and on call field services support to deliver and install replacement hardware.

That might influence your decision around getting a second unit for HA.

Regards,

 

Rafal Janaszkiewicz

ICT Manager

Wellington High School

E-mail: Rafal.Jan...@whs.school.nz

DDI: 028 2550 8784

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9qpqdz%2BRZemBTD1FyZ81M19h0C_xmyBxkb1GmeNSsxqZQ%40mail.gmail.com.

[lfr...@jameshargest.school.nz]

Hi All

You don't have to have all of your L3 on the firewall. For onsite services it doesnt make a lot of sense to route everything to the firewall and back again. For majority egress traffic eg BYOD or VOIP it makes complete sense. 

However staff devices access local kamar it makes more sense to do L3 on the core switch. Not to mention the bottleneck this creates between core <> firewall. 

I have sucessfully negoiated this with N4L and they have agreed. We're doing L3 on our core for some services and some on the firewall. 

I agree we really do need two firewall devices in HA though. A starlink backup route would be nice too!

its hard to believe N4L are still using 1gb links in 2025.

[Simon Wright]

Thanks for the info Rafal and Landyn.

Yes, it maybe worth having the staff, server, printer networks routing on the core switch stack.

That was the big thing, not having access to kamar or printing. 

Regards,

Simon Wright

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/23039200-9347-4409-923f-306426fc8d87n%40googlegroups.com.

[Pete Mundy]

Just make sure you get DHCP migrated to the core too (or elsewhere)! It's not much use having working inter-VLAN routing if the nodes all lose their addresses :)

Pete

[Simon Wright]

Haha, true!

Regards,

Simon Wright

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJtKfy5xYwfcQCpzOTTAahYFbrQ%2BH8kfrrcTQpxzLZrXoB_Xzw%40mail.gmail.com.

[Jeffrey B]

Thanks for the update on that, will have to look into it as speed for my moved schools with local gear has been awful through the firewall. Will begin negotiations to get it moved.  Hopefully its quicker than the month and a half it took to upgrade the single gigabit link from the fortigate to a lacp trunk.

---

From: 'lfr...@jameshargest.school.nz' via Techies for schools <techies-f...@googlegroups.com>
Sent: Thursday, July 24, 2025 9:51:40 AM
To: Techies for schools <techies-f...@googlegroups.com>
Subject: Re: [techies-for-schools] Fortigate nooooo

 

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/23039200-9347-4409-923f-306426fc8d87n%40googlegroups.com.

[Matt Strickland]

We haven't had equipment replacement yet, but is there a L3 core in all designs? (or only large schools?)

I just had a feeling for our upgrade next year everything was replaced with L2 and all L3 only in the firewall which doesn't make sense for the bulk of internal traffic. (Maybe in 5+ years with little/no services on site) There's no redundant PSU in our PA either. I've only lost one switch PSU in 10+ years however.

Matt

[Pete Mundy]

The latest one I've seen is 7150 switches across the board and I'm pretty sure all of those can do base layer-III. But whether it's wirespeed is another story; I couldn't see anything conclusive in the datasheet:

https://webresources.commscope.com/download/assets/Ruckus+ICX+7150+Switch+Data+Sheet/b013d23e3bd511f0a7293e67199c332c

[Simon Wright]

Our central stack consists of 7150 switches, two 48ZP (fibre aggregation), and one 48P.

Believe the ZP's should be more than capable...

Regards,

Simon Wright

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJtKfy6MHUPzRx_wNdzP9A56n3qhL4%2BZ7_P0Z4QmOctX9xEyPg%40mail.gmail.com.

[Dion McGovern-Allen]

I know I'm late to the party on this.

Yep its interesting the choice of using a firewall as a router.
Yes it can do it but primarily its job is to be the wall of defense screening traffic for all those gremlins that hide in them.
As you say, having the core switch do it means that the local network can stay functional in times of outage!

It also means that it chokes the bandwidth between our server VLAN and the rest of the VLANs at the school.
10Gbit connections to the hosts doesn't mean much when it goes via a 1Gbit connection!
Especially when the internet is also 1Gbit and has to share!
At least now after the equipment replacement, its now a 2Gbit aggregate connection!

With a bit of luck N4L won't be too far away from getting Spark to replace the ONTs with the Nokia Hyperfibre ones.
I've got a 2Gbit connection at home for $130 a month!

I assume that the Palo Alto replacement will have at least the capability of 10Gbit via an SFP+ or 10Gbit Ethernet port!
I wonder if there are any remaining equipment replacement schools remaining.
Would have been great to break into 6E and have that 6GHz network band opened up for users.
Will just have to wait for Wifi 7/8!

Off-topic, I wonder how many schools are blocking cellphone connections to WiFi as a result of that National policy banning cellphones!


Thanks,
Dion McGovern-Allen.

[Jonathan Churton]

2 Cents, 

We are using our Fortigate (soon to be P/A) for all inter-vlan traffic + firewalling (Dual 10SPF+ Uplinks to the core). We happily push 10Gbps+ through it all day internally, Imaging + App Deployment, etc. We did have to turn off the NP6 co-processor to do this. Attacks from within the network can be just as prevalent as from outside so servers are isolated from other traffic, and end devices are broken up into 6+ firewalled VLANs depending on their connection method and if they are managed by us.

We blocking cell phones on the WIFI. Originally this was via Freeradius + NPS (MSCHAPv2), using AD as a database for MAC addresses. I have built code to routinely pull data from Ruckus to detect users, device types, MAC's and store this in AD. This allowed me to also set up permanent and time-based exceptions based on a Google Form that Teachers can submit. We have substituted Freeradius for DHCP Deny Filters which are a lot more reliable and slow down the phone from disconnecting and reconnecting every 2 seconds. Everything else is the same. We even manage to detect phones that are hot-spoted through laptops to the school WIFI, and block their laptops as a consequence.

On a side note for anyone getting 2Gbps Hyper-Fibre. The ONT does not have any wall mountable hardware. There is a version that does, but that's for "Business / Priority Users". Schools are considered "Small Business" ¯\_(ツ)_/¯

Have fun 3D Printing a bracket.

Jonathan.

 

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/8636b2b3-b9f8-4e92-8538-88b2aadc164en%40googlegroups.com.

--

Jonathan Churton

Senior ICT Systems Engineer

Lighting and Sound Engineer

Wellington High School

Work: 02825508921 or Ext 887

[Simon Wright]

Yeah, when we got hyperfibre installed at our hostel, was surprised buy the giant nokia ONT and that it wasn't wall mountable.

Oddly enough, i never gave it much thought about the connection from the fortigate to the network...we have a 2x port lag. Things are pretty quick, i never really had much to complain about in terms of speed.

When we switch over to Palo Alto, I might enquire about doing a 10g DAC to the switch stack (maybe 2), coz why not.

Regards,

Simon Wright

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJQKwAWemvZFHWyUcYc-%2BW3WTOZnQTYj1MK3tO99EPa2MdzpTQ%40mail.gmail.com.