Changeover to Palo Alto Firewall

[Arnold Santos]

Hi guys,

Has anyone completed their changeover to N4L Palo Alto firewall already? I just wanted to know your experience and feedback. Thanks.

[Jonathan Churton]

We are in the same boat. Ours is scheduled for September.

On Thu, 17 Jul 2025 at 10:12, Arnold Santos <arnold...@arrowtown.school.nz> wrote:

Hi guys,

Has anyone completed their changeover to N4L Palo Alto firewall already? I just wanted to know your experience and feedback. Thanks.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/56a5d053-6112-4df2-ab00-fc038603cbfdn%40googlegroups.com.

--

Jonathan Churton

Senior ICT Systems Engineer

Lighting and Sound Engineer

Wellington High School

Work: 02825508921 or Ext 887

[Armand deVilliers]

I've gone through two schools with the changeover.  Been a real smooth process. Good supporting team at N4L with this project.

[Jeffrey Burke]

Good to hear, any local cache servers at either and any speed difference?

---

From: techies-f...@googlegroups.com <techies-f...@googlegroups.com> on behalf of Armand deVilliers <arm...@tepuke.school.nz>
Sent: Thursday, July 17, 2025 10:37:43 AM
To: Techies for schools <techies-f...@googlegroups.com>
Subject: [techies-for-schools] Re: Changeover to Palo Alto Firewall

 

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/872f21fa-8b20-4a20-9578-0738d3065434n%40googlegroups.com.

[Vern Dempster- Mahu]

Hi

Copying in my notes from a previous conversation about the change over

Since then we have found tela.co.nz blocked :-)  now unblocked

some more google gmail issues I am working on. 

previously whitelisted sites having to be re-whitelisted as we become aware of them which is annoying. I would have thought our whitelisted websites could have been carried over 

My Previous thoughts on the changeover

So we also have just completed the changeover in June. Here a a few things to think about for those still to have it happen

Once started it took a few mins for the pretest and brief 5-10 min outage while the changeover happened and a few minutes of the post test

However part of the post-testing conducted after the changeover to PaloAlto should have included a request for me to access an obscure website that I would not have visited before. 

This would have bypassed our local DNS and prevented access to the forwarded DNS, making the issue that all DNS requests were blocked by the PalAlto

This would only affect schools with a local DNS - if using N4L DNS then it is not an issue

Fixing the DNS issue took a short time once we reached the Tier 3 technician but that is another story

Also a Google issue appeared, where new lookups to GoogleClassroom would not work, while those with an existing connections continued to function. 

This was resolved by the Tier 3 technician quickly and efficiently and also needs to be part of the post test.

Additionally, check that all your  existing whitelisting has carried through e.g. Pinterest.

Also be aware of all services that rely on your external IP address as the IP address needs to be updated with the service provider

1. Adobe Shared Device: Permissions -> Egress IP

2. Herald: School Access to Premium Articles

3. Wheelers Login for the Library

4. Ancestry Classroom

5. Epic - Britannica

Ngā mihi nui

[Pete Mundy]

One of my schools migrated yesterday. I wasn't there but I visited them today and listened to the principal explain how it went.

They were expecting a 15 minute outage, but in the end internet was down just over 4 hours, phones were off all day, and school bells were off all day too. Phones (VoIP desk phones) are still unable to receive inbound calls this morning. They're having to divert to cell and do absentees manually.

Existing whitelist settings weren't migrated automatically.

Existing firewall bypass for certain outbound traffic wasn't migrated automatically.

Secure DNS (DoH) is now blocked.

VPN has been replaced with "Global Protect" software which is much more than VPN software (think more like global policy enforcement) so I'll be staying away from that and going back to pinholes.

Oh and the "CIE integration" work that occurred before migration date caused Wheelers to fail because N4L removed the Google cert Wheelers were relying on, and their new "security groups" in Google are all created as public (technician insisted!), meaning students can add themselves to the staff and remote_access group if they know how.

The principal felt it probably wasn't the smoothest migration, but he appreciates he doesn't have the experience of other schools to compare to.

Maybe this was smooth after all!

Pete

On Thu, 17 Jul 2025 at 10:12, Arnold Santos <arnold...@arrowtown.school.nz> wrote:

Hi guys,

Has anyone completed their changeover to N4L Palo Alto firewall already? I just wanted to know your experience and feedback. Thanks.

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/56a5d053-6112-4df2-ab00-fc038603cbfdn%40googlegroups.com.

[Matt Strickland]

We changed this Tuesday, but unfortunately for us 1 day after the Ruckus console was disabled...

A few things I planned:

Asked for the new public IP and I added this to our A records the night before (told staff remote access would be down that night, and students no kamar portal since the API connection would be broken)

I whitelisted that IP into our trusted zones in O365 (for MFA etc)

I temporarily added internal FQDN root DNS zones to redirect to internal IP's (vs using hairpins in the fortigate) so when that was powered off, everything internally still worked.

Made space in the cabinet, added some cage-nuts and power cord location etc...

Our phones are on a separate port on the ONT so no issues there, our bells via the fire system so no issue there either.

Issues so far:

I needed to update the client isolation whitelist for the new mac address for the firewall but couldn't do this. I had N4L change this but it still didn't work, devices connected to WiFi & radius auth worked, but no gateway. Only solution at the moment is to turn off isolation which has other issues, N4L still working on this one.

Some? Whitelists were not copied over - its like the allowed pre-defined from a category were, but specific URL's were not (this one I'm a little surprised about)

As for speed it was almost identical - 866/498  vs 881/492  but this was a spark<->2 degrees vs 2degrees<->2degrees test.

It was mostly smooth other than the timing of the Ruckus console removal, with some other strange issues during the holidays and WiFi, the EAP-TLS network randomly stopped working at 2am one day?

Matt

On Thursday, 17 July 2025 at 10:12:15 UTC+12 arnold...@arrowtown.school.nz wrote:

[Vern Dempster]

ditto

Very surprised this didn't happen. ridiculous we have to wait till someone cant access a whitelisted site before we can fix it sorry get it fixed

Ngā mihi nui

Vern

On 17 Jul 2025, at 2:56 PM, 'Matt Strickland' via Techies for schools <techies-f...@googlegroups.com> wrote:

Some? Whitelists were not copied over - its like the allowed pre-defined from a category were, but specific URL's were not (this one I'm a little surprised about)

[Arnold Santos]

I'm just trying to grasp the concept of why having a Super Admin account role in Google Workspace for that n4lcie account if you just sync the user/group to Palo Alto wherein such task can be done using user and group admin and service admin in particular? Not happy to just give such account unless there is necessary. Tried asking them but no luck.

[Matt Strickland]

Same goes for Global Admin on the O365 side, tho this now set as an eligible assignment and no longer active post setup, so will require another admins approval again to be activate that role.

Not sure if that breaks identity post setup now that the enterprise app is active, but we are not secure access either so won't know for some time.

I'm the only VPN user. Just need to sort out how to per-configure our internal DNS server.

Matt

[Pete Mundy]

A haiku:

I conceded admin!
But can't even get guest pass gen...
New reality.

Didn't even need AI :)

[te...@whs.ac.nz]

Just had our changeover in the holidays.

What a terrible experience, and i hope no one else has the same dramas we had. N4L has some serious improvements that are required for these installs, and general use of the system going forward. I dont think schools should be accepting this.

Very poor on initial contact (i.e. no contact from N4L). We had some initial contact from the installer company, and i raised my concerns with them around the lack of contact from N4L team, and lack of detail with regards to what was actually going to happen. I expressed clearly that i was concerned that the install would not go well.

We were asked the same questions as with other changes - do we havecameras, alarms and so on. Why is this not documented somewhere? - we have to provide it so often.

I was advised that our IP would change. We have many IPs though (provisioned through N4L, so again, why was this not documented), and it was not until i queried where those were, that we got some more IPs allocated to us.

We were Advised of a 2-4 hour install period

The technician arrived on time, but did not appear to have my contact details

We were advised to make DNS/IP changes before/during the install. We made the changes an hour before the install.

The technician was then unable to any pre- testing beyond a speed test as all our services were offline.

Issues were encountered from the get go. I was not kept informed and basically running blind. I believe firmware updates were required on the unit, and could not be applied.
We left the school at 6pm - with no internet access, no remote access. Effectively unoperational.

Our existing fibre connection was killed before the new system was operational, and there was no way for us to roll back

The next day i was advised the technician had another "complex" school to attend (25 students). We are a school of ~1450.

We had to wait again until 11am for a technician to come from wellington.

Eventually, we thought we had everything working except our VOIP phones. We had to call our VOIP provider onsite, and finally, at 4pm we were "operational".

Nearly 2 days worth of outage.

- Now, we have a new filtering system (that we cannot see or manage). Websites that were previously available are now blocked, and there is no block page shown to users, just a ERR_CONNECTION_RESET response from the browser.

- We utilise "Vivi" as our screen mirroring solution. This is STILL not working fully. The N4L engineer advises they enabled casting, but have as yet not fully resolved the issue.
- The new MyN4L portal is useless, im sorry to say. It doesnt do anything except allow a form submission to unblock websites, and some useless, read only, generic overview of the switches/APs

Im really struggling to understand how these systems are "better", when the reality is that they are becomnig more and more overengineered and complex, and seem to take no regard for the school having a working system that can be managed internally without the need for raising tickets with an external provider to manage BASIC things, such as web filtering. Schools need to know what is happening within their own networks, and frankly, this is useless.

For any new installs, these firewall units should be coming preconfigured to a basic working state, out of the box. They should have all firmware updates applied before arriving onsite

To top it off, we now have no access to our wireless system, or ability to make changes to switches through the VSZ until whatever issue is currently occuring is resolved (and again we have no information on that).

I had a hunch this install would go poorly for us, and unfortunately, maybe i sealed our own fate by having this belief.

What a frustrating experience.

Sean

[Guy Ellingham]

Can you elaborate on this Matt. It sounds like we're going to be asked to supply 365 Global Admin(!) access to N4L. Is that for a service account to discover users and group memberships? Setup only or ongoing? Are any assurances being given about who will have access to this account's credentials and the limits of what it will be used for?

[Jonathan Churton]

FYI: These articles do exist in regards to setup. The only other supporting documents that can be found in regards to how the integration is used by the firewall are regarding the GlobalProtect VPN and the SSO Auth

https://support.n4l.co.nz/s/article/User-directory-integration-CIE-integration-Office365-Entra-ID

https://support.n4l.co.nz/s/article/User-directory-integration-CIE-integration-Google

VPN Articles.

https://support.n4l.co.nz/s/article/Installing-GlobalProtect-App-Apple-Mac

https://support.n4l.co.nz/s/article/Installing-GlobalProtect-Client-Microsoft-Windows

Surprisingly there aren't mention of connecting on-site AD servers to CIE, or using User-ID

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/user-id-overview

Jonathan.

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/b5e52885-3ead-4581-8d61-564773284350n%40googlegroups.com.

[Adeel Soomro]

Sorry to hear of your experience Sean. It's important that we understand these issues with the upgrade so that we can help you and also ensure we do better in the future. Kent from our team will be in touch with you.

Regards,

Adeel Soomro

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/d134f776-233c-4d75-8132-34e805869f5bn%40googlegroups.com.

This email, including attachments, may contain information which is confidential or privileged material. If you are not the intended recipient, please notify us immediately and then delete this email from your system. Email communications are not secure and are not guaranteed by The Network for Learning to be free of unauthorised interference, error or virus. Anyone who communicates with us by email is taken to accept this risk. Anything in this email which does not relate to the official business of The Network for Learning is neither given nor endorsed by The Network for Learning.

[Adeel Soomro]

Hi all,

For those with upgrades coming up, or with questions around CIE integration, our engineering team will be reaching out to you individually as we near your migrations to clarify the details for you. 

We are also looking to add more detail re CIE integration to our FAQs on Support Hub soon.

Regards,

Adeel Soomro

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJQKwAX5ZE%2BpjpVqwx3X7Fa37mLwYceGAErcKaEn4Q1ATyG4Qw%40mail.gmail.com.

[Clayton Hubbard]

Hi Everyone,

As a senior leader at Network for Learning, I want to personally thank you for taking the time to provide your valuable feedback. Your insights are incredibly important and give us a huge opportunity to improve our processes and ensure we're meeting the needs of schools.

We know that implementing these changes is no small feat, it's a significant architectural shift, and our program is moving at a rapid pace to get schools onto the new security solution as quickly and safely as possible. Naturally, this has led to some challenges and bumps along the way, but please know that we're working diligently to address these and continuously improve as we move forward.

Again, I want to reiterate my sincere gratitude for your constructive feedback. It truly makes a huge difference, and I see it as a positive step toward our shared goals.

Thank you once again, and I hope you all have a wonderful weekend. We'll continue to do our utmost to improve the rollout.

Best regards,

Clayton Hubbard Head of Architecture The Network for Learning Ltd P 0800 LEARNING A Level 5, 8 Tangihua Street, Auckland Central, Auckland 1010 A PO Box 37118, Parnell, Auckland 1151

    

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAOLfa0%3DvMi1m6NXMxApTu4uW0xMh3DgME64ZpgUHR9cOSw8HBw%40mail.gmail.com.

[Mark Edwards]

Well no assurances and it's an external provider that will have the credentials ( I just create a new account then disable it afterwards)

Mark

[Mark Edwards]

This sounds like most of my experiences with N4L, unfortunately this is a massive moving train wreak that will stop for nothing and not listen schools unless the Principals start feeding back to the ministry about their experiences with N4L .... Centralized IT management for all schools is on the horizon.

[Arnold Santos]

Trying to grab the concept why having a Google Super Admin role under CIE integration if you're just syncing the users/group to Palo Alto, where user/group admin roles or service admin role will be sufficient to perform the task. Any thoughts on this?

[Armand deVilliers]

I’ve been through a couple of schools with the changeover.  Been real smooth.  Good team to support you through the day at N4L.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJQKwAXqLrAnarUcY2DOCSz966ru0i05ExN_afbnXwgrH0f7qw%40mail.gmail.com.

[Armand deVilliers]

no cache servers on our end anyway, but speed is same as the fortigate setup. 

[Arnold Santos]

Me again, I just wanted to share our experience to the changeover yesterday and some issues we've encountered. Pre-test goes well (as expected), once the changeover to the new router (Palo Alto), our wifi still up but most of the client can't connect, no IP address were being leased. Wired client is not affected. Client were using self-assigned IP address. DHCP service issues probably. We've used the router for all dhcp services on our vlan so this affect all wireless client. Issues pointed to the core switch (AT switch) and do a quick power cycle to fixed this. Took 1 1/2 hours to complete the whole work after the post-test. VPN remote user has to be added to work successfully. Early morning today, I've receive a call from a staff that our network is down! Need to be onsite and noticed the Palo Alto network ports doesn't have any activity. Called N4L first hand to escalate and check. ONT box is working fine. Need to power cycle the Palo Alto and there she goes... working again! Wonder if the core switch retain some ARP cache info.

[Vern Dempster- Mahu]

Hi

Whitelisting zoom. 

If your online learning students use zoom for their lessons, make sure N4L whitelists zoom for the student VLAN as It is 5 to 6 weeks on and an online student only alerted me this week that it wasn't available for them –not sure what our online students have been doing in the meantime .:-) 

We need a checklist that N4L asks at the time of changeover for the common things schools are already using to make sure this doesn't happen :-)

I think I have already listed the issues we had in our changeover that could have been avoided with an extensive checklist.

Ngā mihi nui

Vern

[Mark Edwards]

wow is all I can say, did anyone else feel like they were getting walked through a bank hacking session?

Way to go N4L you have out done yourself again securing your future with poorly planned, overcomplicated and unnecessary systems,  who's going to maintain these groups going forward? 

Principals are complaining about the internet\Wi-Fi issues afterwards, down time and poor communication and one has even ask if they can opt out of the CIE part 🤣🤣🤣....too late, that horse has bolted.

Some things to watch for are ACL\policies not being transitioned over from the fortigate, leaving services broken.

[Stephen Caustick]

My only question is, is it compulsory? Fortigate is being dropped completely.

I am not looking forward to this. I already regret moving to Secure Access.

Stephen Caustick

IT Technician

Hastings Boys' High School

(06) 8730365 ex 847

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/e1ad0b5f-2b7d-4384-9745-5d1542879ea5n%40googlegroups.com.

[Matt Strickland]

With the Fortigate's near end of order/end of new maintenance contracts I assume the SKU's also can't be renewed (from 13 October).

The switch to Palo Alto / 2Degrees probably came in at the best package; security vs cost.

Schools don't have to opt into Te Mana Tūhono but the $2.50 per student/year is very cheap just for the equipment you get, let alone licensing/support etc.

So I think its either all or nothing. The full package, Palo Alto, Hardware Upgrade, SA or opt out which would come at considerable cost.

Matt

[Pete Mundy]

(reference https://www.nzherald.co.nz/business/governments-giant-internet-security-upgrade-under-way-for-2500-schools/XNTJIKD5LZFFPHMG5VAHYEU2HU/ )

Also an interesting read:

https://www.stuff.co.nz/nz-news/350284113/no-merit-palo-alto-networks-insider-trading-allegations-sir-john-key-says

On Wed, 27 Aug 2025 at 18:06, 'Matt Strickland' via Techies for schools <techies-f...@googlegroups.com> wrote:

<snip>

[Sue Way]

We opted out of the Te Mana Tūhono as what I was seeing and the specs just gave me the shivers. Changing was going to put our network and Wifi infrastructure backwards.

We replaced our wired network a few years ago and it has warranty till 2032, 24 Hour RMA, due to the hardware I selected. Why would I got to a 3 year warranty. We don't have to wait to log a ticket if something goes wrong we just fix it. A network issue within the network is fixed before the period is finished. Anything Firewall I am not off the phone when the period finishes.

We still have the N4L Fortigate and have not been switched. We used to run our own and am seriously considering doing it again.

Sue Way | IT Services Director (she, her)

Te Kura Manawaroa o Pipitea | Wellington Girls' College

Pipitea Street, Thorndon, Wellington 6011  

[Mark Edwards]

Interesting Sue, I did wonder about your School....in the Far North principals find it hard to look past the "Free" sell (even though we can see it's costing millions for taxpayers).

It would be a hard sell to the management to change back to your own management of firewall considering all the N$L fearmongering that's going on plus also the "Free" internet service they provide.

As a taxpayer I find it frustrating but don't have any answers really, I just wish this over funded government owned company would communicate and fix issues within a targeted time frame rather than just trying to use the latest bleeding edge tech.

As a tech I'm constantly spending hours on a 10 minute job, rather than if I had the correct access or direct communication to someone I can understand or that knows\or has access to change things, hard to justify this to Schools when we have to bill them???

Kia pai tō rā

 

Mark Edwards

Need IT support? Check out what we offer 

IT Manager Far North Networks Far North New Zealand

M: 021 1252983 W:www.FarNorthNetworks.co.nz

--
You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/g0mcFch5MoQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/3b747134-af86-4a8e-b56d-8cf55a01e891n%40googlegroups.com.

[Sue Way]

HI Mark,

"As a tech I'm constantly spending hours on a 10 minute job" I am pretty sure most of the techs in this group have been stuck in the very same spot. I needed a website to work for a class recently and spent about 2 hours over 3 days with N4L help desk to get it sorted.. By the time  it was working the Class gave up and moved on, those teachable moments gone forever, not only frustrating for the techies but super frustrating for our students and teachers, the very people who the system is meant to work for.

I don't know where the answer lies. There are some amazingly capable Techs out there who are relegated to having to use level 1 help desk for simple tasks. Then there are the tasks a bit further up the scale of tecieness  where a techie would do it ourselves if we owned/controlled the hardware. There seems to be no middle ground. Even just to have enough access on the Firewall to create Reports would be super helpful.

Some schools have outsourced IT, others employ Technical Staff and others have a teacher who has interest in IT, All these require a different level of service but it seems we all have to go through the same gate. How to fix it? I have no idea. What does N4L do, no idea? We just have to go along with it because there is no option. It is one of those frustrating things of being tied in with the really really big organisation. 

Happy Friday everyone.

Sue Way | IT Services Director (she, her)

Te Kura Manawaroa o Pipitea | Wellington Girls' College

Pipitea Street, Thorndon, Wellington 6011 

[Brad Harris]

I agree 100% with these comments, N4L are just not very agile anymore, and I understand why this is, but they maybe need to have a back door for techs like us to get direct fixes or something, but there are operational issues with this in a large org...so im the same, not sure what the answer is, all I know is its hard when there's stuff to fix or open up etc.

You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/5ab45a3a-44fb-4d3c-8234-d0fef8d07834n%40googlegroups.com.

[Keith Craig]

A suggestion for the N4L people who are lurking on this list: Based on the comments here, would it be possible to have a register of schools who have either capable techs onsite or have contracted tech support and then these people have direct accss to Level 2 support and also more access to make changes to the firewall themselves? This could allow them to bypass the “is it powered on?” or "Have you tried turning off and on again?” type questions. The N4L staff answering the questions will know that the person they are talking to knows what they are talking about and has done the basic troubleshooting. Can save time and frustration from both sides.

regards

Keith

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAB%2Bxm4-JTr_z_VVRKm71rogbHck3VnHK3-sf76WkUc3XFYnZ6w%40mail.gmail.com.

[Simon Wright]

Being that N4L will have full control over the Palo Alto boxes as they are now essentially their own isp backed by 2degrees (this is my understanding) as opposed to the fortigates which are managed by Spark, I'd say they are in a better position to allow better access for us.

I can understand why they wouldn't just give access, as to maintain the integrity of their systems. N4L have obviously done a lot of work to standardise their setups, naming conventions, vlans, policies, etc.. So for someone outside the organisation to come in and start changing things, could wind up with a big mess. I'd like to think the vast majority of us are more than capable of making changes where needed without 'destroying' any previous work or overly compromising the system.

There would likely have to be a signed agreement between the school and N4L and/or third-party (MSP/tech support company) and N4L to allow this ability with possibly a financial penalty against the school or third-party if there was a major stuff up caused by the school or third-party that required hours of N4Ls time to rectify.

And yes to Keith's comment on direct level 2 support.

Just my 2 cents.

Simon.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CF4B028C-229B-43EB-96A9-5267AA8E90E8%40gmail.com.

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[Sid Kumar]

Hey everyone,

The N4L lurkers are listening. And honestly, thank you for the feedback.

We hear the frustration. Loud and clear. Spending hours on a ten-minute job is soul-destroying. We get it.

This firewall upgrade is a massive job. A bit like changing the tyres on a moving bus. Not one or two, but over 2500 of them!

We know we don’t get everything right. Sometimes we’ll nail it. Sometimes we’ll trip over our own feet.

This is where you come in.

Your specific, constructive feedback is gold. Ideas like a trusted techs register or better reporting access are exactly the kinds of things we want to hear.

General rants? Not so helpful. They might feel good to write, but they don't help us fix the real issues.

We have service commitments we need to honour, BUT are in agreement that qualified access for skilled admin is important to remove friction. 

Some things we'll be able to do. Some things we won't, for reasons of security or the sanity of our engineers. We also can't yet promise a timeline, but we are working on providing more functionality and access.

As mentioned earlier in the thread, the changes give us a lot more flexibility, which then makes way towards the flexibility you need.

Let's work on this together.

Thanks,

Sid Kumar


Head of Product

The Network for Learning Ltd

[Julian Davison]

I love this idea, but...from an organisational perspective there would need to be some kind of formal process for vetting and verifying people to gain access. This is where all those exciting letter qualifications come from (CCNA et al) as an attempt to demonstrate that the person in question can actually be trusted with access to change things that can tank the entire system.

Anyone who has spent real time in IT already knows that even those accreditations don't actually translate into real-world assurances, which makes giving access to external folk fraught and typically dropped into the Too Hard basket.

The only effective solutions I've seen in my travels have all been the old fashioned get-the-contact-details-of-a-useful-person-and-go-direct. Which invariably involves the useful person providing those details unofficially, as the organisation has carefully planned out how work gets to these more senior personnel - and it's never based on the callers opinion of the priority of their task.

Hopefully N4L will be amongst the first IT providers to officially support more direct access to more senior staff.

Failing that, and in the interim, if you get hold of someone further up the levels, ask how to get to them more directly. Sometimes the informal approach yields vastly better results than official channels.

J,

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9o_NCdP2h9shn3WEHU5UxrGgBbdsvN1t2wkg%2BmbawGfkg%40mail.gmail.com.

[Simon Wright]

Private discord or slack or whatever for level 2 access?

Do wonder about turning this techies group from a Google group to a discord....thoughts?

Regards,

Simon Wright

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAC8vjdxLyQeF1Zs9u5vM4SUaS4ShNab3VLH27CZf2qKrzo7MNw%40mail.gmail.com.

[Jono Hayes]

Slack? 

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9rrbe8wN6Uo6X9btCnHyGzcnEU5_K%3DYLiKePHXusgthuQ%40mail.gmail.com.

[Simon Wright]

Is that a what is slack or why slack?

What: https://zapier.com/blog/slack-vs-discord/

Why: Figure N4L may use it internally already, so having a channel for level 2 access for school techies and MSPs would be easy to implement. 

Regards,

Simon Wright

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/D3534BC3-01AF-49CE-929F-6FCC0D5A3E16%40me.com.

[Sid Kumar]

Hey everyone,

The N4L lurkers are listening. And honestly, thank you for the feedback.

We hear the frustration. Loud and clear. Spending hours on a ten-minute job is soul-destroying. We get it.

This firewall upgrade is a massive job. A bit like changing the tyres on a moving bus. Not one or two, but over 2500 of them!

We know we don’t get everything right. Sometimes we’ll nail it. Sometimes we’ll trip over our own feet.

This is where you come in.

Your specific, constructive feedback is gold. Ideas like a trusted techs register or better reporting access are exactly the kinds of things we want to hear.

General rants? Not so helpful. They might feel good to write, but they don't help us fix the real issues.

We have service commitments we need to honour, BUT are in agreement that qualified access for skilled admin is important to remove friction. 

Some things we'll be able to do. Some things we won't, for reasons of security or the sanity of our engineers. We also can't yet promise a timeline, but we are working on providing more functionality and access.

As mentioned earlier in the thread, the changes give us a lot more flexibility, which then makes way towards the flexibility you need.

Let's work on this together.

Thanks,

Sid Kumar Head of Product The Network for Learning Ltd

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9o_NCdP2h9shn3WEHU5UxrGgBbdsvN1t2wkg%2BmbawGfkg%40mail.gmail.com.

[d.keen...@gc.ac.nz]

Slack is alright to a point, but unless you're prepared to pay, the messages vanish after about 90 days or so, meaning lost knowledge + threading becomes a challenge.

Discord is a whole different beast altogether, although it retains the messages, they get so thoroughly buried, including threads (if used at all), that it's unwieldy.

Great for conference calls, presentations, file sharing and gaming, though.

At least in a group like this, if you perform a search, you will find the complete thread.  Also, if you read through the list, there are gems to be found.

Personally, I prefer forums, as they are fit for purpose, but unfortunately, bots and LLM scrapers have killed them off for the most part.

Regards,

David Keenleyside, BSc CS & IS, CTech

ITP Associate

EFF Member

ICT Technician

Glenfield College

PO Box 40176 (Kaipatiki Rd)

Glenfield, Auckland City 0629

Ph:       +64 9 444 9066 ext 677

DDI: +64 9 441 9779

Email:    d.keen...@gc.ac.nz

https://itp.nz/CTech/NZ160799

https://www.linkedin.com/in/david-keenleyside-626871/

The Three O’s of Backup: Online, Offline, Off-site.

The Three RA’s of Cloud: Run Anywhere, Run Anytime, Run Agnostic.

“When you're working as part of a team, one of the things to expect is that you should share information freely with your colleagues and that they'll share information freely with you.” - Google

[Julian Davison]

> Why: Figure N4L may use it internally already, so having a channel for level 2 access for school techies and MSPs would be easy to implement. 

fwiw this is the key, something that N4L are already using (if they use such a system - not everyone does) whatever that is. The easier it is for the people-who-are-hard-to-get-hold-of to access the better.

J,

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9oErbYd9W-R-9EqwGN63Lad8VCBmWoZ9k2ARDW%3DHpqrkw%40mail.gmail.com.

[lfr...@jameshargest.school.nz]

I Fully support the idea of Discord/Slack/Teams for communicating between school techies and N4L engineers.  It would actually be a game change IMO. As issues came up each person in the group can see what others are discussing and be aware of wider issues. The current approaches are just broken. We need to modernise and be more flexible. 

[Mark Edwards]

Sid,

We get it, you have a job to do driving this bus (you are actually changing the bus), but really what I'm saying is the lack of communication and competency has always been there and if anything is getting worse, if you want constructive feedback...how about getting more staff that are capable and enough to handle the requests, all the good ones seem to be flowing to the top and into management and become unavailable. I have been waiting 12 working days for a ticket and still haven't even talked to a level 2 tech....it's a frustrating joke.

Quote ""We're taking full ownership and direct control for the first time" - N4L CEO Larrie Moore" 

Kia pai tō rā

 

Mark Edwards

Need IT support? Check out what we offer 

IT Manager Far North Networks Far North New Zealand

M: 021 1252983 W:www.FarNorthNetworks.co.nz

This email, including attachments, may contain information which is confidential or privileged material. If you are not the intended recipient, please notify us immediately and then delete this email from your system. Email communications are not secure and are not guaranteed by The Network for Learning to be free of unauthorised interference, error or virus. Anyone who communicates with us by email is taken to accept this risk. Anything in this email which does not relate to the official business of The Network for Learning is neither given nor endorsed by The Network for Learning.

--

You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/g0mcFch5MoQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/6d3c0e5f-780a-4c6e-aef5-dd54094e6bc1n%40googlegroups.com.

[Pete Mundy]

This, +15 :(

I literally every single day have to chase to get answers to tickets regarding problems I used to be able to solve. It seems that the only realistic way to get things done is to sit on the phone and wait. Email support response timeframes are in the multiple days minimum.

For those with the access, here's an open example in which has had no progress in the 8 days since I phoned it in (40 mins on the phone to do so): 00676307

Incredibly frustrating, but I'm also starting to accept that it's the unavoidable new reality, and it's probably time for those of us with the capability to simply move on. It's a shame though... I really liked working in schools!

Pete

On Fri, 5 Sept 2025 at 08:18, Mark Edwards <ma...@farnorthnetworks.co.nz> wrote:

<snip>

[Rafal Janaszkiewicz]

There really does seem to be an issue with getting responses from level 2 engineers.  We have raised this many times with N4L and also MOE. Including just last week where we had no response for 2 weeks even when our ticket was logged for  critical errors on some of our switches. 

Sid, Can you advise what is being done to address this?

Also there are still lots of questions about the Palo Alto firewall project and how the service will look and work for schools. Does N4L intend to release more information to schools ICT engineers so we can all understand the new service better and know what we are in store for and how the new system works and looks. Maybe a webinar?

N4L is replacing a core piece of equipment in schools yet has provided very little information. Which is why alot of people are reaching out to this group to get more information. If schools need to reach out to this group to understand this project then N4L has failed to communicate the project properly. 

As an example it was a surprise to us that we won't change access including web filtering as this piece of information is not easy to find. (Hidden in FAQ drop downs)   

Another frustration is that the SLAs are hidden in the N4L annual report: https://www.n4l.co.nz/wp-content/uploads/2024/12/N4L-Annual-Report-2024-Final.pdf. Whenever SLAs are mentioned we get told that those are agreed between N4L and MOE. MOE has informed us that those SLAs are what schools should expect from N4L. 

Where I am getting to with this is can N4L please improve the communication regarding N4L services, products, and the support schools can expect. For example N4L has some amazing SLAs for hardware faults for Palo Alto firewalls but you can not find this information anywhere which is a real shame. It would be great if there was a place like MyN4L where we could get all this information and really understand the service, products, and SLAs for support. 

Regards,

Rafal Janaszkiewicz

ICT Manager

Wellington High School

E-mail: Rafal.Jan...@whs.school.nz

DDI: 028 2550 8784

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAJtKfy7_p7zg_K_dfaurgutz-XVu3JLXi3LpTLU8O7%3DuUJzfGg%40mail.gmail.com.

[Mark Fielding]

Hi Mark and Pete / all,

We apologise that the resolution of support tickets can cause frustration. Not an excuse, but for context, in the recent financial year we logged nearly 50,000 customer support cases raised from 2,500 schools. Our team works hard to try and close out tickets as quickly as possible, which are often escalated cross-business, but we can always do better to ensure no tickets fall through the cracks and become stuck in cycle.

Mark, apologies for the delay. My understanding is the team has been trying to contact you to find out more information about the live ticket you mentioned in the forum so they can resolve your issue. I’ve asked the engineer assigned to try and get in touch with you again. If there are any further delays experienced with making contact, please give us a call and let us know.

Pete, I apologise for the delay in resolving your most recent ticket, however I’m assured this is being expedited today based on your latest response to our team this morning.

Mark Fielding​​

Customer Support Manager

The Network for Learning Ltd

M +64 27 476 0118 P 0800 LEARNING
A Level 5, 8 Tangihua Street, Auckland Central, Auckland 1010
A PO Box 37118, Parnell, Auckland 1151