Howtos

My Journey to IPv6: Part 3 – Outbound Firewall

Three is the magic number In parts 1 and 2 we discussed IPv6 addressing, and connection basics then configured a Fortigate to grab a DHCPv6 PD prefix and distribute it with SLAAC to clients on the inside network. In this episode I will go over the Fortigate firewall and security policy configuration to get your IPv6 traffic out to the Internet. The illusion of control In part 1 I discussed how router advertisements are sent…

Continue reading

Howtos

My Journey to IPv6: Part 2 – Fortigate Address Configuration

How did we get here? In part 1 of this series I covered some basics about how IPv6 addresses are distributed. In summary we use DHCPv6 PD to find out from an ISP what prefix should be placed on our clients. After that a combination of SLAAC and DHCPv6 result in one (or more) IP address and DNS server combo that gives a client IPv6 connectivity. As mentioned in the first article I have Verizon…

Continue reading

Tips

My Journey to IPv6: Part 1 – IPv6 Basics

Background I’ve been an IT infrastructure engineer for more than 20 years. Cut my teeth in the early days of campus L3 switching. I was lucky enough to have one of my first jobs at a public educational institution that owned a PI Class-B. Those were heady days. Like so many others out there, I looked at IPv6 as something I could hopefully avoid until retirement. The inability to reel off an entire IP subnetting…

Continue reading

Howtos Tips

Azure AD Conditional Access Standard

Based on the excellent work in this blog article I implemented a standard for conditional access that we plan to use across clients. It attempts to balance the security lock down with breaking as few things as possible. You need to create and populate the following groups CA-Excluded No Conditional Access rules applied to members CA-Service Accounts Can only authenticate from trusted IP named locations CA-International Users Users who can connect from pre-defined trusted countries…

Continue reading

Howtos

Creating a Secure Boot UEFI compatible Windows USB Key

Background Creating a USB bootable Windows key with Rufus results in a system that can’t startup with Secure Boot which is required for proper BitLocker activation. UEFI/Secure Boot USB sticks must be FAT32 not NTFS formatted. FAT32 volumes have a limit of 32GB. You must partition the device with a volume smaller than 32GB to proceed. FAT32 volumes have a file size limit of 4GB. One of the Windows installer files is over 4GB and…

Continue reading