Simply put, what the title says.

The network is based on a centralized location and a bunch of satellite locations around the world. These satellite locations connect to the centralized location via IPSec VPN so we can service the production systems.

In the past these have been based on Fortigate 101 (D for the older ones, E for the newer ones), as well as Aruba 2930m switches, and for the most part this worked well. The only issue is that this was hard to manage on a large scale.

To make it more manageable we moved over to a setup around Cisco Meraki. MX85 as routers and MS225 as switches. This mane the management a lot easier, but with some significant drawbacks:

  • ONLY cloud managed
  • On our satellite locations the bandwith is often low or completely gone. Meraki don’t like this at all.
  • Our satellite locations are mostly onboard ships, and Meraki s8mply doesn’t handle the harsh operating environment as well as Fortigate+Aruba
  • Meraki doesn’t provide a whole lot of info as to why when it is unable to connect to its cloud platform. It’s pretty adaptive and tries a lot of configurations before it gives up, but in some cases it’d be nice to be able to set it up according to the wan connection available. Some sort of local diagnostics would be nice.

So, any recommendations for hardware that is:

  • Cloud managed
  • Allows local configuration when cloud is unreachable
  • Durable
  • Preferably with load balancing between up to four Wans
  • Your Huckleberry@lemmy.world
    5·
    1 year ago

    Palo Alto would do what you want. PA410 or 420 would probably do for your ships. They’re not at all rated for harsh conditions, but they’re about as robust as you’ll find for basic network gear. If you get a PA for the home office as well, you can use their SDWAN for connecting everything.

    For switching…how many ports do you need on each ship? I’m using Unifi industrial switches in our manufacturing plants. They stand up to the Texas summers in a highly alkaline environment. They’re only ten ports though (8 poe).

    • vettnerk@lemmy.mlOP
      2·
      1 year ago

      In the same rack as the router we usually have two 48P PoE switches in a stack8ng configuration. Depending on the scale of the setup, we often have the same type of switches elsewhere, trunked in via 10gig fber. On rare occasions we have a bunch of extra fibers for which we use Aruba 3810 with only SFP ports.

      We also have 100gig in use, but that’s only for a few closed off networks between the servers, with its dedicated Mellanox switch. While they do connect to the 10gig network via a breakout cable, the 100gig bandwidth is only needed internally in the cluster.

  • slazer2au@lemmy.world
    2·
    1 year ago

    Honestly, why not do fortiswitch with your FortiGates? Using the fortilink feature fortiswitchs can be managed from the FortiGate

    In addition if you get the fortigate cloud license you are then able to use the FortiCare portal to manage the device and can still login locally to make changes. Do not get the fortimanager cloud that is a seperate offering you do not want in this case as local changes will mess with things

  • Snowplow8861@lemmus.orgEnglish
    2·
    1 year ago

    I’m just suggesting, but as a MSP we generally go Fortigates managed with fortimanager. That is, hundreds of Fortigates managed in customer specific administrative domains.

    I use a combination of device manager, policy manager, and vpn manager to automate deployment of the underlay sdwan (ha Internet with priority rules) , then add templated vpn tunnels. So adopting another Fortigate is basically, add it to fortimanager, add the device settings, add the vpn policy, add the firewall policy. You can direct cli to the Fortigates from fortimanager if you need to. This is the only way I can consider getting like hundreds of vpns managed…

    Additionally, for compliance and security your may add as required storage and fortianalyzer licensing which means all traffic logs can be stored to your fortimanager.

    Fortimanager also manages fortinet switches and aps if there’s a Fortigate on that site. Personally though we often use Aruba InstantON or instead ubiquiti switches and APs for small clients.

    I can recommend this since it makes sense administratively, but it’s not cheap, it’s overall cheaper than Meraki but you must keep licenses on many parts at once. I like the security features and by centralising the policies and policy objects to fortimanager, you only generally update an object, say a new application or new port once, and install it everywhere. Dynamic objects allow it to use the same rule but translated to the individual devices.

    Fortimanager isn’t easy though. It’s very powerful and doesn’t hold much back. So you can feel overwhelmed. If your firewall networking is strong you should be fine.

  • Johannes Jacobs@lemmy.jhjacobs.nl
    11·
    1 year ago

    Look at Ubiquiti’s unifi lineup. We implement them on several locations, and im very happy with it.if you use the UDM router you have a local controller which can be cloud managed.