Blog
Technical articles, deep dives, and commentary on networking and technology.
-
Ansible Deep Dive Part 1: What Ansible Is, and Why Agentless Still Wins
Kicking off a thirteen-part Ansible series. Part 1 covers what Ansible actually is, the push-based agentless model and why it still matters against Chef/Puppet/Salt, the control node/managed node mental model, installing Ansible, and your first ad-hoc command against a real inventory.
-
Ansible Deep Dive Part 10 Lab: Automating a Cisco and FortiGate Fleet With Ansible
Part 10, the second lab: network-specific Ansible modules against a mixed Cisco IOS and FortiGate fleet — cisco.ios facts and config, fortinet.fortios firewall policy objects, connection: network_cli vs httpapi, and a config-drift check playbook.
-
Ansible Deep Dive Part 11: Error Handling in Anger — Blocks, Rescue, and Partial Failures
Part 11: block/rescue/always for structured error handling, ignore_errors vs failed_when vs ignore_unreachable, max_fail_percentage and any_errors_fatal, and retries/until for polling a service until it's actually ready.
-
Ansible Deep Dive Part 12: Best Practices — the Style Guide I Actually Follow
Part 12: the Ansible conventions worth treating as non-negotiable — naming, idempotency discipline, directory layout, secrets, tagging restraint, testing gates, and the failure modes that show up once a project outlives its author's memory of writing it.
-
Ansible Deep Dive Part 13: Does Ansible Still Matter in an MCP/AI World?
Part 13, the closing piece: if an AI agent can SSH in and fix things itself, do playbooks, idempotency, and config management still matter? A case for yes — argued through the same MCP server that writes this very site.
-
Ansible Deep Dive Part 2: Inventory — Static, Dynamic, and Everything In Between
Part 2 of the Ansible series: INI vs YAML inventory, groups and nested groups, host_vars/group_vars, patterns and limits, and moving to dynamic inventory plugins (AWS, and a network-specific example) once static files stop scaling.
-
Ansible Deep Dive Part 3: Playbooks, Tasks, and the Idempotency Contract
Part 3: plays and tasks, modules vs shell/command, the idempotency contract that makes Ansible safe to re-run, handlers and notify, check mode and diff mode, and tags for selectively running part of a playbook.
-
Ansible Deep Dive Part 4: Variables, Facts, and Jinja2 Templating
Part 4: where variables come from, gathering and using facts, the Jinja2 syntax underneath when/template/filters, common filters worth knowing, and building real config templates for both servers and network devices.
-
Ansible Deep Dive Part 5: Roles and Ansible Galaxy — Structuring Projects That Scale
Part 5: the standard role directory layout, defaults vs vars, role dependencies, ansible-galaxy for installing community roles and collections, and requirements.yml for pinning what a project depends on.
-
Ansible Deep Dive Part 6: Variable Precedence and Ansible Vault — Secrets Done Right
Part 6: the full variable precedence ladder from role defaults to extra-vars, then Ansible Vault end to end — encrypting whole files and single strings, vault IDs for multiple secret tiers, and keeping vault passwords out of the repo entirely.
-
Ansible Deep Dive Part 7: ansible.cfg, Performance, and Scaling to Hundreds of Hosts
Part 7: the ansible.cfg precedence and the settings that actually matter, forks and the linear/free strategies, SSH pipelining and ControlPersist, fact caching, and Mitogen as the option to know about even if you don't reach for it.
-
Ansible Deep Dive Part 8: Testing Ansible — Molecule, ansible-lint, and CI Pipelines
Part 8: ansible-lint and its rule categories, Molecule for spinning up disposable Docker/VM targets and asserting real state with Testinfra, idempotency testing (running a role twice and asserting nothing changed the second time), and wiring it all into GitHub Actions.
-
Ansible Deep Dive Part 9 Lab: Zero to Production — a Three-Tier Web App From Bare Metal
Part 9, the first lab: a role-based playbook standing up a load balancer, two app servers, and PostgreSQL from bare Ubuntu boxes — vault-protected credentials, templated HAProxy/env config, notify chains, and a rolling deploy with serial.
-
ENSDWI Part 5: Certificates, Device Lists, and Control-Plane Troubleshooting
Blueprint 2.3 and 2.4: the certificate trust model end to end — root CA options, controller CSRs, the WAN Edge authorized serial list — then the systematic control-connection troubleshooting flow behind most ENSDWI exhibit questions.
-
ENSDWI Part 4: Controller Deployment — Cloud, On-Prem, Scale, and Redundancy
Blueprint 2.1 and 2.2: Cisco-hosted vs on-premises controllers, hosting platform requirements, installing the vManage/vBond/vSmart trio, and the scalability and redundancy rules — clustering, affinity, and how many of each you actually need.
-
ENSDWI Part 3: Edge Platforms and Cloud OnRamp
Finishing blueprint domain 1.0: the cEdge and vEdge platform families and how to pick between them, then all four Cloud OnRamp variants — SaaS, IaaS, Colocation, and Multicloud/Interconnect — at the depth the exam actually tests.
-
ENSDWI Part 2: Architecture — Planes, Components, and Multi-Region Fabric
Blueprint domain 1.1: the four planes and their components, OMP's three route types, TLOCs, IPsec vs GRE encapsulation, BFD's dual role, and Multi-Region Fabric — the v1.2 addition that older study material misses entirely.
-
ENSDWI Part 1: Exam Syllabus & Study Roadmap
Kicking off a twelve-part study series for the Cisco 300-415 ENSDWI exam. Part 1 breaks down the v1.2 blueprint domain by domain, maps every topic to a part of this series, and covers exam logistics, lab options, and how to study for a 90-minute concentration exam.
-
Cisco Catalyst SD-WAN Deep Dive Part 1: Components, Controllers, and the Four Planes
Starting a ten-part deep dive into Cisco Catalyst SD-WAN. Part 1 covers the Viptela lineage, the four controller planes (vManage, vSmart, vBond, WAN Edge), the certificate trust model, and the control-connection bring-up sequence.
-
Cisco Catalyst SD-WAN Deep Dive Part 10: Failure Modes, Scale Limits, and a Vendor Comparison
Part 10, the finale: what actually breaks (vBond, vSmart, vManage) and what doesn't when it does, vManage's documented scale ceiling, and a head-to-head of OMP/TLOC against Fortinet ADVPN, Arista DMPO, and VeloCloud.
-
Cisco Catalyst SD-WAN Deep Dive Part 2: OMP, the Overlay Management Protocol
Part 2 of the Cisco Catalyst SD-WAN series: what OMP actually carries between WAN Edge and vSmart — OMP routes, TLOC routes, and service routes — how best-path selection and multipath differ from BGP, and why the overlay/underlay split is the whole point.
-
Cisco Catalyst SD-WAN Deep Dive Part 3: TLOCs, Color, and Centralized Policy
Part 3 of the Cisco Catalyst SD-WAN series: what TLOC color actually constrains, how restrict/no-restrict shapes which tunnels can form, and how centralized control policy on vSmart turns that into enforced topology — full mesh, hub-and-spoke, or anything between.
-
Cisco Catalyst SD-WAN Deep Dive Part 4: BFD, App-Route SLAs, and cEdge Forwarding
Part 4: how BFD over every data tunnel drives both fast failure detection and continuous SLA measurement, how app-route policy steers on that data, and where cEdge's IOS-XE forwarding pipeline diverges from legacy vEdge.
-
Cisco Catalyst SD-WAN Deep Dive Part 5: Topology Walkthroughs — Dual Transport, DIA, and TLOC Extension
Part 5: VPN segmentation (transport vs. service VPNs), a worked dual-MPLS-plus-Internet branch design, direct internet access for local breakout, and TLOC extension for sites with no WAN circuit of their own.
-
Cisco Catalyst SD-WAN Deep Dive Part 6: Cloud OnRamp for SaaS and IaaS
Part 6: how Cloud OnRamp for SaaS continuously measures per-app, per-transport path quality to pick the best local breakout, and how Cloud OnRamp for IaaS extends the fabric directly into AWS and Azure as cloud-resident sites.
-
Cisco Catalyst SD-WAN Deep Dive Part 7: SIG, Secure Firewall, and Edge Security
Part 7: how DIA traffic gets inspected without a hub backhaul — Cisco Secure Internet Gateway integration, the on-box UTD container on cEdge, and how this converges with the broader SASE shift other vendors are making too.
-
Cisco Catalyst SD-WAN Deep Dive Part 8: Automation — vManage API, Terraform, and Ansible
Part 8: why vManage's API-first design means automating Catalyst SD-WAN looks nothing like CLI-scraping individual boxes, and where Terraform's declarative model and Ansible's procedural model each fit.
-
Cisco Catalyst SD-WAN Deep Dive Part 9: The MPLS-to-SD-WAN Cutover Playbook
Part 9: a phased, coexistence-based migration sequence from legacy MPLS to Catalyst SD-WAN — pilot sites first, hubs last, explicit rollback triggers, and why ripping MPLS out in one weekend is the wrong instinct.
-
AI Part 8: Kali 2026.2's Nine New Tools, and the MCP Server With 150 More Behind It
Kali 2026.2 shipped nine new tools, one an AI CLI by default. I installed and ran every one I could in a rootless sandbox, then looked behind the curtain at a 17,000-line MCP server wrapping 150+ tools, and Kali's own local-LLM stack. No fabricated output.
-
AI Part 9: From Draft-Only to Whole-Site — the v2.4 Tool Surface and the Rails Behind It
Parts 7 and 8 went out to other people's tool servers. This one comes home. v2.4 turns my blog's MCP server from a draft-publishing surface into one that can read, grep, write, and illustrate the whole site — and the interesting part was never the tools. It was the guardrails.
-
SD-WAN Control Plane Showdown: Three Philosophies for Solving the Same Problem
Fortinet collapses control onto the data-plane device. Arista/VeloCloud collocates it on a multi-tenant Gateway. Cisco/Viptela decouples it fully into vSmart and OMP. Three architectures covered on this site, lined up side by side, right before the Cisco series picks up the third one.
-
A Brief History of SD-WAN Controllers: Viptela, VeloCloud, CloudGenix, and Why Cisco Runs Two SD-WAN Stacks
Three startups solved SD-WAN's control-plane problem within a year of each other. Two got bought by exactly the company you'd expect; one brand didn't survive. The acquisition history of Viptela, VeloCloud, and CloudGenix — and why Cisco still runs two unrelated SD-WAN stacks today.
-
The Three Planes: Management, Control, and Data — and Why Every SD-WAN Argument Comes Back to Them
A vendor-neutral primer on the management, control, and data planes — what each actually does, why management-vs-control is the distinction everyone blurs, and a three-question test you can run against any SD-WAN platform regardless of vendor.
-
Cilium: Kubernetes Networking and Security Built on eBPF
Cilium replaces iptables-based kube-proxy and overlay CNIs with eBPF programs on the kernel datapath. Connects back to namespaces, veth pairs, nftables, and eBPF/XDP, then covers identity-based network policy and Hubble observability.
-
AI Part 7: When an LLM Gets Nmap and Metasploit as Tools
I wired an LLM into nmap and Metasploit against a deliberately vulnerable lab. The exploit worked — a real, server-verified root shell — but the sharper finding was the models themselves: a 7B fabricated its tool output wholesale, an 8B mangled its arguments, and only a 32B drove the tools honestly. No fabricated transcripts — the model's included.
-
Nmap and the Scripting Engine: A Network Engineer's Field Guide to NSE
Nmap's scan engine and NSE scripting framework are as useful for firewall change validation and inventory work as for security assessments. Covers scan types, timing, NSE categories, writing a custom script, and practical recipes for network engineers.
-
strncpy Is Finally Gone: What Linux 7.2-rc1 Means for Kernel Security
Linus opened the 7.2 merge window and tagged 7.2-rc1 — and with it, strncpy() is finally gone from the kernel tree. Six years, 362 commits, 70 contributors. Here's what the function actually did wrong, why it took so long to kill, and why removal beats deprecation.
-
Linux Network Namespaces: Isolated Network Stacks Without a Hypervisor
Network namespaces give a process its own interfaces, routing table, iptables rules, and sockets — completely isolated from the host. They underpin Docker, Kubernetes, and VPNs. This post covers how they work and how to use them hands-on.
-
nftables: The Modern Netfilter Framework Every Network Engineer Should Know
nftables replaced iptables as the default Linux firewall framework years ago, but most existing guides and scripts still assume iptables syntax. This post covers the nftables model properly — tables, chains, sets, maps — and how to think about it coming from an iptables or FortiGate policy background.
-
eBPF and bpftrace: Network Observability Without Touching the Packet Path
eBPF lets you attach tiny programs to kernel hooks — TCP state changes, socket events, XDP ingress — with zero packet-path overhead and no kernel modules. bpftrace makes it scriptable. This post covers both for network engineers.
-
Bash Patterns Every Network Engineer Should Know
Most network engineers write bash defensively, copying patterns from old scripts without understanding why they work. This post covers the patterns that actually matter — strict mode, parallel SSH fan-out, retry logic, and structured output — with an emphasis on what breaks when you skip them.
-
Deeper Than tcpdump: NIC Diagnostics with ethtool and Protocol Analysis with tshark
ethtool exposes the NIC hardware state that sits below anything tcpdump can see — link negotiation, ring buffers, offload settings, error counters. tshark adds full protocol decode on top of tcpdump's capture model. Together they cover the diagnostic gap between 'the cable is fine' and 'I can read every field in this packet.'
-
Linux VRFs: Route Isolation Without the Namespace Overhead
Linux VRFs give you FortiGate-VDOM-style routing table separation on a single network stack, without the full isolation (and overhead) of network namespaces. This post covers the l3mdev model, VRF creation, route leaking, and when VRFs are the right tool versus namespaces.
-
jq for Network Engineers: Parsing APIs, Routing Tables, and Structured Logs
jq is the missing piece between modern JSON-emitting tools — ip -j, ss -j, REST APIs — and the shell. This post covers the filter language properly: selection, mapping, construction, and the patterns that come up constantly when automating network infrastructure.
-
Replacing netstat with ss: A Network Engineer's Diagnostic Guide
ss is the modern replacement for netstat — faster, richer, and capable of exposing per-socket TCP internals that netstat never could. This post covers the filter syntax, TCP state analysis, and the diagnostics that matter when troubleshooting live connections.
-
Beyond ifconfig: The ip Command Reference Every Network Engineer Needs
The ip command from iproute2 replaced ifconfig and route over a decade ago, but most guides still treat it as a drop-in substitute. This post covers the full model — interfaces, addresses, routes, policy routing, ARP, and live monitoring — with practical examples aimed at network engineers.
-
Traffic Control Under the Hood: A Linux tc Deep Dive for Network Engineers
tc is the Linux traffic control subsystem behind netem, HTB shaping, and DSCP-aware queuing. This post explains the model properly — qdiscs, classes, filters — then builds a practical lab rig for testing SD-WAN Performance SLA thresholds and QoS behaviour.
-
Python for Network Engineers — Part 1: Why Python in 2026, Environment Setup, and Your AI Pair Programmer
The first post in a 12-part series covering Python for network engineers from first principles to production automation. We cover why Python is still the right choice in 2026, how to set up a modern development environment, and how to use AI tools as a genuine pair programmer throughout your learning journey.
-
Python for Network Engineers — Part 10: NAPALM — Vendor-Agnostic Network Automation
Part 10 of the Python for Network Engineers series. NAPALM provides a vendor-agnostic Python interface to network devices — the same code collects state or replaces configuration on Arista, Cisco, Juniper, or Fortinet without modification. We cover getters, config replace, dry-run validation, and the config diff workflow.
-
Python for Network Engineers — Part 11: Nornir — Parallel Automation at Scale
Part 11 of the Python for Network Engineers series. Nornir is a pure-Python automation framework that runs tasks across an inventory in parallel. We cover YAML inventory, task functions, result handling, host/group filtering, and the Netmiko and NAPALM plugins — bringing together everything from the series into one coherent framework.
-
Python for Network Engineers — Part 12: AI-Assisted Network Automation
The final post in the Python for Network Engineers series. We look at how to put AI tools to work inside the automation workflows we've built — config review, fleet-wide AI-assisted parsing, a minimal MCP server that lets an AI agent call your automation scripts, and the discipline that keeps AI-assisted automation safe.
-
Python for Network Engineers — Part 2: Strings, Numbers, Files, Lists, and Tuples
Part 2 of the Python for Network Engineers series. We cover Python's core data types — strings, numbers, booleans, files, lists, and tuples — with every example drawn from real network engineering scenarios.
-
Python for Network Engineers — Part 3: Dictionaries, Sets, Comprehensions, and Exceptions
Part 3 of the Python for Network Engineers series. Dictionaries model device state. Sets expose VLAN drift between switches in one line. Comprehensions replace verbose loops. Exception handling keeps automation running when devices misbehave.
-
Python for Network Engineers — Part 4: Functions, Regular Expressions, and Modules
Part 4 of the Python for Network Engineers series. Functions make your automation reusable and testable. Regular expressions parse the CLI output that structured tools can't reach. Modules turn a script into a project.
-
Python for Network Engineers — Part 5: Netmiko — SSH Automation Across Vendors
Part 5 of the Python for Network Engineers series. We connect to real network devices over SSH using Netmiko, run show commands, push configuration, and build a multi-device inventory collector — with a Containerlab lab you can run at home.
-
Python for Network Engineers — Part 6: Parsing CLI Output — From Regex to AI
Part 6 of the Python for Network Engineers series. Raw CLI output is a string — not data. We cover TextFSM templates, the NTC-templates library, Genie parsers, and AI-assisted parsing for commands where no community template exists.
-
Python for Network Engineers — Part 7: YAML, JSON, and Validating Your Inventory with Pydantic
Part 7 of the Python for Network Engineers series. YAML for human-maintained inventory and config files. JSON for API responses and storing collected data. Pydantic to validate that what you read actually matches what you expect before it reaches your automation logic.
-
Python for Network Engineers — Part 8: Jinja2 — Generating Configs at Scale
Part 8 of the Python for Network Engineers series. Jinja2 turns structured data into device configuration. Variables, loops, conditionals, filters, macros, and template inheritance — with Arista, Cisco, and Fortinet examples throughout.
-
Python for Network Engineers — Part 9: REST APIs — The Modern Control Plane
Part 9 of the Python for Network Engineers series. Every modern network platform exposes a REST API. We cover the requests library, authentication patterns, pagination, error handling, and two real-world examples: Arista eAPI against our existing lab, and the FortiManager JSON-RPC API.
-
Chronos Keeps Time: Building an Enterprise-Grade NTP Service with chrony and Integrating it with FortiGate
Why we chose chrony over ntpd and timesyncd, what CIS and Fortinet hardening guides say about NTP, a full build walkthrough, the deny-all ordering mistake every network engineer will make, and how to generate NTP keys that FortiOS will actually accept.
-
One Box, Many Firewalls: A Practical Guide to FortiGate VDOMs
Virtual domains let a single FortiGate behave as several independent firewalls — separate routing tables, policies, and administrative boundaries on shared hardware. When that's the right tool, when a VRF is the better one, and how inter-VDOM routing actually moves a packet between them.
-
Watching the Fabric: FortiAnalyzer and FortiMonitor for SD-WAN SLA Observability
The operational bookend to the SD-WAN design series — how FortiAnalyzer and FortiMonitor turn the performance-SLA assumptions baked into your hub placement and resilience design into something you can actually alert on, trend, and defend with data months later.
-
The Cutover Playbook: Migrating from MPLS to SD-WAN Without a Bad Weekend
A phased, dual-running migration plan for moving a branch off MPLS and onto SD-WAN — route-map-based preference during transition, what to validate before each cutover step, and the rollback triggers that keep a bad change from becoming an outage.
-
IPsec Deep Dive Part 1: ESP, AH, and How IKE Phase 1 Actually Brings a Tunnel Up
IPsec underpins every Fortinet SD-WAN overlay this blog has built, and it's never had its own deep dive. Part 1 fixes that: the SA model, ESP vs AH, tunnel vs transport, and a message-by-message walk through IKEv1 main mode, aggressive mode, and IKEv2.
-
IPsec Deep Dive Part 2: Phase 2, Child SAs, and the Anatomy of an ESP Packet
Phase 1 built a control channel and protected nothing. Part 2 covers the negotiation that actually moves data: quick mode and child SAs, traffic selectors, PFS, rekeying, and anti-replay — then dissects an ESP packet field by field, down to the MTU math.
-
IPsec Deep Dive Part 3: NAT vs IPsec — NAT-T, Port Forwarding, and the Fortinet SD-WAN Reality
NAT breaks IPsec three distinct ways — AH's ICV, ESP's missing ports, and IKE's rewritten source port. Part 3 covers each break, how NAT-D detects it and NAT-T's UDP 4500 encapsulation repairs it, when port forwarding is still required, and what it all means for SD-WAN spokes behind CPE NAT.
-
Policed, Not Just Routed: Traffic Shaping and QoS Internals on Fortinet SD-WAN
Application-aware routing decides which path a flow takes. Shaping decides what happens to it once it's there — shaping profiles, per-IP and per-policy shapers, queue assignment, and how it all interacts with NP7 hardware offload.
-
NSE6 Part 1: Stream Overview, Exam Structure, and the Secure Networking Stack
What the NSE6 Secure Networking specialist stream covers, how the four product exam tracks fit together, and how FortiAuthenticator, FortiSwitch, FortiAP, and FortiNAC form a joined-up access-layer security story.
-
NSE6 Part 10: FortiAP Rogue Detection, Wireless IDS, Mesh, and Troubleshooting
WIDS rogue AP classification and containment, wireless IDS signature types, FortiAP mesh topology with root and leaf APs, OfficeExtender remote AP split-tunnel deployment, and the diagnostic commands and common failure patterns for the FCA-FAP exam troubleshooting section.
-
NSE6 Part 11: FortiNAC Architecture, Network Discovery, and Device Profiling
NAC concepts and where FortiNAC sits in the Security Fabric, Control and Application server roles, HA architecture, how FortiNAC discovers network devices via SNMP and SSH, passive and active endpoint discovery, and the fingerprinting methods that determine what type of device is on each port.
-
NSE6 Part 12: FortiNAC Access Policies, CoA, and VLAN Enforcement
The FortiNAC policy model — groups, access values, and network access policies — how RADIUS and CoA enforce VLAN assignment on FortiSwitch and third-party switches, logical networks for VLAN abstraction, and the end-to-end 802.1X enforcement flow from endpoint connect to VLAN assignment.
-
NSE6 Part 13: FortiNAC Endpoint Compliance, Agents, and Host Isolation
Persistent, dissolvable, and agentless posture assessment methods, compliance rules and remediation actions, quarantine VLAN and isolation workflow, guest self-registration and sponsor approval, BYOD certificate onboarding, and MDM integration with Intune, Jamf, and FortiClient EMS.
-
NSE6 Part 14: FortiNAC HA, Reporting, and End-to-End Troubleshooting
FortiNAC HA failover mechanics, MySQL replication, syslog/FAZ integration, alarm framework, built-in and custom reports, and a systematic troubleshooting guide for discovery failures, enforcement problems, and 802.1X issues — with a complete end-to-end trace of a new endpoint joining.
-
NSE6 Part 2: FortiAuthenticator Architecture and Local Authentication
FortiAuthenticator deployment modes, hardware vs VM sizing, initial setup, local user and group management, password policies, account lockout, and the admin interfaces you use to build out a working identity store before you plug in LDAP or RADIUS.
-
NSE6 Part 3: FortiAuthenticator RADIUS Service, LDAP Integration, and Remote Auth
How FortiAuthenticator acts as a RADIUS server for FortiGate, FortiSwitch, and other NAS devices; configuring realms and routing; integrating with Active Directory via LDAP; and the diagnostic commands that expose exactly where an authentication flow breaks.
-
NSE6 Part 4: FortiToken 2FA, Certificate Management, and the Self-Service Portal
Adding a second factor with FortiToken hardware and mobile tokens, certificate authority configuration and SCEP enrollment, and setting up the self-service portal for password reset, token activation, and guest account management with sponsor approval.
-
NSE6 Part 5: FortiSwitch Hardware, FortiLink Managed Mode, and Initial Provisioning
FortiSwitch hardware families and PoE considerations, how FortiLink turns a FortiGate into a wired switching controller, the discovery and authorisation process for bringing a switch under management, and firmware management from the FortiGate GUI.
-
NSE6 Part 6: FortiSwitch VLANs, RSTP, Link Aggregation, and Stacking Design
VLAN trunking and access port configuration under FortiLink, RSTP bridge priority and port roles, static and LACP link aggregation, MCLAG dual-homing for access-layer resilience, and QoS trust modes for DSCP/CoS remarking at the network edge.
-
NSE6 Part 7: FortiSwitch 802.1X, MAC Authentication Bypass, and Port Security
Port-level 802.1X authentication with FortiAuthenticator as the RADIUS backend, EAP method selection, dynamic VLAN assignment from RADIUS attributes, MAC Authentication Bypass for non-supplicant devices, sticky MAC port security, and CoA-triggered VLAN changes mid-session.
-
NSE6 Part 8: FortiAP Hardware, CAPWAP Discovery, and AP Provisioning
Wi-Fi 6 fundamentals and the key 802.11 standards, FortiAP hardware families and PoE requirements, how CAPWAP connects APs to the FortiGate wireless controller, the four AP discovery methods, WTP profile configuration, and the authorisation and firmware management workflow.
-
NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management
SSID and VAP configuration options, every wireless security mode from Open to WPA3-Enterprise, dynamic VLAN assignment via RADIUS for wireless, captive portal integration with FortiAuthenticator, band steering, and the RF management tools that keep channels clean in dense deployments.
-
Zero Trust Meets the Overlay: Converging ZTNA and SD-WAN on Fortinet
The capstone to the SD-WAN series: how Fortinet's ZTNA tags and access proxy let you fold per-application, identity-aware access control directly into the SD-WAN fabric — built on the RADIUS/TACACS AAA backend and the PKI you already stood up for IPsec.
-
Pairing a FortiGate and FortiSwitch the Right Way, Part 1: Get the Firmware Right First
Before a FortiGate and FortiSwitch will even talk to each other over FortiLink, both need to be on compatible, fully-patched firmware — and NTP/DNS need to be solid. Part 1 covers the upgrade plan we should have run before touching FortiLink at all.
-
Pairing a FortiGate and FortiSwitch the Right Way, Part 2: FortiLink, and Where We Actually Went Wrong
The FortiLink handshake looks trivial in the docs: cable it in, authorize, done. Ours didn't go that way. Part 2 walks the correct pairing process, then dissects exactly where — and why — our first attempt stalled, with the redo plan for when we factory-reset both boxes.
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 1 — The Architecture Decision
FortiManager-as-CA vs. a dedicated external CA for certificate-based IPsec on Fortinet SD-WAN: the honest trade-offs, SCEP vs EST, CRL vs OCSP, certificate lifetime philosophy, and why "who is your CA" is the real question hiding inside "switch to certificates."
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 2 — Standing Up the PKI
Standing up a real PKI for Fortinet SD-WAN IPsec: offline root, online issuing CA, a certificate role scoped to IPsec end entities, an EST front-end, CRL/OCSP placed where the chicken-and-egg overlay problem can't reach it, and FortiManager's much smaller supporting role.
-
Beyond PSK: PKI for Fortinet SD-WAN IPsec, Part 3 — Enrollment, Automation, and the Cutover
Closing the series: solving EST's bootstrap-credential problem on purpose, monitoring certificate renewal at scale before it becomes an outage, and executing the PSK-to-certificate cutover — explicitly diffed against the FMG-as-CA migration path.
-
Cloud On-Ramp Part 1: The Architecture Decision and AWS Transit Gateway
Hub Placement Part 3 said the hub goes where the VPC is. This post answers the question that raises immediately: how does it actually get there? BGP-over-IPsec to AWS Transit Gateway, ASN selection, and mapping on-prem VRFs onto TGW route tables.
-
Cloud On-Ramp Part 2: Azure Virtual WAN and a Dual-Cloud Resilience Design
Azure Virtual WAN looks like AWS Transit Gateway from a distance — a managed hub that attachments plug into. Up close, the BGP mechanics, the route-propagation model, and the failure modes all differ in ways that decide whether a dual-cloud on-ramp actually survives a bad day.
-
Local Internet Breakout in Practice: SD-WAN Zones, Rules, and a Multi-VRF Guest Wi-Fi Walkthrough
How SD-WAN zones, members, and performance-SLA rules actually decide where a session breaks out — and a full walkthrough of giving Guest Wi-Fi its own VRF, its own zone, and a local internet path that never touches the corporate tunnel.
-
Fortinet SD-WAN Hub Placement Part 1: The Traditional Model — Hubs in the DC
Why hubs traditionally sit in the DC, the job they actually do there, how they protect FMG/FAZ, and how BGP on loopback ties it together. Part 1 of a series that goes on to challenge the assumption that the hub belongs in the DC at all.
-
Fortinet SD-WAN Hub Placement Part 2: The MSSP Shift — When the Hub Becomes Customer-Centric
What changes when one FMG/FAZ pair manages many customers through ADOMs: the hub stops being "the DC's hub" and becomes a per-customer design decision, with its own routing domain, AS plan, and placement logic.
-
Fortinet SD-WAN Hub Placement Part 3: Cloud, SASE, and the Death of "The DC" as the Default
Closing out the hub-placement series: what changes about hub design when the destination is Azure, AWS, or GCP rather than a DC, and what changes again for customers migrating from a DC-centric WAN to a SASE-centric one.
-
From DSCP to Deep Packet Inspection: Why SD-WAN Application-Aware Routing Killed Traditional QoS
A deep technical comparison of legacy QoS (DSCP/CoS, static priority queues, box-by-box CLI) against SD-WAN Application-Aware Routing — plus a vendor-by-vendor breakdown of how Cisco Catalyst SD-WAN, Fortinet, Juniper Mist (128T), and VeloCloud actually identify and steer application traffic.
-
The Packet Never Lies: Advanced tcpdump Recipes for the Enterprise Engineer
Bitwise BPF masking, enterprise recipes for asymmetric routing and retransmission hunting, a safe SSH-to-Wireshark live-streaming setup that won't loop your own session, and a cross-vendor capture map spanning Debian, Cisco IOS, FortiOS, Junos, and VeloCloud.
-
Why Deep Packet Inspection (DPI) Breaks Guest Wi-Fi (And How to Fix It on Fortinet FortiGate)
Full SSL Inspection looks like the obvious way to secure a guest or BYOD network on FortiGate — until certificate warnings, crashed apps, and "No Internet" errors flood the helpdesk. Here's why DPI breaks guest Wi-Fi, and the certificate-inspection-plus-ISDB architecture that actually works.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 1: System Health & Routing
Part 1 of a 3-part deep-dive CLI reference for the NSE 4 exam. Covers get system status, get system performance status, interface and NIC diagnostics, the routing table RIB vs FIB, ARP, and ping-options — with live output breakdowns and exam-pressure indicators for every command.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 2: Session Table & Packet Flow
Part 2 of 3 in the NSE 4 CLI reference series. Deep-dives into FortiOS session table internals — filtering, reading, and clearing sessions — then covers the packet sniffer verbosity levels 1–6 and the full debug flow chain with line-by-line breakdown of successful vs. dropped traces.
-
The Ultimate FortiOS CLI Reference for the NSE 4 Exam – Part 3: VPN & HA
Part 3 of 3 in the NSE 4 CLI reference series. Covers IPsec VPN diagnostics (IKE gateway state, tunnel SAs, SPI counter discrepancies), SSL-VPN authentication traces, and HA cluster mechanics — election criteria, heartbeat state, and configuration synchronisation verification via checksum hashes.
-
How I Use Claude to Help Run This Blog (and Why You Should Try It)
I built a custom MCP server so Claude can write and deploy posts directly to this site. Here's how it works, and an honest look at where AI fits into my workflow.
-
VeloCloud SD-WAN and Partner Gateways Part 1: MPLS-Only Site Architecture
A deep dive into how VeloCloud SD-WAN connects MPLS-only branch sites via Partner Gateways — covering the NNI, underlay BGP peering, and why MPLS-only edges present a unique onboarding challenge.
-
VeloCloud SD-WAN and Partner Gateways Part 2: Onboarding an MPLS-Only Edge
A step-by-step walkthrough of how an MPLS-only VeloCloud Edge activates using a temporary internet path injected into the MPLS VRF, what changes once the VCMP tunnels are up, and how the production routing state differs from the onboarding state.
-
VeloCloud SD-WAN and Partner Gateways Part 3: Taming the Default Route at the NNI
Why a 0/0 leaking from the MPLS underlay into a VeloCloud Partner Gateway is dangerous, how to filter it at the NNI, and the VeloCloud best practice approach to default route handling — with BGP policy examples.
-
BGP Route Dampening Part 1: The Flapping Problem, Exponential Decay, and Cisco Configuration
A deep dive into how BGP route dampening works: the 1990s internet instability that created it, the exponential decay algorithm behind it, every Cisco parameter explained, and a full configuration and verification reference.
-
BGP Route Dampening Part 2: RFC 7454, BFD, and Where Dampening Still Belongs
Why the IETF now discourages global BGP route dampening, how Bidirectional Forwarding Detection interacts with it, what RFC 7454 actually says, and the specific modern scenarios where dampening remains the right answer.
-
RYA SRC Part 1 — GMDSS, Sea Areas, and Why the SRC Exists
An exam-grade walk through the Global Maritime Distress and Safety System — the four Sea Areas, the players that regulate it, and why a UK boater needs an SRC to legally key the PTT.
-
RYA SRC Part 10 — How to Pass the SRC Exam: Structure, Timing, and Day-of
A practical guide to actually passing the SRC — eligibility documents, the £76 fee, what's in the written paper and the practical assessment, a two-week study plan, the common gotchas the examiner watches for, and what to do on the day.
-
RYA SRC Part 11 — Practice Exam: 50 Questions (Paper A and Paper B)
Two 25-question practice papers covering the full RYA SRC syllabus — multi-choice and short-answer, with full worked explanations in the answer key. Sit each paper timed (45 minutes), mark honestly, revise the misses.
-
RYA SRC Part 2 — VHF Channels, Frequencies, and Propagation
The VHF marine band channel-by-channel — what CH16, CH70, CH13, CH67, CH80 and the M channels are for, why CH70 is sacred, how to estimate range from antenna heights, and the simplex/duplex distinctions that come up in the exam.
-
RYA SRC Part 3 — The VHF Set: Controls, Antennas, and Power
Front-panel by front-panel — squelch, hi/lo power, dual-watch, the DSC distress button under the flap, why antenna height matters more than antenna gain on a sailboat, and the battery routines that keep a handheld working when you actually need it.
-
RYA SRC Part 4 — DSC and MMSI: How the Radio Calls Other Radios
Digital Selective Calling unpacked — the four call priorities, the four call types, the nine-digit MMSI structure and what each prefix means, the nature-of-distress menu options, and what happens if a small craft tries to acknowledge a distress alert in Sea Area A1 (don't).
-
RYA SRC Part 5 — Distress: DSC Alerts, MAYDAY, and MAYDAY RELAY
The full distress procedure end to end — pressing the DSC button, the voice MAYDAY format you'll be examined on, who controls distress traffic, what SEELONCE MAYDAY and SEELONCE FEENEE mean, and when to send a MAYDAY RELAY for someone else.
-
RYA SRC Part 6 — Urgency, Safety, and Routine Voice Procedure
PAN-PAN, SECURITE, and the routine voice procedure — when to use which, the radio-medical call, the IMO Standard Marine Communication Phrases, the NATO phonetic alphabet, prowords, and what to do with an unanswered or garbled call.
-
RYA SRC Part 7 — EPIRBs, SARTs, and NAVTEX
The rest of GMDSS that the SRC syllabus covers — 406 MHz Cospas-Sarsat EPIRBs and how to register them, the difference between AIS-SART and Radar-SART, PLBs and MOB beacons, and the NAVTEX message format including which letter codes you can never reject.
-
RYA SRC Part 8 — Protecting Distress Frequencies: False Alerts, Testing, and Guard Bands
The rules that keep the distress system credible — what's protected on CH16 and CH70, why CH15, 17, 75 and 76 are low-power guard bands, how to test a DSC set without launching a lifeboat, and the exact procedure for cancelling a false distress alert.
-
RYA SRC Part 9 — Regulations: Licences, Watchkeeping, and Who Makes the Rules
The regulatory layer of the SRC syllabus — ITU, CEPT, Ofcom, MCA and what each does; the operator licences (SRC, ROC, LRC, GOC) and the station licences (Ship Radio Licence vs Ship Portable Radio Licence); watchkeeping obligations, record keeping, secrecy, and the prohibited transmissions list.
-
Fortinet SD-WAN Jinja Orchestrator — Part 1: The Two Template Engines
Part 1 of three. FortiManager hosts two distinct template engines — classic CLI templates and Jinja CLI templates — and they aren't interchangeable. Thesis: Jinja for shape-varying network plumbing, CLI templates for shape-fixed system config, and a real deployment uses both.
-
Fortinet SD-WAN Jinja Orchestrator — Part 2: Anatomy and Patterns
Part 2 of three. We open Fortinet's sdwan-advpn-reference repo and read it end-to-end: the dynamic-bgp-on-lo directory, the four reference Project Templates, the inventory contract that feeds them, and the three Jinja patterns the templates lean on heaviest — loops, ipaddr derivation, and imports.
-
Fortinet SD-WAN Jinja Orchestrator — Part 3: PSK to Cert With FMG as CA
Part 3 of three. We take the single-hub PSK example from the reference repo and migrate it to certificate-based IPSec, with FortiManager as the CA. FMG CA setup, per-device enrolment, Project Template flag flip, what changes in the rendered config and what doesn't.
-
Arista (VMware) SD-WAN Deep Dive — Part 1: Components, Gateways, and the Three Planes
First post in a five-part deep dive on Arista (VMware) SD-WAN. We start with the components — Edges, Cloud Gateways, Partner Gateways, Orchestrator, Controller — and the three planes that bind them. Sets up a UK ISP scenario that the rest of the series will pick apart.
-
Arista (VMware) SD-WAN Deep Dive — Part 2: Routing — Overlay, Underlay, BGP, and the Gateway as Route Reflector
Part 2 of five. How prefixes get into the overlay, how the Gateway redistributes them, the three Cloud VPN modes, BGP at the Edge and the Partner Gateway, and the route-selection logic that decides which underlay a flow ends up on.
-
Arista (VMware) SD-WAN Deep Dive — Part 3: The Data Plane — VCMP, DMPO, and Per-Flow Steering
Part 3 of five. Wire-level look at VCMP encapsulation, the DMPO measurement loop, Business Policy and per-flow steering, and the on-path remediation (FEC, duplication, jitter buffer) that lets the overlay tolerate underlays that misbehave.
-
Arista (VMware) SD-WAN Deep Dive — Part 4: Topology Walkthroughs — MPLS-only meets Internet-only Across Continents
Part 4 of five. The GlobalCo packet-flow walkthroughs — Newcastle to HQ, Bristol to HQ, Chicago to a UK Cloud Gateway (why it fails), and the headline: MPLS-only Chicago talking to Internet-only Shanghai via a Partner Gateway, hop by hop.
-
Arista (VMware) SD-WAN Deep Dive — Part 5: Best Practice, Failure Modes, and a Design Checklist
Part 5 of five. Gateway design rules, Partner Gateway sizing, segmentation, security service insertion, MTU, the failure modes that catch teams the first time, and a one-page design checklist for an Arista (VMware) SD-WAN rollout.
-
Finding the Hop That's Eating Your Packets: pmtud-sweeper
A per-hop Path-MTU sweeper that binary-searches the largest DF-set packet each hop will pass, then names the router that's clamping your tunnel. ICMP, UDP, TCP-SYN, end-to-end TCP MSS — pick the probe your network actually lets through.
-
Who Sent That RST? Forensic Classification of TCP Resets with rst-forensics
A pure-Python classifier that takes a TCP RST and tells you whether the server, a mid-path firewall, or the client actually sent it. Six independent scorers — TTL, IP-ID, window, options, sequence, and timing — vote on the origin so the verdict is reproducible instead of tribal.
-
Diffing FortiGate configs the way an admin reads them — fgt-config-diff
A small Python tool that parses FortiGate configs into a tree, aligns nodes by section path and edit key, and reports what was added, removed, or modified — in the language of policies and objects, not unified-diff line numbers. CLI plus a Flask web UI.
-
spectre-meltdown-checker: Auditing CPU Vulnerability Mitigations on Linux
A deep dive into spectre-meltdown-checker — how it actually works under the hood, what it tells you that /sys/devices/system/cpu/vulnerabilities does not, the alternative tools (lscpu, vendor microcode checkers, in-tree kernel reporting), and when to reach for each one on a production Linux box.
-
SDWAN Resilience Part 1: Design and Assumptions
A multi-part deep dive into building a resilient Fortinet SD-WAN on a real, slightly unfashionable topology — HA FortiManager, dual hubs in active/standby, no DCI, and an independent DCE. Part 1 lays out the topology, the AS plan, and challenges the design choices up front.
-
SDWAN Resilience Part 2: BGP on Loopback
Why we peer BGP on loopbacks instead of tunnel-interface IPs, the FortiOS dynamic-IPsec config that makes it work, the spoke-side reciprocal config, and why hub-to-hub iBGP is the wrong answer in a no-DCI active/standby topology.
-
SDWAN Resilience Part 3: DC to DCE Routing — Static, OSPF, and BGP
The hub FortiGate has to glue the spoke overlay to the data-centre environment that hosts the services. Static, OSPF, and eBGP each work — but only two of them fail correctly when the DCE peering goes down on one DC and not the other.
-
SDWAN Resilience Part 4: BFD and Convergence Tuning
Default BGP timers detect failure in three minutes. That's unacceptable for active/standby SD-WAN. This post is the timer-math: DPD vs BFD on tunnels, BFD-for-BGP, holdtime ratios, the Graceful Restart trade-off, and what convergence numbers each combination actually delivers.
-
SDWAN Resilience Part 5: Performance SLAs and Service Steering
BGP and BFD catch every failure that takes a tunnel or session with it. They don't catch the failure where everything looks healthy at the network layer but the application is gone. That's the gap SD-WAN Performance SLAs fill — and the place where careful health-check design earns its keep.
-
SDWAN Resilience Part 6: Building It Right — Full DCI and Dual-Active ADVPN
The first five parts defended a topology with real constraints. This final post is the version without those constraints — Fortinet's reference design: full DCI, dual-active ADVPN, iBGP between hubs, symmetric routing, ECMP across both paths. The full shebang.
-
Designing an Arista SD-WAN Spoke with Enhanced HA, Dual DIA, and OSPF
Building a resilient Arista (formerly VeloCloud) SD-WAN spoke: two Edges in Enhanced HA, two DIA circuits wired the optimal way, a multi-VLAN LAN, OSPF for route exchange, and the caveats that bite in practice.
-
Generating a Constant Stream of Web Traffic with Python
A small, polite Python script that round-robins through ten popular public sites at a configurable rate — useful for homelab traffic, exercising a proxy, or learning the requests library. Walks through the full code, the safety rails, and how to run it under tmux.
-
Adding Vendor Route-Table Parsers to route-compare, and Why the Work Lives on a Branch
A follow-up on the route-compare tool: I taught it to read raw show ip route, get router info routing-table all, show route, and show routing route output directly — no Excel cleanup step. The work lives on a branch rather than on main, and this is why.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 1: Ingress, NP7, and the Fast Path
Where the packet is born on a 50G FortiGate. From the wire and DMA, through the NP7 SoC's session cache, IPSA, NTurbo, and the moment a packet either flies through hardware or crosses the bridge into the kernel slow path.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 2: Stateful Inspection, Session Lookup, and Anti-Spoofing
The packet has been punted from the NP7 to the kernel. Now FortiOS does the things ASICs cannot: IP integrity, DoS sensors, RPF, session table lookup, helpers, and the state machine that decides whether this is a brand new flow or one we already know.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 3: Routing, Policy Routes, and SD-WAN Service Rules
The packet has a session entry and now needs to know where to go. FortiOS resolves that in a strict order: policy routes, then SD-WAN service rules, then the FIB. Each layer has its own logic, its own match criteria, and its own diagnostic surface.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 4: Firewall Policy, NAT, and Security Profiles
Routing told the packet where it's going. Firewall policy decides whether it's allowed, NAT rewrites it, and security profiles inspect it. Inside the iprope chain, central NAT vs policy NAT, VIPs, IP pools, and the flow-vs-proxy UTM pipeline.
-
A Day in the Life of a Packet on a 50G FortiGate, Part 5: Egress, NPU Offload, and the Full Troubleshooting Cookbook
The packet is decided. Now it has to actually leave. Egress shaping, NPU offload re-evaluation, IPsec encap, ARP, transmit. Then a single-page reference of every diagnose, get, and show command from across this series.
-
Comparing Route Tables Between Two Sources: A Small Python Tool for Audits and Migrations
A self-contained Python utility that takes two Excel route lists, normalises every prefix through ipaddress, finds exact matches and overlaps, preserves invalid entries for audit, and writes a colour-coded Excel report plus CSVs. Includes install guide and full source.
-
Configuring RADIUS Admin Auth on FortiGate SD-WAN: RBAC and Three User Profiles (Part 2 of 2)
Part 2 of 2 on RADIUS for FortiGate SD-WAN. Walks through the FortiOS config end-to-end — RADIUS server entry, group-to-profile mapping via VSA, three worked RBAC examples (senior engineer, NOC operator, compliance auditor), and the verification commands you'll need.
-
NSE5 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a 10-part study series for the Fortinet NSE 5 / FCP FortiManager Administrator certification. Covers the exam logistics, the official curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE5 Part 10: Advanced Features and Integrations
Part 10 — the final post in the NSE5 study series. Covers the advanced features that make FortiManager more than a config pusher: FortiGuard distribution, scripting, the JSON-RPC API, SSO, and FortiAnalyzer integration.
-
NSE5 Part 2: Initial Configuration and System Settings
Part 2 of the NSE5 study series — covers the day-one FortiManager configuration: network, admin access, system time, DNS, FortiGuard, OFTP, the on-disk file structure, and the diagnostic commands worth memorising before anything else.
-
NSE5 Part 3: High Availability
Part 3 of the NSE5 study series — covers the FortiManager HA cluster: primary and secondary roles, the sync mechanics, monitor IPs, manual vs automatic failover, and what to do when the cluster splits.
-
NSE5 Part 4: Administrative Domains (ADOMs)
Part 4 of the NSE5 study series — covers Administrative Domains: normal vs advanced ADOMs, version locking, ADOM modes, RBAC scope, and the per-ADOM revision history that underpins the rest of the FortiManager workflow.
-
NSE5 Part 5: Device Registration and Provisioning
Part 5 of the NSE5 study series — covers device registration: the FGFM tunnel, manual vs automatic registration, model devices, zero-touch provisioning, and the install operations that turn a registered device into a managed device.
-
NSE5 Part 6: Device-Level Configuration and Templates
Part 6 of the NSE5 study series — covers the FortiManager template engine: provisioning templates, CLI templates, SD-WAN, IPsec, and certificate templates, and how they compose into a single per-device install.
-
NSE5 Part 7: Policy and Objects
Part 7 of the NSE5 study series — covers ADOM-level policy management: policy packages, the object database, dynamic objects, install previews, install logs, and the cleanup workflows that keep the database lean.
-
NSE5 Part 8: Workflow, Workspace Mode and Revision Control
Part 8 of the NSE5 study series — covers workspace mode and the workflow approval engine: ADOM locking, read/write sessions, the workflow state machine, and how to recover an ADOM that two admins are fighting over.
-
NSE5 Part 9: Diagnostics and Troubleshooting
Part 9 of the NSE5 study series — covers the FortiManager diagnostic toolbox: device-manager diagnostics, the FGFM tunnel, install-failure forensics, oftpd, packet capture, and the debug commands worth knowing under exam pressure.
-
RADIUS vs TACACS+ on FortiGate SD-WAN: Choosing the Right AAA Backend (Part 1 of 2)
Part 1 of 2 on RADIUS for FortiGate SD-WAN. Covers the protocol differences vs TACACS+, the RADIUS server options worth knowing (NPS, FortiAuthenticator, FreeRADIUS, ISE, Okta, Duo, Entra), and when each protocol is the right call for FortiOS.
-
Resilient DNS at Home: Building an HA Pi-hole Pair on Raspberry Pi
A complete walkthrough for installing Pi-hole on a Raspberry Pi running current Raspbian, then turning a single box into a highly available pair using keepalived and Orbital Sync — with the config examples and show commands you'll actually use.
-
Building a FortiManager Lab on Proxmox — Part 1: Lab Goals, Compute Sizing and Proxmox Host Preparation
Part 1 of a five-part series on building a FortiManager lab on Proxmox. Covers lab goals, compute sizing for FMG and FGT VMs, host prerequisites, and a clean Proxmox 8.x baseline before the qcow2 build in Part 2.
-
Building a FortiManager Lab on Proxmox — Part 2: Obtaining the Image, qcow2 Conversion and First Boot
Part 2 of the FortiManager-on-Proxmox series. Walks through obtaining the KVM image from the Fortinet portal, validating the qcow2 files, building the VM shell with the right machine type and SCSI controller, importing both disks, and first-boot verification.
-
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
-
Building a FortiManager Lab on Proxmox — Part 4: A Lab Edge FortiGate VM in Front of FortiManager
Part 4 of the FortiManager-on-Proxmox series. Builds a FortiGate-VM as the lab edge in front of FortiManager, with four NICs mapped to the lab bridges, a scoped policy set, FortiGuard pinhole, local-in policy hardening, and the deny-with-log rule that proves the boundary works.
-
Building a FortiManager Lab on Proxmox — Part 5: Registering Managed FortiGates, ADOMs and Policy Package Installs
Part 5 of the FortiManager-on-Proxmox series. Builds two managed FortiGate VMs, registers them via FGFM through the lab edge, splits them across two ADOMs, deploys a shared policy package with FMG, exercises revision history and rollback, and turns the lab into a snapshotted training platform.
-
FortiOS 7.6.6 SD-WAN: VRF1 Transport and Loopback Design
A refined VRF reference design for FortiOS 7.6.6 — transport in VRF 1, separate transport and management loopbacks, complete management-plane pinning, and NPU-VLINK guidance for inter-VRF acceleration.
-
MP-BGP and VRFs on FortiGate SD-WAN
A practical reference design using MP-BGP (VPNv4) and VRFs on FortiOS to keep management (VRF20), customer SD-WAN (VRF30), and Guest Wi-Fi DIA (VRF99) isolated end-to-end. Includes config, traffic flows, and the gotchas that bite people in production.
-
AI Part 1: Why I Gave Claude Write Access to My Site
A year ago I would have called this irresponsible. Today an MCP server lets Claude write to my site. The trust model isn't "I trust the model" — it's "I trust the blast radius".
-
AI Part 2: The Minimum Viable MCP Server
A personal MCP server is a tiny HTTP service. The spec accommodates a lot of complexity that, if you're the only user, you can stop building. Here's the inventory of what I have running, and what I deliberately left out.
-
AI Part 3: Designing Tools for an LLM, Not for Yourself
The verb in the tool name is the most important part. Descriptions answer the questions a chooser asks, not the questions a maintainer asks. Allowlists fail closed; blocklists fail open. Error messages are also instructions.
-
AI Part 4: Safety Rails — Allowlists, Atomic Writes, Audit Logs, Rollback
About two hundred lines of code, none of them clever, all of them the reason I sleep fine with the service running. Allowlists, atomic writes, an audit log, and a manual rollback path.
-
AI Part 5: Prompt-Driven Authoring in Practice
What's it actually like to use? The honest answer, including where the loop is tight, where it's still clumsy, and the three things I'd warn anyone trying this.
-
AI Part 6: Connector Quirks, Cache Traps, and What I'd Do Differently
Six months in. The cache layer you don't see, OAuth refresh edge cases, and the short list of decisions I'd make differently if I were doing this again from scratch.
-
Building a Polished CLI Tool with Click and Rich: Packaging Network Automation for Other Humans
Turn a working network-automation script into a tool your colleagues will use — moving from argparse to Click, formatted output with Rich, environment-loaded secrets, and pip-installable packaging.
-
iptables to nftables: Migrating Production Firewalls Without Downtime
A working engineer's guide to moving from iptables to nftables on production Linux firewalls — the mental model shift, where iptables-translate misleads you, atomic ruleset swaps, and a clean rollback strategy that means a bad migration costs you seconds, not your weekend.
-
Linux Networking from the Ground Up: Network Namespaces, veth Pairs, and Building a Multi-Router Lab on One Host
Build a real multi-router BGP and OSPF lab on a single Linux box using network namespaces, veth pairs, and FRRouting — no VMs, no containers, no GNS3. A practical walk-through of the primitives that GNS3, Docker, and Kubernetes are quietly using under the hood.
-
NAPALM vs Netmiko: Vendor-Agnostic Config vs Raw CLI, and When You Want Both
A practical comparison of NAPALM and Netmiko for network automation — where Netmiko's raw CLI access is the right answer, where NAPALM's compare/replace/rollback abstraction earns its keep, and the hybrid pattern that most production tooling actually settles on.
-
Netmiko in Practice: From a Show-Command Script to a Repeatable Audit Tool
A working network engineer's guide to Netmiko — starting from a small repo of mine that runs show commands across a JSON inventory, and extending it into something you can use as a real audit tool with structured output, concurrency, secure credentials, and a sane dry-run for config changes.
-
Network Emulation with NETEM: Simulating Latency, Loss, Jitter, and Bandwidth Constraints for Realistic Lab Testing
A practical guide to using Linux's NETEM qdisc to bend networks to your will — adding latency, loss, jitter, duplication, reordering, and bandwidth caps so you can test how applications and protocols actually behave when the network is anything other than perfect.
-
Nornir for Network Engineers: Running Automation Across an Inventory at Scale
A practical introduction to Nornir for engineers whose Netmiko script has grown too big — inventory plugins, structured tasks, parallelism, filtering by site or role, and integrating Netmiko, NAPALM, and pyATS as connection plugins. The framework you reach for once one box has become a hundred.
-
Parsing show Command Output: TextFSM, Genie, and TTP for Structured Data
A practical comparison of the three main ways to turn Cisco show output into structured Python data — TextFSM with NTC Templates, Genie/pyATS, and TTP — with worked examples and rules of thumb for picking the right one.
-
Route Leaking Between VRFs on Cisco IOS: From BGP First Principles to Advanced Manipulation
A practical end-to-end walkthrough of route leaking between VRFs on Cisco IOS — starting with the BGP and VRF fundamentals you need to actually understand what's happening, the static and MP-BGP options for the leak itself, and the route-map machinery that lets you control exactly what crosses.
-
SSH Hardening Beyond the Basics: Certificate Authorities, Bastion Patterns, and Session Auditing
A production-grade SSH setup that goes beyond disabling password auth — running your own SSH CA with short-lived user and host certificates, ProxyJump bastions, ForceCommand restrictions, and recording sessions with tlog and auditd.
-
tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.
-
NSE4 Exam Syllabus: Study Roadmap (Part 1 of 10)
Part 1 of a study series for the Fortinet NSE 4 / FCP FortiGate Administrator certification. Covers exam logistics, the official 16-lesson curriculum grouped into topic buckets, and the roadmap for the rest of the series.
-
NSE4 Part 10: High Availability
Part 10 — the final post in the NSE4 study series. Covers FGCP, active-passive vs active-active, heartbeat and monitor interfaces, session synchronisation, failover behaviour, and the diagnostic output you'll be asked to interpret.
-
NSE4 Part 2: Initial Configuration & the Security Fabric
Part 2 of the NSE4 study series — covers the day-one FortiGate configuration (interfaces, operation modes, admin access, DHCP, FortiGuard) and how the Security Fabric stitches multiple FortiGates and Fortinet products together.
-
NSE4 Part 3: Firewall Policies & NAT
Part 3 of the NSE4 study series — firewall policy structure, lookup order, NGFW modes, central vs policy NAT, source NAT pools, virtual IPs, and the session helpers behind protocol fixups.
-
NSE4 Part 4: Authentication, FSSO & Certificates
Part 4 of the NSE4 study series — local and remote authentication (LDAP, RADIUS), captive portal, Fortinet Single Sign-On (FSSO) modes, and certificate operations including SSL deep inspection.
-
NSE4 Part 5: Logging, Monitoring & Diagnostics
Part 5 of the NSE4 study series — log categories and severity, local vs remote storage, FortiAnalyzer and syslog forwarding, threat weight scoring, and the diagnostic commands you actually reach for under pressure.
-
NSE4 Part 6: Security Profiles — Web, App Control, AV, IPS, DoS
Part 6 of the NSE4 study series — the five security profiles you attach to firewall policies: web filter, application control, antivirus, intrusion prevention, and denial-of-service.
-
NSE4 Part 7: SSL VPN
Part 7 of the NSE4 study series — SSL VPN modes (web, tunnel, full), portals, realms, MFA, split tunnelling and the diagnostic commands for tracking down a stuck client.
-
NSE4 Part 8: IPsec VPN
Part 8 of the NSE4 study series — IKEv1 vs IKEv2, route-based vs policy-based, site-to-site and dial-up, NAT traversal, dead peer detection, and the two diagnostic commands that separate a Phase 1 problem from a Phase 2 problem.
-
NSE4 Part 9: Routing & SD-WAN
Part 9 of the NSE4 study series — static and policy routing, distance vs priority, RPF, OSPF and BGP basics, and how SD-WAN turns a pile of WAN links into a single steered zone with performance SLAs.
-
Route Leaking Between VRFs on FortiGate: Why It's Trickier Than You Think
VRF route leaking is a daily reality in any multi-tenant or shared-services network design. On FortiGate it's harder to find — and harder to get right — than the equivalent on Cisco or Juniper. Here's how to do it, why it's easy to miss, and the practical pitfalls.