Educause Security Discussion mailing list archives

Re: Fortinet vs. Palo Alto

From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Fri, 25 Feb 2011 16:02:18 -0600

Not much of the "first time asked" in the last year or so.  We're big enough that almost any product that works for us 
is imagined to be a potential US-Federal sale, so v6 is not completely unknown.

Known, ready, capable, fully-featured... it's pretty much all on the lefthand side of the scale.  A few in the middle.

For fun, ask an Enterprise Vulnerability Management vendor about asset discovery and v6 sometime.  You can really 
separate those with clue from the poseurs.

The really long poles, however, seem to be in address-based policy enforcement, network management, and network 
monitoring.  There's an *awful* lot of fields in databases and UIs that need to be changed.  As well, the 
field-validation routines.  Those are just the ones I've seen recently.

Setting up the networks is work, especially for those who haven't run multiple addressing and service schemes over a 
single network like us graybeards did back in the day.  The applications (server or client) that will have to talk 
dual-stack or 6-only are gonna be work.  Touching all the applications to monitor and manage all the information around 
v4+v6... that's gonna be quite an effort.

And there's gonna be surprises.  "Hey, this is gonna be OK - we'll terminate v6 at the front of the load balancer, 
leave all the datacenter apps on v4!  Win!"
"Didn't you mention once that we inject a synthesized header into the inside http stream from the LB to the app 
servers, carrying the apparent global IP address of the client inside?"
"Oh.   Um..."
"Don't we write that into a table for session-state tracking?  And log it?"


Valdis Kletnieks <Valdis.Kletnieks () VT EDU> 2011-02-25 15:37 >>>
On Fri, 25 Feb 2011 15:30:35 CST, John Ladwig said:
I ask that question a lot.

How often do the vendors lie and say "You're the first customer to ask about IPv6"? ;)

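The load-balancer "surprise" above, as an added example that is not part of the thread: a backend that validates the client address carried in the LB's synthesized header before writing it to a session table. The header name (X-Forwarded-For), the assumption that the LB overwrites it so its first entry is trustworthy, and the column widths are all assumptions for illustration; the legacy dotted-quad check stands in for the field-validation routines the post says need changing.

```python
import ipaddress
import re
from typing import Optional

# Legacy routine (constructed): a dotted-quad regex and a 15-character column,
# typical of code written when every client address was IPv4.
LEGACY_COLUMN_WIDTH = 15
_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def legacy_validate(value: str) -> bool:
    """Accept only a dotted-quad IPv4 string that fits the old column."""
    return bool(_DOTTED_QUAD.match(value)) and len(value) <= LEGACY_COLUMN_WIDTH


# Dual-stack routine: parse with the standard library, normalise the text
# (compressed IPv6, IPv4-mapped folded back to IPv4) and size the column for
# the widest canonical form, "0000:0000:0000:0000:0000:ffff:255.255.255.255".
DUAL_STACK_COLUMN_WIDTH = 45


def normalize_client_address(value: str) -> Optional[str]:
    """Return canonical text for an IPv4 or IPv6 address, or None if invalid."""
    candidate = value.strip()
    # Literal hosts copied from URLs may carry brackets: "[2001:db8::1]"
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    # Fold ::ffff:a.b.c.d to a.b.c.d so one client yields one session key
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def client_from_forwarded_header(header_value: str) -> Optional[str]:
    """Leftmost entry of the (assumed) X-Forwarded-For value set by the LB.

    Assumption: the LB replaces any inbound copy of the header, so the first
    entry is the address the LB observed, not one supplied by the client.
    """
    first = header_value.split(",")[0]
    return normalize_client_address(first)


def fits_session_column(normalized: str, width: int = DUAL_STACK_COLUMN_WIDTH) -> bool:
    """True if the canonical text fits the session-state column of `width`."""
    return len(normalized) <= width
```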