Re: [fw-wiz] Scheduling PIX commands - Firewalls



Thread: Re: [fw-wiz] Scheduling PIX commands

  1. Re: [fw-wiz] Scheduling PIX commands

    Ian,

    This is why you are paid the big bucks (or pounds).

    Even if there was a way of executing a clear xlate (or any other connection
    impacting command) you should be sitting in front of a console within a few
    minutes walk of the actual appliance when you execute the command.

    You should also be thinking about testing that the Firewall and associated
    equipment is back up and running properly after the action as part of your
    change control activity.

    Liberty,

    Brian

    On 7/9/08 12:00 PM, "firewall-wizards-request@listserv.icsalabs.com"
    wrote:

    > Date: Thu, 03 Jul 2008 15:22:49 +0100
    > From: "Ian Rarity"
    > Subject: [fw-wiz] Scheduling PIX commands
    > To: "Firewall Wizards Security Mailing List"
    >
    > Message-ID: <486CEECC.30AB.00D5.0@espc.com>
    > Content-Type: text/plain; charset=US-ASCII
    >
    > Hi all,
    >
    > We've just made some changes to our PIX config, and we need to clear
    > the xlates to make the changes fully live. The only problem with this
    > is that we also have another system that will react badly (to put it
    > mildly) to the state of all its connections disappearing when we do
    > this. This system gets an hour's downtime at 2am, so the ideal time to
    > clear the xlates on the PIX seems obvious.
    > The only problem is that, although I'm mainly nocturnal, I really can
    > think of better things to be doing at 2am than sitting in our server
    > room. Does anyone know of a way to schedule commands to run at a
    > specified time on a PIX 6.3 firewall?
    >
    > Ta,
    > IR.
    >
    > *********************************
    > Ian Rarity
    > Technical Engineer
    > ESPC (UK) Ltd.
    > T: (44)131 624 8000
    > F: (44)131 624 8509
    > http://www.espc.com ( http://www.espc.com/ )


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] Scheduling PIX commands

    I know it's a good idea to be within reboot distance of a device if
    you are changing the configuration, but if all you are doing is
    clearing the xlate table, I don't see how that could go very wrong.


    @OP
    I could be wrong, but wouldn't 99% of your connections time out and
    clear from the xlate table within 24 hours anyway? If you have to wait
    till the middle of the night anyway, why not just let it ride out? (Not
    sure if that's acceptable or not in your situation.)


    I ask especially because I have considered this many times myself.

    2008/8/4 Brian Ford :
    > Ian,
    >
    > This is why you are paid the big bucks (or pounds).
    >
    > Even if there was a way of executing a clear xlate (or any other connection
    > impacting command) you should be sitting in front of a console within a few
    > minutes walk of the actual appliance when you execute the command.
    >
    > You should also be thinking about testing that the Firewall and associated
    > equipment is back up and running properly after the action as part of your
    > change control activity.
    >
    > Liberty,
    >
    > Brian
    >
    > On 7/9/08 12:00 PM, "firewall-wizards-request@listserv.icsalabs.com"
    > wrote:
    >
    >> Date: Thu, 03 Jul 2008 15:22:49 +0100
    >> From: "Ian Rarity"
    >> Subject: [fw-wiz] Scheduling PIX commands
    >> To: "Firewall Wizards Security Mailing List"
    >>
    >> Message-ID: <486CEECC.30AB.00D5.0@espc.com>
    >> Content-Type: text/plain; charset=US-ASCII
    >>
    >> Hi all,
    >>
    >> We've just made some changes to our PIX config, and we need to clear
    >> the xlates to make the changes fully live. The only problem with this
    >> is that we also have another system that will react badly (to put it
    >> mildly) to the state of all its connections disappearing when we do
    >> this. This system gets an hour's downtime at 2am, so the ideal time to
    >> clear the xlates on the PIX seems obvious.
    >> The only problem is that, although I'm mainly nocturnal, I really can
    >> think of better things to be doing at 2am than sitting in our server
    >> room. Does anyone know of a way to schedule commands to run at a
    >> specified time on a PIX 6.3 firewall?
    >>
    >> Ta,
    >> IR.
    >>
    >> *********************************
    >> Ian Rarity
    >> Technical Engineer
    >> ESPC (UK) Ltd.
    >> T: (44)131 624 8000
    >> F: (44)131 624 8509
    >> http://www.espc.com ( http://www.espc.com/ )





    --
    -Lawrence


  3. Re: [fw-wiz] Scheduling PIX commands

    Yes, the xlates should time out, but that all depends on how they are
    configured. You can create a global timeout or one that is done
    through your translations such as with the static command. So in
    short, what is the timeout configured for this system? By default I
    think the timeout is set to 3 hours anyway. So if you went ahead and
    made the xlate change it should start using the new translation and
    the old xlate will persist until they are idle for 3 hours (if
    configured for the default).
    Now if this system is never idle for 3 hours but there are moments
    where it is idle for at least one minute, you could change the timeout
    variable for this one translation (if a one-to-one static is set) or
    globally for one minute. Once you see that it has been idle for at
    least a minute then it should start using the new translation. Now
    this is one convoluted way of doing it, whereas a clear xlate should
    only kill the current active sessions and they will be immediately rebuilt
    on the next couple of packets.

    Kevin

    On Mon, Aug 4, 2008 at 10:19 PM, Lord Sporkton wrote:
    > I know it's a good idea to be within reboot distance of a device if
    > you are changing the configuration, but if all you are doing is
    > clearing the xlate table, I don't see how that could go very wrong.
    >
    >
    > @OP
    > I could be wrong, but wouldn't 99% of your connections time out and
    > clear from the xlate table within 24 hours anyway? If you have to wait
    > till the middle of the night anyway, why not just let it ride out? (Not
    > sure if that's acceptable or not in your situation.)
    >
    >
    > I ask especially because I have considered this many times myself.
    >
    > 2008/8/4 Brian Ford :
    >> Ian,
    >>
    >> This is why you are paid the big bucks (or pounds).
    >>
    >> Even if there was a way of executing a clear xlate (or any other connection
    >> impacting command) you should be sitting in front of a console within a few
    >> minutes walk of the actual appliance when you execute the command.
    >>
    >> You should also be thinking about testing that the Firewall and associated
    >> equipment is back up and running properly after the action as part of your
    >> change control activity.
    >>
    >> Liberty,
    >>
    >> Brian
    >>
    >> On 7/9/08 12:00 PM, "firewall-wizards-request@listserv.icsalabs.com"
    >> wrote:
    >>
    >>> Date: Thu, 03 Jul 2008 15:22:49 +0100
    >>> From: "Ian Rarity"
    >>> Subject: [fw-wiz] Scheduling PIX commands
    >>> To: "Firewall Wizards Security Mailing List"
    >>>
    >>> Message-ID: <486CEECC.30AB.00D5.0@espc.com>
    >>> Content-Type: text/plain; charset=US-ASCII
    >>>
    >>> Hi all,
    >>>
    >>> We've just made some changes to our PIX config, and we need to clear
    >>> the xlates to make the changes fully live. The only problem with this
    >>> is that we also have another system that will react badly (to put it
    >>> mildly) to the state of all its connections disappearing when we do
    >>> this. This system gets an hour's downtime at 2am, so the ideal time to
    >>> clear the xlates on the PIX seems obvious.
    >>> The only problem is that, although I'm mainly nocturnal, I really can
    >>> think of better things to be doing at 2am than sitting in our server
    >>> room. Does anyone know of a way to schedule commands to run at a
    >>> specified time on a PIX 6.3 firewall?
    >>>
    >>> Ta,
    >>> IR.
    >>>
    >>> *********************************
    >>> Ian Rarity
    >>> Technical Engineer
    >>> ESPC (UK) Ltd.
    >>> T: (44)131 624 8000
    >>> F: (44)131 624 8509
    >>> http://www.espc.com ( http://www.espc.com/ )


    >
    >
    >
    > --
    > -Lawrence



  4. Re: [fw-wiz] Scheduling PIX commands

    >>> "Lord Sporkton" 05/08/2008 03:19 >>>
    >I know it's a good idea to be within reboot distance of a device if
    >you are changing the configuration, but if all you are doing is
    >clearing the xlate table, I don't see how that could go very wrong.


    Neither did I, until the first time I tried it on our live system.

    >I could be wrong, but wouldn't 99% of your connections time out and
    >clear from the xlate table within 24 hours anyway? If you have to wait
    >till the middle of the night anyway, why not just let it ride out? (Not
    >sure if that's acceptable or not in your situation.)


    That would be the case for most normal apps, yes. However, the
    lumbering JBoss-based monstrosity that was my main concern for this job
    doesn't like it at all, and needs the actual application to be restarted
    before it'll start playing nice again. I ended up using a cronned
    expect script, for what it's worth.

    Ta,
    IR.

    *********************************
    Ian Rarity
    Technical Engineer
    ESPC (UK) Ltd.
    T: (44)131 624 8000
    F: (44)131 624 8509
    http://www.espc.com ( http://www.espc.com/ )


    *******************************************************************
    Private and Confidential: This e-mail transmission is strictly
    confidential and intended solely for the addressee. It may contain
    privileged and confidential information and if you are not the
    intended recipient, you must not copy, disclose, distribute or
    take any action in reliance on it. If you have received this
    e-mail in error, please delete it and notify our E-mail Systems
    Administrator on +44 (0) 131 624 8000. ESPC (UK) Ltd does not
    accept any liability for any harm that may be caused to the
    recipient's system or data by this message or any attachment.

    ESPC (UK) Ltd is a company registered under the Companies
    Acts in Scotland (Registered Number SC203535), and having its
    registered office at 90A George Street, Edinburgh, Midlothian
    EH2 3DF.

    ESPC (UK) Limited is authorised and regulated by the Financial
    Services Authority.
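    Ian says he ended up with a cronned expect script, and Brian's point earlier in the thread is that whoever runs a connection-impacting command should also check that the firewall is passing traffic afterwards. The script below is an added example of that pattern, not Ian's actual script. It assumes a PIX 6.3 that accepts SSH logins as user "pix" without AAA, that the login and enable passwords are supplied in the environment variables PIX_LOGIN_PASS and PIX_ENABLE_PASS (names chosen for this example), that "show xlate count" answers with a single "N in use, M most used" line, and that the PIX 6.x ping command prints one "response received" line per reply; the host and enable prompts are matched on their trailing ">" and "#".

```expect
#!/usr/bin/expect -f
# Added example, not the original poster's script: clear the xlate table
# on a PIX 6.3 from cron and fail loudly if the firewall is not passing
# traffic afterwards. Assumed environment: PIX_LOGIN_PASS / PIX_ENABLE_PASS
# (hypothetical variable names), SSH login as user "pix" (no AAA).

if {[llength $argv] != 2} {
    puts stderr "usage: clear-xlate.exp <pix-host> <ping-target-behind-pix>"
    exit 2
}
set pix    [lindex $argv 0]
set target [lindex $argv 1]
set pass   $env(PIX_LOGIN_PASS)
set enpw   $env(PIX_ENABLE_PASS)
set timeout 20
log_user 0

# Send one command and return the text printed before the next "#" prompt.
proc run {cmd} {
    send "$cmd\r"
    expect -re {(.*)\r\n[^\r\n]*# $}
    return [string trim $expect_out(1,string)]
}

# StrictHostKeyChecking=yes: the PIX host key must already be in known_hosts,
# so a cron job never silently accepts a new key from an interposed host.
spawn ssh -o StrictHostKeyChecking=yes pix@$pix
expect {
    -re {[Pp]assword:} { send "$pass\r" }
    timeout { puts stderr "no login prompt from $pix"; exit 1 }
    eof     { puts stderr "ssh to $pix failed (host key? SSHv1?)"; exit 1 }
}
expect {
    -re {> $} {}
    timeout { puts stderr "login to $pix rejected"; exit 1 }
}
send "enable\r"
expect -re {[Pp]assword:}
send "$enpw\r"
expect {
    -re {# $} {}
    timeout { puts stderr "enable on $pix rejected"; exit 1 }
}

set before [run "show xlate count"]
run "clear xlate"
set after  [run "show xlate count"]

# Post-change check (Brian's point): ping something on the far side of the
# firewall and count the replies. Assumption: PIX 6.x prints one
# "response received" line per reply.
set ping    [run "ping $target"]
set replies [regexp -all {response received} $ping]

puts "xlates before: $before"
puts "xlates after:  $after"
puts "ping $target: $replies replies"
send "exit\r"
expect eof

if {$replies == 0} {
    puts stderr "post-clear ping to $target got no replies:\n$ping"
    exit 1
}
exit 0
```

Run it from cron at the start of the 2am window, e.g. `0 2 * * * . /etc/pix-creds && /usr/local/sbin/clear-xlate.exp 192.0.2.1 10.0.0.5`, where `/etc/pix-creds` (assumed path) is a root-only, mode 0600 file exporting the two password variables rather than putting them on the crontab line where `ps` and the crontab itself would expose them. A non-zero exit status is what turns the script into a check rather than a blind fire-and-forget; route cron's mail or the exit status into whatever pages the on-call engineer. Two caveats specific to a PIX 6.3: it only speaks SSH protocol 1, which current OpenSSH clients no longer implement, so this needs a legacy client or (worse) telnet over a dedicated management network; and if the pager is enabled, a long `show xlate` would stall on "<--- More --->", which is why the script only uses the one-line `show xlate count`.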

