Re: [fw-wiz] Scheduling PIX commands
Lord Spork,

I suggested being within earshot of the rack containing the firewall at 2
AM when I read this:

QUOTE
The only problem with this
is that we also have another system that will react badly (to put it
mildly) to the state of all its connections disappearing when we do
this. This system gets an hour's downtime at 2am, so the ideal time to
clear the xlates on the PIX seems obvious.
UNQUOTE

I'm seeing more and more (web) application development that is (heavily)
dependent on monitoring the state of connections (back to the client and /
or off to other data sources on a DMZ or internal network). Add to the mix
that these types of applications are closely monitored, so you might want to
annotate the logs (or make a note) about the application restart and
associated FW clear xlate action.

If you don't do it right and it doesn't work you'll wish you'd been awake at
2 AM and at work.

Liberty,

Brian

Date: Mon, 4 Aug 2008 19:19:08 -0700
From: "Lord Sporkton" <lordsporkton@xxxxxxxxx>
Subject: Re: [fw-wiz] Scheduling PIX commands
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID:
<a1bf75ae0808041919v525fbf93sf4ceddfb4f26568@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

I know it's a good idea to be within reboot distance of a device if
you are changing the configuration, but if all you are doing is
clearing the xlate table, I don't see how that could go very wrong.


@OP
I could be wrong, but wouldn't 99% of your connections time out and
clear from the xlate table within 24 hours anyway? If you have to wait
till the middle of the night anyway, why not just let it ride out? (Not
sure if that's acceptable or not in your situation.)


I ask especially because I have considered this many times myself.

2008/8/4 Brian Ford <brford@xxxxxxxxx>:
Ian,

This is why you are paid the big bucks (or pounds).

Even if there was a way of executing a clear xlate (or any other connection
impacting command) you should be sitting in front of a console within a few
minutes walk of the actual appliance when you execute the command.

You should also be thinking about testing that the Firewall and associated
equipment is back up and running properly after the action as part of your
change control activity.

Liberty,

Brian

On 7/9/08 12:00 PM, "firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx"
<firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx> wrote:

Date: Thu, 03 Jul 2008 15:22:49 +0100
From: "Ian Rarity" <Ian.Rarity@xxxxxxxx>
Subject: [fw-wiz] Scheduling PIX commands
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx>
Message-ID: <486CEECC.30AB.00D5.0@xxxxxxxx>
Content-Type: text/plain; charset=US-ASCII

Hi all,

We've just made some changes to our PIX config, and we need to clear
the xlates to make the changes fully live. The only problem with this
is that we also have another system that will react badly (to put it
mildly) to the state of all its connections disappearing when we do
this. This system gets an hour's downtime at 2am, so the ideal time to
clear the xlates on the PIX seems obvious.
The only problem is that, although I'm mainly nocturnal, I really can
think of better things to be doing at 2am than sitting in our server
room. Does anyone know of a way to schedule commands to run at a
specified time on a PIX 6.3 firewall?

Ta,
IR.

*********************************
Ian Rarity
Technical Engineer
ESPC (UK) Ltd.
T: (44)131 624 8000
F: (44)131 624 8509
http://www.espc.com/

http://onthefirewall.blogspot.com/
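PIX 6.3 has no built-in scheduler, so the usual answer to Ian's question is to run the command from a management host that does have one (cron or at(1)) and to have that job do the things Brian asks for: write an annotation the application team can correlate with their reconnect storm, and verify the unit still answers afterwards. The script below is an added example written for this page, not code from the thread or from Cisco. Everything in it is assumed: the hostname, the "pix" SSH login, the enable-password file, the log path, and the "N in use, M most used" wording of "show xlate count" that it parses; check that wording against your own unit before relying on the verify step.

```shell
#!/bin/sh
# Added example (not from the thread): run "clear xlate" on a PIX from a
# management host at a scheduled time, because PIX 6.3 has no scheduler.
# Assumptions (all hypothetical): PIX_HOST is reachable over SSH with the
# PIX "pix" login, the enable password sits in a root-only file, and this
# script is started by cron or at(1) on the management host, e.g.
#   0 2 * * *  /usr/local/sbin/pix-clear-xlate.sh --run
#   echo '/usr/local/sbin/pix-clear-xlate.sh --run' | at 02:00

PIX_HOST="${PIX_HOST:-pix.example.invalid}"        # placeholder hostname
PIX_USER="${PIX_USER:-pix}"                         # PIX 6.x SSH login name
ENABLE_PASS_FILE="${ENABLE_PASS_FILE:-/etc/pix-enable.secret}"  # mode 0600
LOG="${LOG:-/var/log/pix-clear-xlate.log}"
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print, do not ssh

# Command script sent to the PIX. "show xlate count" before and after the
# clear gives the evidence to attach to the change record.
build_pix_script() {
    printf 'enable\n%s\nshow xlate count\nclear xlate\nshow xlate count\nexit\n' "$1"
}

# Extract the number of entries from a "show xlate count" line such as
# "1234 in use, 5678 most used" (assumed format; verify on your unit).
xlate_in_use() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\) in use.*/\1/p'
}

# Timestamped annotation so the application team can correlate their
# connection loss with the firewall action.
annotate() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# Send the script to the PIX; in dry-run mode echo it with the secret masked.
run_on_pix() {
    if [ "$DRY_RUN" = "1" ]; then
        build_pix_script '<enable-password>'
    else
        build_pix_script "$(cat "$ENABLE_PASS_FILE")" | ssh "$PIX_USER@$PIX_HOST"
    fi
}

# The whole maintenance action: annotate, clear, confirm the unit answered.
clear_xlate_window() {
    annotate "BEGIN clear xlate on $PIX_HOST (application maintenance window)"
    out=$(run_on_pix) || { annotate "FAILED: ssh to $PIX_HOST returned $?"; return 1; }
    printf '%s\n' "$out" >> "$LOG"
    # Last "in use" figure reported; empty means the PIX never answered.
    after=$(printf '%s\n' "$out" | grep 'in use' | tail -n 1)
    if [ "$DRY_RUN" != "1" ] && [ -z "$after" ]; then
        annotate "FAILED: no 'show xlate count' output, check the firewall now"
        return 2
    fi
    count=$(xlate_in_use "$after")
    annotate "END clear xlate on $PIX_HOST; xlates in use now: ${count:-n/a}"
    return 0
}

if [ "${1:-}" = "--run" ]; then
    clear_xlate_window
fi
```

Run it once by hand with DRY_RUN=1 to see exactly what would be sent, then schedule it with DRY_RUN=0. A non-zero exit from the job (no answer from the PIX) is the signal to page whoever is on call, which is the practical substitute for sitting in the server room. On Lord Sporkton's point about letting the table age out: the PIX default is "timeout xlate 3:00:00", so "show timeout" and a "show xlate count" before the window tell you whether a forced clear is needed at all.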


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

