Re: [fw-wiz] Scheduling PIX commands
- From: Brian Ford <brford@xxxxxxxxx>
- Date: Tue, 05 Aug 2008 10:58:40 -0400
Lord Spork,
I suggested being within ear shot of the rack containing the Firewall at 2
AM when I read this:
QUOTE
UNQUOTEThe only problem with this
is that we also have another system that will react badly (to put it
mildly) to the state of all its connections disappearing when we do
this. This system gets an hour's downtime at 2am, so the ideal time to
clear the xlates on the PIX seems obvious.
I?m seeing more and more (web) application development that are (heavily)
dependent of monitoring the state of connections (back to the client and /
or off to other data sources on a DMZ or internal network). Add to the mix
that these types of applications are closely monitored so you might want to
annotate the logs (or make a note) about the application restart and
associated FW clear xlate action.
If you don¹t do it right and it doesn¹t work you¹ll wish you¹d been awake at
2 AM and at work.
Liberty,
Brian
Date: Mon, 4 Aug 2008 19:19:08 -0700
From: "Lord Sporkton" <lordsporkton@xxxxxxxxx>
Subject: Re: [fw-wiz] Scheduling PIX commands
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Message-ID:
<a1bf75ae0808041919v525fbf93sf4ceddfb4f26568@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1
I know its a good idea to be with in reboot distance of a device if
you are changing the configuration, but if all you are doing is
clearing the xlate table, i dont see how that could go very wrong.
@OP
I could be wrong, but wouldnt 99% of your connections time out and
clear from the xlate table within 24 hours anyway? If you have to wait
till the middle of the night anyway, why not just let it ride out?(not
sure if thats acceptable or not in your situation)
I ask especially because i have considered this many times myself
2008/8/4 Brian Ford <brford@xxxxxxxxx>:
Ian,
This is why you are pad the big bucks (or pounds).
Even if there was a way of executing a clear xlate (or any other connection
impacting command) you should be sitting in front of a console within a few
minutes walk of the actual appliance when you execute the command.
You should also be thinking about testing that the Firewall and associated
equipment is back up and running properly after the action as part of your
change control activity.
Liberty,
Brian
On 7/9/08 12:00 PM, "firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx"
<firewall-wizards-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Date: Thu, 03 Jul 2008 15:22:49 +0100
From: "Ian Rarity" <Ian.Rarity@xxxxxxxx>
Subject: [fw-wiz] Scheduling PIX commands
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx>
Message-ID: <486CEECC.30AB.00D5.0@xxxxxxxx>
Content-Type: text/plain; charset=US-ASCII
Hi all,
We've just made some changes to our PIX config, and we need to clear
the xlates to make the changes fully live. The only problem with this
is that we also have another system that will react badly (to put it
mildly) to the state of all its connections disappearing when we do
this. This system gets an hour's downtime at 2am, so the ideal time to
clear the xlates on the PIX seems obvious.
The only problem is that, although I'm mainly nocturnal, I really can
think of better things to be doing at 2am than sitting in our server
room. Does anyone know of a way to schedule commands to run at a
specified time on a PIX 6.3 firewall?
Ta,
IR.
*********************************
Ian Rarity
Technical Engineer
ESPC (UK) Ltd.
T: (44)131 624 8000
F: (44)131 624 8509
http://www.espc.com ( http://www.espc.com/ )
http://onthefirewall.blogspot.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Prev by Date: Re: [fw-wiz] pix/proxy issue
- Next by Date: Re: [fw-wiz] Scheduling PIX commands
- Previous by thread: Re: [fw-wiz] Scheduling PIX commands
- Next by thread: [fw-wiz] Cisco PIX End of Sale Announcement Posted
- Index(es):
Relevant Pages
|
