DreezSecurityBlogWe want to know who is typing which commands into our firewalls. Because we are using RADIUS auth, all users are “non_local” users in the Linus audit facility…and it was a big beast I did not want to dink with. So I wrote my own 1 liner.
AND because we are using GAIA, the syslog file kept getting overwritten on every reboot.
THIS
Solves both problems.
Audit ON!
dreez
We have a fairly huge dynamic routing infrastructure and the new ‘routed’ daemon was pretty flaky for a long time, since its release April 2013. Last week we finally got a version routed-0.1-cp986005013.i386.rpm that was finally stable and could handle our environment. So I can finally say its time to move dynamic routing to the firewall and you don’t have to worry about crashing your environment when routed suddenly stops working or fails to come up.
Having said that, the management of routed is still weak.
1) No zero downtime upgrades you have to copy routes between members and then delete them
2)Stop/Start clustering and routing separately
3)Debugging is pretty primitive Linux level skills required
Route ON!
dreez
I’m on the edge of this so unfortunately don’t know the details, but my buddy will bring me up on the details as it develops. I have a 1/2 blog created on the details and am trying to bring it up to date.
We are a huge AD/Identity Awareness/Captive Portal shop and so we obviously have been breaking it on many fronts. Specifically, it was SmartDashboard picker slow/timeouts, dogging down WAN lines with tons of AD traffic, and most importantly could not work with AD/LDAP groups, not supporting multiple LDAP AU per AD domain (sk92782), having to adjust priorities on hundreds of AU’s over hundreds of firewalls….I’m not sure of all the other issues.
Basically, it didn’t scale.
CP has been working on it for a year and last week huge a breakthrough. Many of the above issues were fixed in the patches they issued to us. Yeah, there are still problems but it is nice to see things finally working after a year of pushing a boulder uphill. These patches were hot from development so not sure they are up for GA yet.
Anyways if your IA is a leaking rowboat note that a fix is on the way and its not your problem. CP knows about it and is working the issue. But you will have to push hard to get to the right people so start pushing.
IA out!
dreez
Probably 1000 of these, and yes it is a hack but I like learning new tools.
ofiller/odumper is a great tool for large enterprises that need to extract/enter LARGE number IP address and rules into MDS/SmartCenter in an automated way fashion. odumper extracts data into CSV, you can edit and import via ofiller from CSV. This could be especially cool if you want to upgrade/import and get rid of a lot of crap by editing CSV’s and not through the GUI.
So do you have a list of IPs that have to be inputted into MDS or SmartCenter? Well the hump is getting that list of IP addresses into ofiller format.
Here is a VBscript/Excel macro to do just that.
1) INPUT: List of IPs in CSV
2) Run this VB script inside of Excel
3) Voila!!! The output. Ofiller formatted file
4) Input into ofiller
./ofiller.lin -f ~/mds_import.csv -i csv -o dbedit_input.txt
5) Input into MDS (or smartcenter)
mdsenv
dbedit -f dbedit_input.txt
NOTE: R80 will have this built in, but ofiller will still be have a warm place in my heart.
Ofiller OUT,
dreez
UPDATE: 12/1/14: mds_HOTFIX_GYPSY_HF_BASE_748 is the fix and it works in R77.10
UPDATE: 11/13/14: After much hub-bub, this is fixed in R77.30 and they are backporting it to R77.10/20? Will let you know.
With X00 firewalls across X0 domains we live and die by SmartLog. R77.10 SmartLog is awesome, its fast, finally stable. It alone is sufficient reason to chuck any other firewall product.
Except!!!
They changed the way permissions work in R77.10. Now only Domain Super-users and MDS Super users can use MDS SmartLog. This takes my breath away. Our front-line domain managers (SOC, NOC, Audit, IPS, Security/Risk Management) use SmartLog for debugging not only firewall problems but network problems in general….across all domains. They are not interested what domain the problem is…they just want to know where it is in the enterprise. Domain Super users and MDS Super users only use SmartLog a couple times a week for escalated calls.
So WHY???? restrict permissions to an awesome market changing tool to people that only use it a couple times a week??
Ugh….
dreez
This is a dumb one on my part so learn from my mistakes.
On my MDS’s I use WebUI to schedule backups. I like to restore using command line so I can see when it blows up. Well, there are at least 5 backup and restore commands
So make sure you use the right restore with the right backup. I wound up using CLISH after 3 tries.
And make sure you test the integrity of your backups. Word from old and lesser dumb.
Backup OUT!
dreez
So you might have not noticed but logging HA is not quite the HA you think it is. About 10-20% of our 350 firewalls fail to HA and either just stop logging or log locally until we nudge them….or maybe we screwed something up.
Anyways….So how do you know which ones are not HA?
You don’t, until now. (OKAY it is a kludge but the best I know how)
Seems to me a $$$$$ gazillion dollar HA logging system should do HA. Probably fixed in R80.
Oh yeah, I’ve been using this in Cattools to nudge them:
cpwd_admin stop -name FWD -path “$FWDIR/bin/fw” -command “fw kill fwd”
cpwd_admin start -name FWD -path “$FWDIR/bin/fwd” -command “fwd”
Logging off
dreez
"The most difficult thing is the decision to act, the rest is merely tenacity." -Amelia Earhart
These are stories from my travels. Generally I like to write stories about local people that I meet and also brag about living the retirement dream with my #1 wife Gaby. She is also my only wife.
DreezSecurityBlog 