topic SMB appliances regular updates and policy pulls in Spark Firewall (SMB)

SMB appliances regular updates and policy pulls

G_W_Albrecht — Tue, 02 Jul 2019 13:23:37 GMT

The big difference when comparing centrally managed SMB to a standard CP Gateway is that we have no policy install, but rather a policy pull from the device - very appropriate for DAIP configurations ! The SMB GW asks the Management every 5 minutes if the policy has changed - see the corresponding entries in /var/log/log/sfwd.elg:

[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] Fetching Security Policy from '172.27.39.198'
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] Local Security Policy is Up-To-Date.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] The Security Policy was not installed because it is the same as the Policy already on the Module.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] Fetching Threat Prevention Policy from '172.27.39.198'
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] Local Threat Prevention Policy is Up-To-Date.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] The Threat Prevention Policy was not installed because it is the same as the Policy already on the Module.

Firmware upgrade check can also be found in sfwd.elg - it is logged additionally also in

/var/log/log/check_available_firmware.elg:

[check_available_firmware 5451 1996578816]@zwelfhundertr[14 Mar 13:35:53] check_available_firmware: Thu Mar 14 13:35:53 2019
[check_available_firmware 6332 2011901952]@zwelfhundertr[14 Mar 16:11:28] check_available_firmware: Thu Mar 14 16:11:28 2019

Licenses are synced with UserCenter every hour - see /var/log/log/uc_activation.elg:

[uc_activation 7732 1998979072]@zwelfhundertr[19 Mar 5:22:07] uc_activation: Tue Mar 19 05:22:07 2019

main: setting do_refresh
UCACT_write_blades: g_n_items=12 g_lic_exp=null pnp_stat=TP_EXPIRED_LIC
UCACT_write_blades: lic_exist=1 lic_exp=Feb 4, 2020

[uc_activation 7944 2006491136]@zwelfhundertr[19 Mar 6:22:03] uc_activation: Tue Mar 19 06:22:03 2019

main: setting do_refresh
UCACT_write_blades: g_n_items=12 g_lic_exp=null pnp_stat=TP_EXPIRED_LIC
UCACT_write_blades: lic_exist=1 lic_exp=Feb 4, 2020

TED wants all 12 hours his License refreshment, see /var/log/log/ted.elg:

[ 12673 2002706432][16 Mar 2:13:54] [TE_TRACE]: Starting licenses refreshment
[ 12673 2002706432][16 Mar 14:13:54] [TE_TRACE]: Starting licenses refreshment
[ 12673 2002706432][17 Mar 2:13:54] [TE_TRACE]: Starting licenses refreshment

So we can see that there is really a lot of work to do even for the small ones 😉

Also see this list SMB documents for more.

Re: SMB appliances regular updates and policy pulls

Maarten_Sjouw — Tue, 19 Mar 2019 12:11:59 GMT

Gunther,
Do you know if the fw fetch on SMB can be forced? We recently had a 1100 gateway that just did not want to update it's policy and finally after a reboot and push on a fixed IP, I was able to replace the policy, it just did not update before that.

Re: SMB appliances regular updates and policy pulls

G_W_Albrecht — Tue, 19 Mar 2019 13:38:35 GMT

Yes, see sk117473: Manual policy fetch on SMB device

# fw -d fetch

Re: SMB appliances regular updates and policy pulls

Maarten_Sjouw — Tue, 19 Mar 2019 13:51:31 GMT

Nope, that is a debug, but still uses the local policy, does not force a fetch from management.

Re: SMB appliances regular updates and policy pulls

G_W_Albrecht — Tue, 19 Mar 2019 14:48:22 GMT

Yes, it is debug for much more fun 😉

[Expert@zwelfhundertr]# fw fetch
Fetching Security Policy from '172.27.39.198'

Local Security Policy is Up-To-Date.

Installing Security Policy...

Installing Security Policy Succeeded.
Done.
[Expert@zwelfhundertr]#

Also possible to use as fw fetch <ip address of mgmt>. According to sk119332, Security policy changes must be pushed to the Security Gateway before they will be implemented by an "fw fetch" command. The "fw fetch" compares the compiled policy on the Security Management server with the latest policy on the Security Gateway.

Re: SMB appliances regular updates and policy pulls

Maarten_Sjouw — Tue, 19 Mar 2019 15:22:48 GMT

Gunther,

I am aware of how it should work, but in some cases you did make changes and the gateway (in our case) just kept saying the local was up to date and the GUI showed a policy installed at 10:30 while we made changes at 10:45 and pushed policy, log was flowing, but at 11:00 it was still showing that the 10:30 policy was loaded.
Doing the fw fetch also said local security policy is up to date.
Hence I wanted to see if there is a way to Force the fetch and discard the local copy.

Re: SMB appliances regular updates and policy pulls

G_W_Albrecht — Wed, 20 Mar 2019 07:50:25 GMT

Here you should involve TAC - policy install is done to make the GW use the new rules, so such a behaviour is a bug !

Re: SMB appliances regular updates and policy pulls

G_W_Albrecht — Wed, 20 Mar 2019 08:35:44 GMT

Please also consult sk119332 !

Re: SMB appliances regular updates and policy pulls

G_W_Albrecht — Wed, 20 Mar 2019 09:03:06 GMT

What i also know is the clish variant: # fetch policy mgmt-ipv4-address x.x.x.x#

But i fear that also here only the compiled policy from SMS is checked and local policy not discarded ! But of course we have a method to achive what you want:

- switch Security Management to local mode
- switch back to central mamagement
- re-establish SIC with the SMS
- Security policy is loded from SMS and installed