Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Sapphire

SMB appliances regular updates and policy pulls

Jump to solution

The big difference when comparing centrally managed SMB to a standard CP Gateway is that we have no policy install, but rather a policy pull from the device - very appropriate for DAIP configurations ! The SMB GW asks the Management every 5 minutes if the policy has changed - see the corresponding entries in /var/log/log/sfwd.elg:

[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] Fetching Security Policy from '172.27.39.198'
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] Local Security Policy is Up-To-Date.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:06:59] The Security Policy was not installed because it is the same as the Policy already on the Module.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] Fetching Threat Prevention Policy from '172.27.39.198'
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] Local Threat Prevention Policy is Up-To-Date.
[sfwd 4538 2000560128]@zwelfhundertr[19 Mar 10:07:24] The Threat Prevention Policy was not installed because it is the same as the Policy already on the Module.

Firmware upgrade check can also be found in sfwd.elg - it is logged additionally also in

/var/log/log/check_available_firmware.elg:

[check_available_firmware 5451 1996578816]@zwelfhundertr[14 Mar 13:35:53] check_available_firmware: Thu Mar 14 13:35:53 2019
[check_available_firmware 6332 2011901952]@zwelfhundertr[14 Mar 16:11:28] check_available_firmware: Thu Mar 14 16:11:28 2019

Licenses are synced with UserCenter every hour - see /var/log/log/uc_activation.elg:

[uc_activation 7732 1998979072]@zwelfhundertr[19 Mar 5:22:07] uc_activation: Tue Mar 19 05:22:07 2019

main: setting do_refresh
UCACT_write_blades: g_n_items=12 g_lic_exp=null pnp_stat=TP_EXPIRED_LIC
UCACT_write_blades: lic_exist=1 lic_exp=Feb 4, 2020

[uc_activation 7944 2006491136]@zwelfhundertr[19 Mar 6:22:03] uc_activation: Tue Mar 19 06:22:03 2019

main: setting do_refresh
UCACT_write_blades: g_n_items=12 g_lic_exp=null pnp_stat=TP_EXPIRED_LIC
UCACT_write_blades: lic_exist=1 lic_exp=Feb 4, 2020

TED wants all 12 hours his License refreshment, see /var/log/log/ted.elg:

[ 12673 2002706432][16 Mar 2:13:54] [TE_TRACE]: Starting licenses refreshment
[ 12673 2002706432][16 Mar 14:13:54] [TE_TRACE]: Starting licenses refreshment
[ 12673 2002706432][17 Mar 2:13:54] [TE_TRACE]: Starting licenses refreshment

So we can see that there is really a lot of work to do even for the small ones 😉

SMB_Policy.png

Also see this list SMB documents for more. 

Tags (1)
1 Solution

Accepted Solutions
Highlighted
Sapphire

What i also know is the clish variant: # fetch policy mgmt-ipv4-address x.x.x.x#

But i fear that also here only the compiled policy from SMS is checked and local policy not discarded ! But of course we have a method to achive what you want:

- switch Security Management to local mode
- switch back to central mamagement
- re-establish SIC with the SMS
- Security policy is loded from SMS and installed

View solution in original post

0 Kudos
8 Replies
Highlighted
Gunther,
Do you know if the fw fetch on SMB can be forced? We recently had a 1100 gateway that just did not want to update it's policy and finally after a reboot and push on a fixed IP, I was able to replace the policy, it just did not update before that.
Regards, Maarten
Highlighted
Sapphire

Yes, see sk117473: Manual policy fetch on SMB device

# fw -d fetch

Highlighted
Nope, that is a debug, but still uses the local policy, does not force a fetch from management.
Regards, Maarten
Highlighted
Sapphire

Yes, it is debug for much more fun 😉

[Expert@zwelfhundertr]# fw fetch
Fetching Security Policy from '172.27.39.198'

Local Security Policy is Up-To-Date.

Installing Security Policy...

Installing Security Policy Succeeded.
Done.
[Expert@zwelfhundertr]#

Also possible to use as fw fetch <ip address of mgmt>. According to sk119332, Security policy changes must be pushed to the Security Gateway before they will be implemented by an "fw fetch" command. The "fw fetch" compares the compiled policy on the Security Management server with the latest policy on the Security Gateway.

Highlighted
Gunther,

I am aware of how it should work, but in some cases you did make changes and the gateway (in our case) just kept saying the local was up to date and the GUI showed a policy installed at 10:30 while we made changes at 10:45 and pushed policy, log was flowing, but at 11:00 it was still showing that the 10:30 policy was loaded.
Doing the fw fetch also said local security policy is up to date.
Hence I wanted to see if there is a way to Force the fetch and discard the local copy.
Regards, Maarten
Highlighted
Sapphire
Here you should involve TAC - policy install is done to make the GW use the new rules, so such a behaviour is a bug !
Highlighted
Sapphire
Please also consult sk119332 !
Highlighted
Sapphire

What i also know is the clish variant: # fetch policy mgmt-ipv4-address x.x.x.x#

But i fear that also here only the compiled policy from SMS is checked and local policy not discarded ! But of course we have a method to achive what you want:

- switch Security Management to local mode
- switch back to central mamagement
- re-establish SIC with the SMS
- Security policy is loded from SMS and installed

View solution in original post

0 Kudos