Cisco ASA Firewall Cluster Member Replacement

So one of your firewalls in your highly available cluster died. It happens. It's not your fault. But you have to put Humpty Dumpty back together again. Do it the wrong way and you can erase your configuration and bring the cluster down!

Prepare for Success
Backup the current configuration:
  a. Use the more system:running-config command (unlike show running-config, it does not mask pre-shared keys and other secrets, so the backup is actually restorable)
  b. Certificates [...]

Security Updates: July 10, 2017

Check Point

Session timeouts:
  TCP start timer is default
  TCP session timeout is default
  TCP end timeout is default
  UDP session timeout is default
  ICMP session timeout is default
  Other protocol session timeout is default

Out-of-state packets:
  Drop out-of-state ICMP packets
  Drop out-of-state UDP packets
  Drop out-of-state TCP packets
  Log out-of-state TCP drops
  Log out-of-state UDP drops
  Log out-of-state [...]

STDIN (Standard In) on Steroids

CyberSana provides a secure bridge into your infrastructure. The ability to type the same commands on multiple devices is used for triage, incident response, upgrades, baselines and general information gathering. Regardless of the destination, you can now easily type a command to all devices or specific target groups or individual devices.

Cisco AnyConnect Windows Client Vulnerability

A big congrats to Felix Wilhelm for finding and sharing this information. The release from Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-anyconnect

Time to Execute

Infrastructure Inventory Report

In a heterogeneous environment, generating an inventory report can be an arduous and onerous task to complete.  Built-in CRMs and home grown solutions are still maintained manually and often out of date.  We feel the pain, the burn, and the burden.  Generate an up-to-date inventory of your infrastructure in minutes with CyberSana, export it for mangling and present [...]

Cisco ASA and Firepower 213 day uptime bug

Easy fix: https://www.youtube.com/watch?v=KRG0UAbgBuc

Field Notice: http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html

Problem Description
All Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) devices that run the affected software versions do not pass network traffic after approximately 213 days 12 hours (~5,124 hours) of uptime. In the near term, immediately reboot the deployed security appliances in order [...]
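To turn the field notice into a check rather than a calendar reminder, here is an added Python example (not from the post and not from Cisco) that parses the uptime line of show version from a set of constructed sample captures and flags any device within 30 days of the 213 day 12 hour threshold. It looks at uptime only; whether a device actually runs an affected build still has to be confirmed against the field notice. The device names and capture text are made up for the example, and the assumption that a "year" in the uptime line means 365 days is the script's, not Cisco's.

```python
import re

# Threshold from Cisco field notice FN64291 (linked above): affected ASA/FTD
# builds stop forwarding after roughly 213 days 12 hours of uptime.
BUG_THRESHOLD_HOURS = 213 * 24 + 12  # 5124 hours

# Constructed "show version" captures for this example. Only the
# "<hostname> up ..." line matters to the parser; everything else is filler.
SAMPLE_SHOW_VERSION = {
    "fw-edge-1": "Cisco Adaptive Security Appliance Software Version x.y(z)\n"
                 "fw-edge-1 up 201 days 6 hours\n",
    "fw-dc-2": "Cisco Adaptive Security Appliance Software Version x.y(z)\n"
               "fw-dc-2 up 14 days 3 hours\n",
    "ftd-branch": "Cisco Firepower Threat Defense Software Version x.y\n"
                  "ftd-branch up 1 year 2 days\n",
}

# Assumption: a "year" in the uptime line is 365 days.
_UNIT_MINUTES = {
    "year": 365 * 1440,
    "week": 7 * 1440,
    "day": 1440,
    "hour": 60,
    "minute": 1,
    "min": 1,
}

# Matches "up 201 days 6 hours", "up 1 year 2 days", "up 3 hours 12 mins", ...
_UPTIME_LINE = re.compile(
    r"\bup\s+((?:\d+\s+(?:year|week|day|hour|minute|min)s?\s*)+)",
    re.IGNORECASE,
)
_UPTIME_TOKEN = re.compile(
    r"(\d+)\s+(year|week|day|hour|minute|min)s?", re.IGNORECASE
)


def uptime_hours(show_version: str) -> int:
    """Return the device uptime from a show version capture in whole hours."""
    match = _UPTIME_LINE.search(show_version)
    if match is None:
        raise ValueError("no uptime line found in show version output")
    minutes = 0
    for qty, unit in _UPTIME_TOKEN.findall(match.group(1)):
        minutes += int(qty) * _UNIT_MINUTES[unit.lower()]
    return minutes // 60


def classify(devices: dict, warn_hours: int = 30 * 24) -> dict:
    """Map device name -> hours left before the threshold, for every device
    within warn_hours of it. A negative value means uptime is already past
    213 days 12 hours; such a box is either unaffected or about to fail."""
    flagged = {}
    for name, output in devices.items():
        hours_left = BUG_THRESHOLD_HOURS - uptime_hours(output)
        if hours_left <= warn_hours:
            flagged[name] = hours_left
    return flagged


if __name__ == "__main__":
    for name, hours_left in sorted(classify(SAMPLE_SHOW_VERSION).items()):
        state = "PAST THRESHOLD" if hours_left < 0 else f"{hours_left} h left"
        print(f"{name}: {state} - schedule a reboot")
```

Feed it real captures (one show version per device, e.g. pulled over SSH) instead of the sample dict and run it from cron; the reboot window should land well before the remaining hours reach zero, because the failure is silent from the device's point of view and only shows up as dropped traffic.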

CISCO FTP TRANSFER ERROR MESSAGE – NO MORE PROCESSES

When you want to transfer a file to flash on a Cisco firewall via FTP, you may run into an error message that does not help you down the path to enlightenment. The error is:

%Error reading ftp://xxxxx:xxxxx@x.x.x.x/cisco/asdm-751.bin (No more processes)

This is caused by one of the following:
  File not on the server
  Incorrect [...]

CISCO X-SERIES – WHICH SERIAL NUMBER TO USE?

Had trouble understanding the different serial numbers on the newer X-series firewalls? You're not alone. Cisco decided to have one serial number for the traditional chassis, the one that is on the outside of the physical box, revealed with the typical show version command. This serial number is used to add to your contract [...]

STANDARDIZING ADMINISTRATOR SSH SESSION TIMEOUTS

Idle SSH session timeouts can put you in a grumpy mood. Let's standardize them across your devices. We like 30 minutes as it seems to be a sweet spot for the brain to say, well, it has been 30 minutes since I've done anything, so it's ok to be disconnected.

JUNIPER SCREENOS
This one is [...]
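The post's per-vendor walkthrough is cut off above after the ScreenOS heading, so here is an added config fragment (written for this page, not taken from the post) setting the same 30 minute idle timeout on the platforms that show up elsewhere on this page. Lines starting with "#" are annotations, not CLI. The Junos login class name admin-full is a placeholder; Junos requires a custom class because the idle timeout cannot be set on the predefined ones. Verify each command against your running version before pasting.

```text
# Cisco ASA: SSH idle timeout in minutes (1-60)
ssh timeout 30

# Cisco IOS / IOS-XE: per-line exec timeout, minutes then seconds
line vty 0 4
 exec-timeout 30 0

# Juniper ScreenOS: admin session idle timeout in minutes
# (0 disables the timeout entirely, so never use 0 here)
set admin auth timeout 30

# Juniper Junos: idle timeout lives on the login class, in minutes;
# admin-full is a hypothetical class name for this example
set system login class admin-full permissions all
set system login class admin-full idle-timeout 30
set system login user alice class admin-full

# Check Point Gaia clish: shell and WebUI inactivity timeout in minutes
set inactivity-timeout 30
save config
```

After applying, confirm from the CLI that the value took (show running-config ssh on ASA, get admin on ScreenOS, show inactivity-timeout on Gaia) and, more importantly, leave a test session idle and watch it actually disconnect; a timeout that is configured but never enforced is the one that bites you during an audit.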

ARE SITE TO SITE VPNS ON A CISCO FIREWALL MORE PERMISSIVE?

If you set up site to site VPNs a lot, you will notice quirks between vendors. OpenVPN doesn't play nice when PFS is enabled. The infamous Check Point supernetting issue. Or this last one, where Cisco firewalls request a less restrictive proxy-id to function when pairing with a Juniper ScreenOS policy-based VPN.

Cisco Setup
The phase 2 encryption domain of [...]