Getting updates from the internet without internet access?
by reaper, 02-02-2017 04:47 AM - edited 05-11-2017 07:47 AM
Does this scenario sound familiar:
You're setting up a new firewall in your datacenter and you're doing your due diligence: configuring your management interface to the right speed and duplex settings, assigning a management IP, preparing the appropriate DNS settings, adding NTP servers so the system runs on standardized time, and then, when the time comes to download the latest software image or grab the latest content package, the connection fails.
Suddenly you realize the management interface is located inside an Out Of Band network with no access to the outside world.
This is the moment when you get out your trusty "black ops" USB stick, find a way around the network restrictions with some creative cabling or simply unrack the whole thing and drag it back to your desk to continue the prep from there.
Luckily there's a cool feature called Service Routes that you can leverage to get certain services to use a dataplane interface connected to the update/remediation/guest network, or even directly to the internet.
Normally any service used by the management plane will use the dedicated management port and its own default gateway to reach a resource, for example a DNS lookup to resolve the updates server and the connection to retrieve the content packages. The dataplane interfaces and Virtual Router never come into play for any connections made by the system.
A service route will direct the services you specify over the backplane fabric onto a socket on a dataplane interface of your choosing.
Under the Device tab > Setup > Services > Service Route Configuration you can opt to customize the service routes and then pick any service you need and change it to a different source.
You can even change the default source for a destination IP address rather than a specific service, in case multiple services (DNS, NTP, ...) are run on the same host.
Just remember to take security policies and NAT rules into account: the source IP is now that of a dataplane interface, and security policy is applied to the connection based on its source and destination zone.
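To make the last two points concrete, here is an added Python model (not PAN-OS code, and not from the original post) of how a service route changes the source of firewall-originated traffic and why a matching zone-based security rule is then needed. The interfaces, zones, addresses and rule names are constructed, and the model assumes a destination-based route takes precedence over a per-service route.

```python
# Added example: models service-route source selection and the policy
# check that follows. All names, zones and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Source:
    interface: str       # "mgmt" or a dataplane interface
    address: str
    zone: Optional[str]  # None for the management port (no zone, no policy)

MGMT = Source("mgmt", "10.0.0.5", None)

# Constructed config: per-service routes plus one destination-based route
SERVICE_ROUTES = {
    "dns": Source("ethernet1/3", "192.0.2.10", "update-net"),
    "paloalto-updates": Source("ethernet1/3", "192.0.2.10", "update-net"),
}
DESTINATION_ROUTES = {  # assumed to win over per-service routes
    ip_network("198.51.100.0/24"): Source("ethernet1/2", "203.0.113.7", "remediation"),
}
ZONE_BY_PREFIX = {ip_network("198.51.100.0/24"): "guest",
                  ip_network("0.0.0.0/0"): "untrust"}  # checked in order
# Constructed security policy: (name, from_zone, to_zone, application, action)
RULES = [
    ("allow-updates", "update-net", "untrust", "paloalto-updates", "allow"),
    ("allow-dns-out", "update-net", "untrust", "dns", "allow"),
]

def resolve_source(service: str, dest: str) -> Source:
    """Destination route first, then the service's own route, else mgmt."""
    d = ip_address(dest)
    for net, src in DESTINATION_ROUTES.items():
        if d in net:
            return src
    return SERVICE_ROUTES.get(service, MGMT)

def dest_zone(dest: str) -> str:
    d = ip_address(dest)
    return next(z for net, z in ZONE_BY_PREFIX.items() if d in net)

def check_service(service: str, dest: str) -> tuple:
    """Return (source address, verdict). Mgmt-sourced traffic skips policy;
    dataplane-sourced traffic needs a rule matching its zones and app."""
    src = resolve_source(service, dest)
    if src.zone is None:
        return src.address, "mgmt: no policy lookup"
    to_zone = dest_zone(dest)
    for name, frm, to, app, action in RULES:
        if frm == src.zone and to == to_zone and app in (service, "any"):
            return src.address, f"{action} by {name}"
    return src.address, f"denied: no rule {src.zone}->{to_zone} for {service}"
```

Running `check_service("dns", "198.51.100.53")` shows the trap: the destination route moves the lookup onto ethernet1/2 in the remediation zone, where no rule exists, so the request is denied even though DNS is allowed from update-net.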
With this cool little trick up your sleeve the black-ops USB stick should be a thing of the past :)
Feel free to ping me or ask the community at large any questions you might have in our Discussion Forum.
There's always someone out there that stubbed their toe on exactly the same obstacle you're facing ;)