03-05-2013 09:46 AM
I am posing this as a question to the community, but in the latest release of app/content updates for PA, a new more focused signature was released. The new more focused signature was ms-wmi, and it was previously identified as msrpc.
So....What's the problem? The problem is that if I update content, I will essentially be blocking any ms-wmi that was previously identified as msrpc, because it was allowed under that previous signatures. This means that when I perform this update, I will be blocking ms-wmi traffic for some period of time [ how long does it take me to push policy, or craft new policy based on the new app signature of ms-wmi? ]. It seems troubling to me that this is the case, and there is no way around it. Has anyone else experienced this?
The only scenarios that I can think of to minimize the impact on the new app signatures are as follows [ in both scenarios, I am utilizing panorama ]:
Scenario 1 [ Panorama with HA pair ]:
1. Update content in Panorama to the latest release
2. In Panorama update all rules that currently have msrpc to allow ms-wmi as well.
3. Update the content/app-ids on the passive firewall.
4. Push new policy from panorama to the passive firewall.
5. Fail over to the passive firewall [ In theory this has policy which already allows the new more focused signature, so it should not disrupt current traffic or new connections ]
6. Update the content/app-ids on the firewall that is now in a passive state.
7. Push updated panorama config to the now passive firewall
8. Fail back to the originally active firewall.
Scenario 2 [ Just deal with the outage time ]:
1. Update content in panorama.
2. Add ms-wmi to all rules that are currently allowing msrpc.
3. Update content on the firewalls.
4. Quickly push policy from panorama as soon as the app/content update has succeeded. [ the ms-wmi traffic will be blocked during the period of time that the new policy is being pushed after the content update has succeeded. ]
Anyone have experience with this ?
03-29-2013 12:22 PM
If you properly identify (or re-categorize) your applications to include the updated signatures, I do not think you will much of an outage. On a PA-500 device, it takes about 2 minutes to push a policy down to the FW. With a faster FW, the commit process could be faster. However, in my testing with pushing down any type of policy, that it "takes effect" somewhere around the 75% mark of the commit. So in terms of outage.. that would be 30 secs or less. Not really an outage, more of a hiccup. Just my thoughts on this. Unless I misunderstood what you were trying to explain to me.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!