Configuration Management & Upgrades
2/12/2014
Course # 1150

Overview
▪ Exporting and Backing up the configuration
  ▪ Configuration Files
  ▪ Email – Automated
  ▪ Cloud – Automated
  ▪ USB – Automated
  ▪ Console
  ▪ Manual
    ▪ Email
    ▪ Download from firewall
    ▪ Scripts
▪ Import Configurations
  ▪ Preserve Activation Codes
  ▪ Full Import
  ▪ Partial Import
  ▪ Editing XML
  ▪ Importing
▪ Updating Runtime
  ▪ Manual
  ▪ Online
  ▪ Special Considerations
  ▪ Slice Switching and Management
  ▪ Downgrades

GB-OS Configuration File
▪ v5.0 and above is in XML format
▪ v4.0 and below is in binary format
▪ All backup configuration file names include <Product><version><host_name><time_stamp>
  ▪ Example: GB-Ware_Unrestricted_v600_gb-ware-qa_Live_2011-05-24_133917.xml
▪ Schemas for the versions are located at http://www.gta.com/support/documents/

Global Backup Options
▪ When enabled, will back up the configuration after each change.
▪ Backup using
  ▪ Email
  ▪ Cloud
  ▪ USB
▪ Allows backups to be made in
  ▪ XML – plain text
  ▪ ZIP – compressed
  ▪ 7ZIP – compressed and encrypted
▪ Maximum Backup Count (applies to USB and Cloud only)
  ▪ Number of backups allowed
  ▪ Once the limit is reached the oldest backup is removed.
  ▪ Count
    ▪ 50
    ▪ 100
▪ Cloud and USB backup licenses
  ▪ Tied to current maintenance and support.
  ▪ Console restore is always available
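The file naming convention and the maximum backup count above, worked through as an added example (this is not GTA code): a parser for the backup file name that accepts both name shapes shown in this course, and a rotation routine that picks the oldest backups to drop once the count is exceeded. The "Test" mode token, the zone-suffix handling and the directory listing are assumptions.

```python
import re
from datetime import datetime

# Backup names follow <Product>_<version>_<host_name>_<mode>_<time_stamp>.<ext>.
# Both name shapes shown in this course are accepted: the product may carry extra
# words (GB-Ware_Unrestricted) and the stamp may carry a zone suffix (_EDT).
# The "Test" mode token is an assumption; the slides only show "Live".
NAME_RE = re.compile(
    r"^(?P<product>.+?)_v(?P<version>\d+)_(?P<host>.+?)_(?P<mode>Live|Test)_"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})(?:_(?P<zone>[A-Z]{3,4}))?\.(?P<ext>xml|zip|7z)$"
)

# Constructed listing of a /GTA/<fw_serial_number>/backups directory.
SAMPLE_LISTING = [
    "GB-Ware_Unrestricted_v600_gb-ware-qa_Live_2011-05-24_133917.xml",
    "GB-Ware_v601_gb-ware_Live_2011-08-15_092922_EDT.7z",
    "GB-Ware_v601_gb-ware_Live_2011-08-16_080000.7z",
    "readme.txt",  # not a backup: never counted, never deleted
]


def parse_backup_name(name):
    """Fields encoded in a backup file name, or None if it does not follow the convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["timestamp"] = datetime.strptime(fields["stamp"], "%Y-%m-%d_%H%M%S")
    return fields


def select_for_removal(names, max_count):
    """Names to delete so that at most max_count backups remain, oldest first.

    Age comes from the stamp in the name rather than file mtime, which a copy to
    USB or cloud storage does not necessarily preserve. Unrecognised names are skipped."""
    dated = []
    for name in names:
        fields = parse_backup_name(name)
        if fields:
            dated.append((fields["timestamp"], name))
    dated.sort()
    excess = len(dated) - max_count
    return [name for _, name in dated[:excess]] if excess > 0 else []


if __name__ == "__main__":
    for name in select_for_removal(SAMPLE_LISTING, 2):
        print("would remove:", name)
```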

Automated Backup – Email
▪ Send email when the configuration is changed or updated in live mode
▪ Sent in the format configured in Global options
▪ Source email is no-reply@<Firewall host name>
  ▪ Host name is from [Configure -> Network -> Interfaces -> Settings]

Log entries for email backup
▪ Feb 14 14:22:35 pri=5 msg="XMLverify: Automatic configuration backup sent via email" type=mgmt
▪ Feb 14 14:22:35 pri=6 msg="XMLverify: Emailed automatic configuration backup to [email protected]" type=mgmt

Automated Backup – Cloud
▪ Available in v6.0.1
▪ Uses publicly available cloud backup services.
▪ Requires a current Support or Maintenance contract to restore or back up.
▪ Restores to Test Mode only.
▪ Requires an account with the cloud backup service.
  ▪ Dropbox
  ▪ Box.net

Using Cloud Backup
▪ Create an account: https://www.dropbox.com/register

Using Cloud Backup – Authorize
▪ Authorize the firewall to use the account in [Configure -> Configuration -> Backup]
▪ Click on Authorize
▪ A dialog will display for the authorization.
▪ If the authorization web page does not take your browser focus, look for a new window.

Authorizing
▪ A successful login will create the token required to authorize the firewall and automatically store it.

Using Cloud Backup – Login
▪ Once authorized, log in to the service via [Configure -> Configuration -> Backup]
▪ Displays
  ▪ Available storage
  ▪ Files that can be
    ▪ Restored
    ▪ Downloaded
  ▪ File size

Automated Backup – USB
▪ Available in v6.0.1
▪ Allows restore and backup with a current Support or Maintenance contract.
▪ Download locally backed up configurations.
▪ Restores to Test Mode.
▪ Requires a FAT32 or NTFS formatted USB drive.

Backup Now
▪ Allows an administrator to immediately back up the configuration.
▪ Requires current support or maintenance.

USB & Cloud Restore
▪ Select backup
▪ Click the upload icon
▪ Restore to test
▪ Change to Test Mode, verify the configuration, then apply.

Console Backup & Restore
▪ Backup via console requires a current Support or Maintenance contract.
▪ Restore is allowed via console without a contract.

Importing on Console
▪ Prompts for the backup password if configured
▪ Console restore checks whether the activation codes on the live system match the configuration. If not, a warning dialog will display.
▪ Restores to Live only
▪ Reboot required after restore.

Making Files Available for Import by USB or Cloud
▪ Must be in a directory on the USB or Cloud of /GTA/<fw_serial_number>/backups
▪ The firewall searches for a directory that contains its serial number.
▪ Can navigate to other directories.

Notes on USB Backup
▪ Test any USB device on the target firewall by rebooting the firewall with the USB device attached.
▪ Problem
  ▪ If the USB device has a bootable partition it could cause the system to not boot properly. The bootable flag has to be removed.
  ▪ Some USB devices can cause problems. If the firewall fails to boot with the USB device attached, please contact support with as much detail on the device as possible.

Troubleshooting USB & Cloud Backup & Restore
▪ Restore a configuration from a higher version.
  ▪ Is hit or miss and MAY work. Most of the attempts fail or result in an error.
  ▪ The higher version configuration, if it imports, may have wrong codes.
▪ USB drive not connected or identified
  ▪ Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to backup configuration to USB device" type=mgmt
  ▪ Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to mount USB device" type=mgmt
▪ USB device full
  ▪ Aug 24 15:54:19 pri=3 msg="WWWadmin: Unable to copy configuration backup to USB device. No space left on device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=60695 dst=10.10.1.80 dstport=443 duration=86
▪ Cannot back up – read-only drive
  ▪ Aug 29 12:51:05 pri=4 msg="WWWadmin: Mounted MSDOS filesystem as readonly" type=mgmt user="fwadmin" src=10.10.1.163 srcport=51064 dst=10.10.1.80 dstport=443 duration=43

Troubleshooting
▪ Firewall displays the following error (screenshot not reproduced)
  ▪ GB-250 Rev A's do not support USB backup
  ▪ If not a GB-250 Rev A, confirm the hardware USB ports are working and enabled.
▪ Firewall shows as not licensed for cloud backup.
  ▪ Confirm DNS is configured.
  ▪ Confirm the firewall support / maintenance contract is up to date.
▪ Check the log file for errors
  ▪ Aug 15 09:37:52 pri=3 msg="WWWadmin: Unable to delete file 'GB-Ware_v601_gb-ware_Live_2011-08-15_092922_EDT.7z' from cloud" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
  ▪ Aug 15 09:37:52 pri=4 msg="WWWadmin: Unable to open old configuration. No error: 0" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
  ▪ Aug 15 09:37:52 pri=3 msg="WWWadmin: Unable to uncompress input file; No such file or directory" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
  ▪ Aug 15 09:37:52 pri=4 msg="WWWadmin: Program '7za' exited with code 2." type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
  ▪ Error: the password configured to use for files is not correct.

Manual Backup
▪ Two sections where XML can be downloaded.
  ▪ [Configure -> Configuration -> Import/Export] – no firewall state information
  ▪ [Monitor -> Reporting -> Configuration] – includes firewall state information

Manual Backup – [Configure -> Configuration -> Import/Export]
▪ Back up live or test mode.
▪ Options
  ▪ XML
  ▪ 7-ZIP
  ▪ ZIP

Manual Backup – [Monitor -> Reporting -> Configuration]
▪ Using Email
  ▪ Subject
  ▪ Comments
  ▪ Attachments
  ▪ Mode
  ▪ Format
    ▪ 7-ZIP
    ▪ ZIP
    ▪ HTML
▪ 7-ZIP or ZIP
  ▪ 7-ZIP: encrypted and password protected
  ▪ ZIP: just password protected
▪ Attachments

Backing Up the Firewall Configuration – Attachments
Attachments give a snapshot of the system. Very useful in troubleshooting. Usually in support we would like all this information even if it may not be relevant to a case.

Using Scripts to Back Up the Firewall
▪ The Live mode configuration can also be exported by appending /config to the firewall's URL and placing it in a script.
▪ For example, to download the firewall's configuration with a user ID of fwadmin, a password of fwadmin, and a host name of firewall.example.com, run the following script:
  ▪ curl -k -o config.xml http(s)://fwadmin:fwadmin@firewall.example.com/config
▪ If you have special characters such as $ you may need to place ' around them. Example:
  ▪ curl -k -o config.xml https://fwadmin:'$fwadmin'@firewall.example.com/config

Importing Configuration Files
▪ Import only allowed into Test Mode
▪ Full or partial imports are possible
▪ Allows for import of older configuration files in XML or binary format. Binary format must be over v3.7
▪ GB-OS converts all configurations older than the target system to the current XML format.
▪ The Preserve Section option for Activation Codes allows GB-OS to keep the original system codes and serial numbers when importing another firewall's configuration.
▪ v6.0.1 – allows import of zipped and encrypted files
  ▪ 7Zip
  ▪ Zip
  ▪ bzip2

Full Import
▪ Select Test Mode
▪ Browse to where the file is located and click OK
▪ Click on Import
▪ When importing, the firewall will prompt if you wish to change to Test Mode.
  ▪ Click OK to move to Test Mode
  ▪ Cancel to stay in Live.

Partial Import
▪ In order to import a partial configuration:
  ▪ Copy the current Live configuration to Test Mode
  ▪ [Configure -> Configuration -> Import/Export]: select Test Mode and browse to where the configuration is downloaded.
  ▪ Check the Partial Update box.
  ▪ Upload.

Editing XML
▪ XML files imported to a GTA firewall must have the correct beginning and ending elements and be well formed.
  ▪ Beginning: <GB-OS version="6.0.6">
  ▪ Ending: </GB-OS>
▪ Entire sections must be imported. You cannot import just an element. When you import a Tunnel or Address object you import all address objects or tunnels. Below is a correctly formatted XML file for a tunnel.

<GB-OS version="6.0.6">
  <InboundTunnelList updatedTime="2009-04-08 16:14:06 UTC" updatedByUser="fwadmin" updatedByIP="10.10.1.76">
    <InboundTunnel>
      <autoPolicy/>
      <synCookies/>
      <useIPS/>
      <desc>Allow Http</desc>
      <service type="object">HTTP</service>
      <source type="object">EXTERNAL</source>
      <destination type="ip">192.168.71.1</destination>
      <policySource type="object">ANY_IP</policySource>
      <timeGroupName type="object">ALWAYS</timeGroupName>
      <group>ALL_USERS</group>
      <trafficPolicyName></trafficPolicyName>
      <trafficWeight>5</trafficWeight>
    </InboundTunnel>
  </InboundTunnelList>
</GB-OS>

▪ Incorrectly formatted XML will be rejected.
▪ Some tools have the ability to check against the online schema
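As an added example (not from GTA or GB-OS), a pre-import check in Python for the rules above: well-formed XML, a <GB-OS> root carrying a version attribute, whole sections only, and a file version no higher than the target firewall, since the troubleshooting notes say higher-version configurations usually fail to import. That section elements are the ...List containers is an assumption drawn from the InboundTunnelList sample; the firewall's own import does more than this.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's tunnel file: a whole InboundTunnelList
# section inside the GB-OS root element.
GOOD_XML = """<GB-OS version="6.0.6">
  <InboundTunnelList updatedTime="2009-04-08 16:14:06 UTC" updatedByUser="fwadmin" updatedByIP="10.10.1.76">
    <InboundTunnel>
      <desc>Allow Http</desc>
      <service type="object">HTTP</service>
      <destination type="ip">192.168.71.1</destination>
    </InboundTunnel>
  </InboundTunnelList>
</GB-OS>"""

# A lone object with no enclosing section, which the slides say will be rejected.
BAD_XML = """<GB-OS version="6.0.6">
  <InboundTunnel><desc>Allow Http</desc></InboundTunnel>
</GB-OS>"""


def _version_tuple(text):
    """'6.0.6' -> (6, 0, 6); None if any component is missing or not numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def check_import_file(xml_text, target_version):
    """Pre-import checks; returns a list of problems (an empty list means it passed).

    Checks: well-formed XML; a <GB-OS> root with a numeric version attribute; only
    whole sections directly under the root (assumption: section elements are the
    container elements such as InboundTunnelList, i.e. names ending in 'List');
    and a file version no higher than the firewall it is being imported into."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    problems = []
    if root.tag != "GB-OS":
        problems.append(f"root element is <{root.tag}>, expected <GB-OS>")
    version = root.get("version")
    file_v, target_v = _version_tuple(version or ""), _version_tuple(target_version)
    if file_v is None:
        problems.append(f"missing or non-numeric version attribute: {version!r}")
    elif target_v is not None and file_v > target_v:
        problems.append(f"file version {version} is higher than the target {target_version}")
    for child in root:
        if not child.tag.endswith("List"):
            problems.append(f"<{child.tag}> is a single element, not a whole section")
    return problems
```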


Runtime Updates
▪ Manual or Online
▪ Online requires the firewall to be registered
  ▪ Access to als.gta.com using SSL
▪ Major releases require a Maintenance or Support contract
▪ Minor patch releases are free for the firewall on that version
  ▪ A minor patch is v5.4.0 to 5.4.1.
  ▪ A major update is v5.3.X to 5.4 or 5.4 to 6.0.


Update – Runtime Updates
▪ Automatic Updates
  ▪ The firewall will automatically check (Scheduled Update Check) for updates and send a notification of an available update either via email or SMS.
  ▪ The Check Now option allows an administrator to have the firewall check immediately for an update.
  ▪ Download – tells the firewall to download the latest update.
  ▪ Install – applies the latest update to the firewall and reboots the firewall.
  ▪ The update will include all required codes for the target version.
▪ Manual Updates – advanced option
  ▪ Must be downloaded from the GTA Support Center
  ▪ Codes for major versions will need to be manually applied to the firewall.
  ▪ The runtime file must be uploaded to the firewall.

What happens when the firewall updates the runtime?
▪ The alternate runtime slice is updated with the new GB-OS.
▪ The configuration on the current bootable slice is copied to the alternate slice and updated.
▪ The alternate slice is set as the bootable slice.
▪ The firewall reboots to the new slice.
▪ The original configuration and runtime prior to the upgrade are preserved.

Special Upgrade Considerations
▪ All firewalls updating to GB-OS version 5.3 and above must be on GB-OS 5.2.0 or higher before upgrading.
▪ All firewalls updating to GB-OS v6.1.0 or later must be on version 6.0.0 or later.
▪ Some updates will reformat the compact flash to better utilize space. However, this has the effect of updating both runtime slices to the same version.
▪ GB-250 Rev B firewalls should be upgraded from slice 2 when upgrading to GB-OS 5.3.
▪ GB-250 Rev B firewalls need to have a BIOS revision of .99h or later.
▪ A list of all known upgrade issues is in the Upgrade Guides located at http://www.gta.com/support/upgrade/

How can I identify the version and runtime slice?

How can I identify the BIOS version on my GB-250?
▪ Examine the hardware report for the BIOS version. The Hardware Report is located in the firewall web administration interface in Monitor -> System -> Hardware section.
  ▪ Example: BIOS: PC Engines ALIX.2 v0.99h tinyBIOS V1.4a (C)1997-2007
▪ You can also check the BIOS by connecting to the console interface and rebooting the firewall. The first line displayed should be the current BIOS revision.

Runtime Slice Management – Reverting to Previous Runtimes/Slice
▪ The firewall GB-OS has two runtime slices
  ▪ Current Slice – the runtime slice the firewall is booting from.
  ▪ Alternate Slice – the previous OS and configuration.
  ▪ If the alternate slice has no version, this indicates it is on version 3.7 or is possibly corrupt.
▪ The runtime slice options allow an administrator to revert to their previous runtime and configuration. This is mainly used if a firewall is updated and an administrator finds an issue with the latest release requiring reversion to the previous version and configuration to resolve.
▪ The current slice is displayed in
  ▪ Overview
  ▪ Check For Updates section

Downgrading a firewall
Downgrading a firewall from one major version to another is NOT recommended nor supported by GTA. When possible, a firewall administrator should use the runtime slice switching option. For more information on runtime slice switching please see the GB-OS User's Guide or GB-OS Console Guide located at https://www.gta.com/support/documents/. Older codes are not always available for some firewalls. GTA will provide these on a case by case basis and the firewall must have support contracts.

Downgrading a firewall is performed in two steps:
1. Upload the next lowest major runtime. For example, if the current release is version 5.3.1 and the administrator needs to downgrade to version 5.1.4, they will need to first go to 5.2.X and then to 5.1.4. The manual upload runtime option is located in the following sections:
   • v5.1 through v6.0 – Configure -> Runtime -> Update -> Advanced.
   • v5.0 – Configuration -> Runtime -> Update -> Advanced.
   • v4.0 – Configuration -> Import/Export
   • Once a runtime has been uploaded to the firewall, the update will need to be installed on the latest versions. It is important to note that in older versions the upload runtime and installation are performed together.

2. After the downgrade has been installed the firewall will reboot. Due to data structure changes the current firewall configuration will need to be reset to factory defaults. Resetting the firewall to the default state will need to be performed via the console interface. It is best to have the console attached while booting. Once the unit completes booting, a message will display to reset the unit. Type Yes at the prompt.

After resetting the unit, the firewall will reboot and may now be reconfigured. It is necessary to repeat each downgrade for each version. The downgrade path from the current GB-OS to older versions is below.
▪ 6.1 -> 6.0
  ▪ Reset to defaults and reconfigure via console to downgrade again
▪ 6.0 -> 5.4
  ▪ Reset to defaults and reconfigure via console to downgrade again
▪ 5.4 -> 5.3
  ▪ Reset to defaults and reconfigure via console to downgrade again
▪ v5.3 -> v5.2
  ▪ Reset to defaults and reconfigure via console to downgrade again.
▪ v5.2 -> v5.1
  ▪ Reset to defaults and reconfigure via console to downgrade again.
▪ v5.1 -> v5.0
  ▪ Reset to defaults and reconfigure to downgrade again.
▪ v5.0 -> v4.0
  ▪ Reset to defaults and reconfigure via console to downgrade again.
▪ v4.0 -> v3.7.3
  ▪ Reset to defaults and reconfigure via console to administer the firewall.

Versions
Firewall        First Version
GB-250 Rev A    3.6
GB-250 Rev B    5.1
GB-800          3.7.1
GB-820          5.4.0
GB-2000/e       3.6
GB-2000x        3.7.2
GB-2100         5.4.0
GB-2500         5.4.0
GB-3000         4.0.1

Syslog
▪ Manual Cloud & USB backup
  ▪ Aug 24 09:30:14 pri=5 msg="WWWadmin: Manual backup to cloud service" type=mgmt user="fwadmin" src=10.10.1.163 srcport=50251 dst=10.10.1.80 dstport=443 duration=28
  ▪ Aug 24 09:29:49 pri=5 msg="WWWadmin: Manual backup to USB device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=50250 dst=10.10.1.80 dstport=443 duration=15
▪ USB drive not connected or not identified
  ▪ Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to backup configuration to USB device" type=mgmt
  ▪ Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to mount USB device" type=mgmt
▪ USB drive identified
  ▪ Aug 24 10:25:38 pri=5 msg="kernel: da0: 125MB (256000 512 byte sectors: 8H 32S/T 1000C)" type=mgmt
  ▪ Aug 24 10:25:38 pri=5 msg="kernel: da0: 40.000MB/s transfers" type=mgmt
  ▪ Aug 24 10:25:38 pri=5 msg="kernel: da0: <WD Flash Disk 2.00> Removable Direct Access SCSI-2 device " type=mgmt
  ▪ Aug 24 10:25:38 pri=5 msg="kernel: da0 at umass-sim0 bus 0 scbus0 target 0 lun 0" type=mgmt
  ▪ Aug 24 10:25:37 pri=5 msg="kernel: umass0: <USB Flash Disk, class 0/0, rev 2.00/2.00, addr 2> on usbus4" type=mgmt
  ▪ Aug 24 10:25:37 pri=5 msg="kernel: ugen4.2: <USB> at usbus4" type=mgmt
▪ Drive full
  ▪ Aug 24 15:54:19 pri=3 msg="WWWadmin: Unable to copy configuration backup to USB device. No space left on device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=60695 dst=10.10.1.80 dstport=443 duration=86
▪ Exported configuration file
  ▪ Aug 24 10:27:59 pri=5 msg="WWWadmin: Exported configuration" type=mgmt user="fwadmin" src=10.10.1.163 srcport=50652 dst=192.168.71.1 dstport=443 duration=7
▪ Email configuration
  ▪ Aug 24 10:30:20 pri=6 msg="WWWadmin: Emailed configuration to [email protected]" type=mgmt user="fwadmin" src=10.10.1.163 srcport=50657 dst=10.10.1.80 dstport=443 duration=23
▪ Automatic backup
  ▪ Aug 24 15:43:32 pri=5 msg="XMLverify: Automatic configuration backup sent to cloud service" type=mgmt
  ▪ Aug 24 15:43:15 pri=5 msg="XMLverify: Automatic configuration backup sent to USB device" type=mgmt
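The error lines in the Troubleshooting slides and the Syslog lines above share one format. This added example (not GTA code) parses that format and counts backup outcomes by case, so a log monitor can alert when an automatic backup fails or a 7-ZIP password no longer matches. The sample lines are constructed from the ones on the slides, and the category names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the GB-OS syslog format shown in these slides: timestamp, then
# key=value pairs with a quoted msg; pri= is the severity (3 error, 4 warning, 5 notice, 6 info).
SAMPLE_LOG = """\
Aug 24 09:29:49 pri=5 msg="WWWadmin: Manual backup to USB device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=50250 dst=10.10.1.80 dstport=443 duration=15
Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to backup configuration to USB device" type=mgmt
Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to mount USB device" type=mgmt
Aug 24 15:43:32 pri=5 msg="XMLverify: Automatic configuration backup sent to cloud service" type=mgmt
Aug 24 15:54:19 pri=3 msg="WWWadmin: Unable to copy configuration backup to USB device. No space left on device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=60695 dst=10.10.1.80 dstport=443 duration=86
Aug 29 12:51:05 pri=4 msg="WWWadmin: Mounted MSDOS filesystem as readonly" type=mgmt user="fwadmin" src=10.10.1.163 srcport=51064 dst=10.10.1.80 dstport=443 duration=43
Aug 15 09:37:52 pri=4 msg="WWWadmin: Program '7za' exited with code 2." type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# msg substring -> the troubleshooting case it corresponds to in the slides (names are assumptions).
FAILURE_PATTERNS = [
    ("Unable to backup configuration to USB device", "usb_backup_failed"),
    ("Unable to mount USB device", "usb_not_identified"),
    ("No space left on device", "usb_full"),
    ("filesystem as readonly", "usb_read_only"),
    ("Unable to delete file", "cloud_delete_failed"),
    ("Program '7za' exited", "archive_password_mismatch"),
]

def parse_line(line):
    """Split one line into a dict with ts, pri (int), msg and any other key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    fields["pri"] = int(fields.get("pri", 7))  # no pri: treat as debug, never an error
    return fields

def classify(fields):
    """Category of a parsed line: a failure case, 'backup_ok', or None if unrelated."""
    msg = fields.get("msg", "")
    if fields["pri"] <= 4:
        for needle, category in FAILURE_PATTERNS:
            if needle in msg:
                return category
        return None
    return "backup_ok" if "backup" in msg.lower() else None

def summarize(text):
    """Count backup outcomes by category over a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        category = classify(fields) if fields else None
        if category:
            counts[category] += 1
    return dict(counts)
```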

Audit Events
▪ Manual USB backup
  ▪ 2011-08-24 08:49:35 Live Manual backup to USB device fwadmin 192.168.71.1
▪ Manual Cloud backup
  ▪ 2011-08-24 08:47:57 Live Manual backup to cloud service fwadmin 192.168.71.1
▪ Administrator downloads configuration
  ▪ 2011-08-24 10:27:59 Live Exported configuration fwadmin 192.168.71.1
▪ Email configuration to address
  ▪ 2011-08-24 10:30:20 Live Emailed configuration to [email protected] fwadmin 192.168.71.1
▪ Automatic backup
  ▪ 2011-08-24 15:43:32 Live Automatic configuration backup sent to cloud service
  ▪ 2011-08-24 15:43:15 Live Automatic configuration backup sent to USB device

Known Issues
▪ NTFS
  ▪ Once written to by the firewall, the USB drive may be unreadable in Windows. Corrected in v6.0.4 when released.
  ▪ The workaround to get the configuration is to use FreeBSD, Linux or Mac.
▪ Dropbox
  ▪ Retiring version 0 on December 1st, 2012. After December 1st, the v0 API will be shut down and applications using it will no longer be able to make calls.
  ▪ Firewalls must update to v6.0.6 or later prior to December 1st, 2012.

References
▪ Dropbox - http://www.dropbox.com/
▪ Box - http://box.net/
▪ GTA Online Documentation - http://www.gta.com/support/documents/
▪ GB-250 BIOS Update Information - http://online.gta.com/gb-os/bios-update/Home.html

Global Technology Associates, Inc.
Support Email: [email protected]
Support Phone: 1.407.482.6925
Sales Email: [email protected]
Sales Phone: 1.407.380.0220 or 1.800.775.4482
Normal Hours: 0830-1900 EST U.S.
Free User Support:
▫ http://forum.gta.com
▫ Mailing List: [email protected]
Facebook: https://www.facebook.com/GTAFirewalls
Twitter: @gtafirewalls
GTA Partners: https://www.gta.com/sales/locatorWorld/
