Lately I have more and more customers who have an update problem to version 9.712-13. This only affects customers who operate a HA.
The update stops at version 9.712-12 for the master and the slave does not want to update any further.

how do I recognise the error

The dashboard reports a pending update

The master hangs during the update 9.712-12 and the slave has the status UP2DATE all the time.

And the HA log says that the slave cannot download the update 9.712-12.

How does the error occur?

Sophos had released the 9.712-13 update a few weeks ago and had withdrawn the 9.712-12 update. Now we have the problem with the master that it had already downloaded the 9.712-12 update. And 9.712-12 was then also installed during the update process to 9.712-13. For the Slave, however, the updates are not downloaded in advance. And because the 9.712-12 update was withdrawn, the slave can no longer install the update.

How to fix it?

You have 2 options.

You have to shut down the slave node and update the master to version 9.712-13. The slave is then booted up again and can then download the appropriate update from the Sophos file server. The problem here is that someone has to be present to start up the slave node again.

Or you can install the Udpate 9.712-13 on the master via CLI. During the update there is a downtime of about 5 minutes because the slave node does not take over the services from the master due to the UPDATE status.

This command installs any updates that Sophos has already downloaded. The HA status is ignored.

auisys.plx --verbose --level d

The result

After the reboot, the master installed the update 9.712-13. The slave is still set to UP2DATE. To speed up the update of the slave, it can be restarted. Otherwise it may take a few hours until the slave installs the update by itself. If the slave is rebooted manually, however, the database may be damaged. In this case, you simply have to restore it via CLI.

After rebooting the slave

Have a nice day!

The post Sophos UTM 9.712-13 HA update problem appeared first on Network Guy.

• Maintenance Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-13215 [AWS] AWS Pay-As-You-Go license expires on C5/M5 instances
• NUTM-12872 [Basesystem] LibXML vulnerability – CVE-2021-3541
• NUTM-13227 [Basesystem] uriparser vulnerabilities
• NUTM-13376 [Basesystem] DHCP Relay not working after upgrade to 9.704
• NUTM-13496 [Basesystem] Openssl vulnerability – CVE-2022-1292
• NUTM-13504 [WAF] Enforce usage of valid Let’s Encrypt root CA

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.711005-712012.tgz.gpg

The post Sophos UTM 9.712-12 update released appeared first on Network Guy.

today I will talk about how you can automatic assignment tagged and untagged vlans for a aruba-ap.

create a device profile

In the device profile, you can configure the VLAN settings, Poe, jumbo frames, etc.
As example vlan 1502 untagged and vlan 224 tagged.

conf t
device-profile name "ArubaAPs"
   untagged-vlan 1502
   tagged-vlan 224
   allow-jumbo-frames
   exit

Assignment of the aruba APs to the created device profile

Now you must associate the aruba-aps to our new device profile “ArubaAPs”.

device-profile type "aruba-ap"
   associate "ArubaAPs"
   enable
   exit
write mem

test it

With “show device-profile status” you can see if it is running.

Have a nice day!

The post Aruba OS Switch automatic vlan assignment for aruba APs appeared first on Network Guy.

As usual, the release will be rolled out in phases:

• In phase 1 you can download the update package from our download server. Click the link and navigate to the folder UTM / v9 / up2date.
  • Up2date package – 9.710 to 9.711 : https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.710001-711005.tgz.gpg
  • md5sum is 8eede813596e78a58a52f492adcd52c4 : https://download.astaro.com/UTM/v9/up2date/ u2d-sys-9.710001-711005.tgz.gpg.md5
• During phase 2 we will make it available via our Up2Date servers in several stages.
• In phase 3 we will make it available via our Up2Date servers to all remaining installations.

This version addresses the recent highly-publicised vulnerability in OpenSSL, CVE-2022-0778. It also addresses a vulnerability recently discovered in Apache, CVE-2022-22720. Apache is used in WAF and for the WebAdmin and user interfaces.

The new Wireless Access Point firmware included with this release is essential for anyone adding new APX access points. Due to supply chain issues we have made some hardware changes in the most recent revisions of our APX models that require this latest firmware version 11.0.109. This version also addresses the recent certificate-parsing vulnerability discovered in OpenSSL so it is worth applying even if you don’t have any new access points.

Finally, you may notice a small change in the format of the firmware version when you’re using WebAdmin – we’ve added an identifier to make it clear whether you’re using the 32-bit or 64-bit version of the UTM operating system.

Other news

• Maintenance Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-13334 [Basesystem] PowerShell / Putty – Default SSH client options result in failed connection
• NUTM-13394 [Basesystem] Openssl Vulnerability – CVE-2022-0778
• NUTM-13421 [Basesystem] Upgrade Apache to 2.4.53 (UI) – CVE-2022-22720
• NUTM-13326 [UI Framework] Identify 32-bit or 64-bit build in WebAdmin footer
• NUTM-13419 [WAF] Upgrade Apache to 2.4.53 (WAF) – CVE-2022-22720
• NUTM-13363 [Wireless] Integrate updated APX firmware version 11.0.019
• NUTM-13433 [Wireless] AP/APX : Openssl Vulnerability – CVE-2022-0778

The post Sophos UTM 9.711-5 update released appeared first on Network Guy.

This update removes the end-of-life SSLVPN client. It is no longer available to download from the User Portal. For more information see this end-of-life notice and this vulnerability disclosure.

With the standalone IPSec client also reaching end-of-sale on 30 March 2022, we have refreshed the remote access page of the User Portal to better support Sophos Connect. Sophos Connect is the recommended alternative to the old SSLVPN and IPSec clients. Download links on the User Portal now direct users to the Sophos Connect section on our downloads page. Configuration links have been updated to provide certificate packages and settings that can be imported by Sophos Connect to get users up and running quickly.

Sophos Connect client should be able to work with any IPSec or SSLVPN configuration you already have set up. Here are some additional links to help understand how it works.

• Sophos UTM: Install and configure Sophos Connect for remote access SSL VPN
• Sophos UTM: Install and configure Sophos Connect for remote access IPsec

Other news

• Maintenance release
• Security release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12592 [Basesystem] Use Only Secure Ciphers for UTM SSH Server
• NUTM-12784 [Basesystem] Patch BIND vulnerabilities (CVE-2021-25214, CVE-2021-25215, CVE-2021-25219)
• NUTM-13101 [Basesystem] Patch Strongswan Vulnerability (CVE-2021-41991)
• NUTM-13119 [Basesystem] Patch Binutils Vulnerability (CVE-2021-3487)
• NUTM-13144 [Basesystem] Remove SSLVPN client downloader from UTM
• NUTM-13192 [Basesystem] Use Secure Key Exchange Algorithms for SSH
• NUTM-13203 [Basesystem] snmpd high memory for snmpwalk v3
• NUTM-12615 [Configuration Management] Root password hash exposed via confd*.log (CVE-2022-0652)
• NUTM-13013 [Email] Upgrade Exim to v4.95
• NUTM-13200 [Email] OAEP RSA padding mode still uses SHA-1 in S/MIME
• NUTM-13267 [Email] SQLi in the Mail Manager (CVE-2022-0386)
• NUTM-13071 [Logging] IPFIX reporting transferred data on wrong direction
• NUTM-12885 [Network] IPS exceptions issue
• NUTM-12987 [RED] Issue with RED tunnel on BO after disconnecting PPPoE
• NUTM-12936 [Web] Add configuration for overriding warn page to proceed link protocol (Standard Mode SSO)

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.709003-710001.tgz.gpg

The post Sophos UTM 9.710-1 update released appeared first on Network Guy.

Today I am going to talk about a problem with my company’s wildcard certificate.

Because I wanted to display the Clearpass captive portal without certificate errors. I tried to import our company wildcard certificate. And in doing so, I encountered the following problem:

Here we have the problem that the certificate chain for the Clearpass is in the wrong order. Many systems like the Aruba Mobility Controller or Sophos SG don’t seem to care if the chain goes from root to server certificate or from server certificate to root CA. But not the Clearpass :D

The solution

The only thing that helps here is to rebuild the certificate chain. First, we need the root CA and all sub CAs. The easiest way to get this is from a system where the wildcard certificate is already integrated. For example, the Sophos SG Firewall.

extract the root and sub CAs

To do this, simply go to the Sophos SG webadmin or user portal  with the Google Chrome browser and display the certificate.

Als erstens Exportierst du das Root CA.

Click on the Root CA. Than details and Copy to files

Save the certifiact as base 64

save it under the name CA1.cer

Repeat the steps for the two sub CAs.

build the certificate chain

Now you have to detach the single certificate and the private key from the wildcard package without a certificate chain. The easiest way to do this is with openssl in a Linux machine. I have a Windows subsystem for Linux on my computer. Copy the wildcard certificate and the 3 certificates CA1 to CA3 into the home directory of the Linux machine.

For Ubuntu:
Detach the public and private keys from the certificate.

sudo -s
openssl pkcs12 -in networkguy.pfx -clcerts -nokeys -out networkguyStar.cer
openssl pkcs12 -in networkguy.pfx -nocerts -nodes  -out networkguyStar.key

With ll you can now see that you now have the public key “networkguyStar.cer” and the private key “networkguyStar.key”.

Now we need to build a new wildcard certificate where the certificate chain has the order required by the Clearpass. The Clearpass wants the wildcard certificate first, then the sub CAs and finally the root CA.

The following command is required for this:

cat networkguyStar.cer CA3.cer CA2.cer CA1.cer > networkguyStarfullchain.cer

Now we have created a chain of certificates suitable for the Clearpass. :D

The Clearpass does not trust the Root or Sub CA

If the wildcard certificate contains a root or sub CA that Clearpass does not know, this must be imported. For this we can simply use the CA1.cer to CA3.cer.
To do this, go to Administration / Certificates / Trust List in the Policy Manager and then click on Add. Select Usage under -Select to Add– Other. Do this with CA1.cer, CA2.cer and CA3.cer.

Then have fun with your Clearpass. (A cool product) :D

Have a nice day!

The post Aruba Clearpass problem with certificate chain appeared first on Network Guy.

• Maintenance Release
• Security Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12868 [Email] It is not possible to permanently block an IP from the SMTP-Proxy if authentication is enabled
• NUTM-13008 [Email] Public DNS causing blocked connection with RBL
• NUTM-13193 [Email] SPX portal 404 NO SUCH USER after upgrading to 9.708
• NUTM-12791 [Wireless] Address the Frag Attack vulnerabilities for Local Wifi and connected AP devices (see this article for more details)
• NUTM-13263 [Wireless] Integrate updated AP firmware (v. 11.0.017) to address FragAttack issues
• NUTM-12971 [WAF] Update Apache Runtime Library (APR) to address CVE-2021-35940
• NUTM-12861 [WAF] Upgrade Apache to address CVE-2020-13950, CVE-2021-26690, CVE-2021-26691, CVE-2021-34798, CVE-2021-39275, CVE-2021-40438

Download

https://ftp-astaro-com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.708006-709003.tgz.gpg

The post Sophos UTM 9.709-3 update released appeared first on Network Guy.

today I will talk about how you can separate the management vlan from the routing table.
Ok that sounds interesting but why do you want that?
In this scenario, I use an HPE Comware 5900 as a central core switch that routes between the individual VLANs. This means that the switch needs an IP address for each VLAN and can be addressed via this address.
And in addition, the requirement was that the management traffic be routed through a firewall to scan the data stream and block it if necessary.

Logical structure

Now comes the exciting part: Because the switch routes in the network, the management VLAN is accessible from all other networks and routes past the firewall directly into the management VLAN.
This also applies to the Out of Band Management Interface.

seperate the management vlan

To separate the management vlan or the OOBM interface from the routing table, we have to put it into a separate VPN instance.
this can be done with the following commands:

system view
ip vpn-instance Management
interface Vlan-interface666
 description Management-VLAN
 ip binding vpn-instance Management
 ip address 10.69.69.2 255.255.255.0
quit
ip route-static vpn-instance Management 0.0.0.0 0 10.69.69.1
s s f

If we now run a dis ip routing-table, we see that the management vlan is no longer included. And because we have a default route to the firewall, the management traffic is routed through the firewall.
For control you can you enter dis ip routing-table vpn-instance Management to see the additional routing table also with its own default route for the vpn instance.

Securing the remaining VLAN interfaces

OK, the management vlan is now protected by the firewall, but the switch can be reached via all other IP addresses four SSH, HTTPS or similar. Therefore, we now have to create a very very long advanced ACL that contains every IP of the switch. Except for the IP of the management vlan, otherwise no one can access it remotely :D Here it is important to specify only the individual IP of the switch. If you simply block ssh and co for 192.168.0.0/16, all other systems that fall under this IP range will also be affected.

ACL example for 2 VLANs

acl advanced name NoManagementAccess 
 rule 0 deny tcp destination 10.16.55.1 0 destination-port eq 22
 rule 1 deny udp destination 10.16.55.1 0 destination-port eq 22
 rule 2 deny tcp destination 10.16.55.1 0 destination-port eq 80
 rule 3 deny tcp destination 10.16.55.1 0 destination-port eq 443
 rule 10 deny tcp destination 10.18.69.1 0 destination-port eq 22
 rule 11 deny udp destination 10.18.69.1 0 destination-port eq 22
 rule 12 deny tcp destination 10.18.69.1 0 destination-port eq 80
 rule 13 deny tcp destination 10.18.69.1 0 destination-port eq 443
quit
ssf

Now the ACL must be bound to each VLAN interface for incoming traffic.

interface Vlan-interface100
 ip address 10.16.55.1 255.255.255.0
 packet-filter name NoManagementAccess inbound
 dhcp select relay
 dhcp relay server-address 192.168.0.66
 dhcp relay server-address 192.168.0.67
interface Vlan-interface101
 ip address 10.18.69.1 255.255.255.0
 packet-filter name NoManagementAccess inbound
 dhcp select relay
 dhcp relay server-address 192.168.0.66
 dhcp relay server-address 192.168.0.67
quit
ssf

The what, now the management interfaces of the core switch are only accessible via the firewall exclusively under the management vlan ip.

You don’t have to change anything for the edge switches, because they only have one IP from the management VLAN and then route via the firewall anyway.

Have a nice day!

The post HPE Comware how to separate the management vlan from the routing table appeared first on Network Guy.

today is Christmas Eve!

Unfortunately, there is only one small Christmas tree this year :)

I wish all of you nice Christmas days, a successful start to the new year 2022
and stay healthy!

The post Merry Christmas and a happy new year! appeared first on Network Guy.

• Maintenance Release
• Security Release

Remarks

• System will be rebooted
• Configuration will be upgraded

Issues Resolved

• NUTM-12646 [Access & Identity] User E-Mail addresses won’t be synced properly
• NUTM-12873 [Access & Identity] GUI issue with selecting Inbound/Outbound ipsec debug option
• NUTM-12904 [Access & Identity] DUO authentication fails back to AD with success
• NUTM-12434 [Basesystem] Yukon, Canada region timezone set to stop using DST
• NUTM-12507 [Basesystem] Getting error message for command ‘last’
• NUTM-12717 [Basesystem] Resolve OpenSSL issues – Remove DH cipher support – (CVE-2020-1968) & (CVE-2021-3712)
• NUTM-12748 [Basesystem] Address underscore.js vulnerability (CVE-2021-23358)
• NUTM-12739 [Email] E-Mails stuck in SMTP spool due to Sandstorm Scan
• NUTM-12798 [Email] SPX doesn’t work with “&” in the email local part
• NUTM-12875 [Email] PCI compliance scan failure due to exim ciphers
• NUTM-12932 [Email] Exim coredumps
• NUTM-12934 [Kernel] Fully implement RFC5961 compliance for SYN packets (CVE-2004-0230)
• NUTM-12385 [Logging] Automatic log deletion by age of log file not working correctly.
• NUTM-11404 [Network] Sierra Wireless MC7430 Qualcomm® SnapdragonX7 LTE-A 4G dongle goes down after few hours
• NUTM-12126 [Network] If “Skip rule on interface error” is not used multipath rule doesn’t work as expected
• NUTM-12184 [Network] WAN interface switched to DHCP
• NUTM-12519 [UI Framework] Post-auth SQLi in User Portal (CVE-2021-36807)
• NUTM-12524 [UI Framework] Add Cache-Control header for Web Admin and User Portal
• NUTM-13002 [UI Framework] AutoComplete Attribute Not Disabled for Password in Form-Based Authentication
• NUTM-12680 [WAF] Unable to renew Let’s Encrypt Certificate
• NUTM-12285 [Web] Avira scan fails for certain files during upload through Webproxy
• NUTM-11712 [Wireless] Built-in Wireless with two bridge to AP LAN errors and instability
• NUTM-12199 [Wireless] Issue with the certificate chain for Let’s Encrypt when used for hotspot
• NUTM-12372 [Wireless] LocalWiFi : Intermittently unable to connect to the Wireless SSID
• NUTM-12859 [Wireless] IPTtables rules are not created for AP being part of ‘Access Point Group’

Download

https://ftp.astaro.com.s3-eu-west-1.amazonaws.com/UTM/v9/up2date/u2d-sys-9.707005-708006.tgz.gpg

The post Sophos UTM 9.708-6 update released appeared first on Network Guy.