Firewall Wizards mailing list archives
Re: Scheduling PIX commands
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Tue, 5 Aug 2008 09:48:27 -0400
Yes, the xlates should time out, but that all depends on how they are configured. You can create a global timeout or one that is done through your translations, such as with the static command. So, in short, what is the timeout configured for this system? By default I think the timeout is set to 3 hours anyway. So if you went ahead and made the xlate change, it should start using the new translation, and the old xlate will persist until it is idle for 3 hours (if configured for the default).

Now, if this system is never idle for 3 hours but there are moments where it is idle for at least one minute, you could change the timeout variable for this one translation (if a one-to-one static is set) or globally to one minute. Once you see that it has been idle for at least a minute, it should start using the new translation.

Now, this is one convoluted way of doing it, whereas a clear xlate should only kill the current active sessions, and they will be immediately rebuilt on the next couple of packets.

Kevin

On Mon, Aug 4, 2008 at 10:19 PM, Lord Sporkton <lordsporkton () gmail com> wrote:
> I know it's a good idea to be within reboot distance of a device if you are changing the configuration, but if all you are doing is clearing the xlate table, I don't see how that could go very wrong.
>
> @OP I could be wrong, but wouldn't 99% of your connections time out and clear from the xlate table within 24 hours anyway? If you have to wait till the middle of the night anyway, why not just let it ride out? (Not sure if that's acceptable or not in your situation.) I ask especially because I have considered this many times myself.
>
> 2008/8/4 Brian Ford <brford () cisco com>:
>> Ian,
>>
>> This is why you are paid the big bucks (or pounds). Even if there was a way of executing a clear xlate (or any other connection-impacting command), you should be sitting in front of a console within a few minutes' walk of the actual appliance when you execute the command. You should also be thinking about testing that the firewall and associated equipment is back up and running properly after the action, as part of your change control activity.
>>
>> Liberty,
>>
>> Brian
>>
>> On 7/9/08 12:00 PM, "firewall-wizards-request () listserv icsalabs com" <firewall-wizards-request () listserv icsalabs com> wrote:
>>> Date: Thu, 03 Jul 2008 15:22:49 +0100
>>> From: "Ian Rarity" <Ian.Rarity () espc com>
>>> Subject: [fw-wiz] Scheduling PIX commands
>>> To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv cybertrust com>
>>> Message-ID: <486CEECC.30AB.00D5.0 () espc com>
>>> Content-Type: text/plain; charset=US-ASCII
>>>
>>> Hi all,
>>>
>>> We've just made some changes to our PIX config, and we need to clear the xlates to make the changes fully live. The only problem with this is that we also have another system that will react badly (to put it mildly) to the state of all its connections disappearing when we do this. This system gets an hour's downtime at 2am, so the ideal time to clear the xlates on the PIX seems obvious.
>>>
>>> The only problem is that, although I'm mainly nocturnal, I really can think of better things to be doing at 2am than sitting in our server room. Does anyone know of a way to schedule commands to run at a specified time on a PIX 6.3 firewall?
>>>
>>> Ta,
>>>
>>> IR.
>>>
>>> *********************************
>>> Ian Rarity
>>> Technical Engineer
>>> ESPC (UK) Ltd.
>>> T: (44)131 624 8000
>>> F: (44)131 624 8509
>>> http://www.espc.com
>>>
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards () listserv icsalabs com
>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> --
> -Lawrence
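The two approaches Kevin describes (ageing the stale translation out via the xlate idle timeout, or clearing it with clear xlate), as an added PIX 6.3 CLI example that is not part of the thread and was not posted by any of the participants. The interface names, the 10.0.0.0/24 and 192.0.2.0/24 addresses and the prompt are made up; the lines beginning with "!" are annotations, not commands. The selective clear xlate local form is taken from the 6.3 command reference and is the narrower option a practitioner would try before clearing the whole table.

```text
! Check the translation-slot idle timeout before changing anything
! (PIX 6.3 default is 3:00:00, the minimum is 0:01:00).
pix# show timeout

! Assumed change that prompted the question: a one-to-one static
! for a re-addressed host. The old xlate for 10.0.0.10 stays in the
! table until it is cleared or idles out.
pix(config)# static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255

! Option A (Kevin's workaround): drop the global idle timeout so the stale
! slot ages out during the next one-minute quiet period, then put it back.
! Note this lowers the timeout for every dynamic translation on the box
! while it is in effect, not just the one being replaced.
pix(config)# timeout xlate 0:01:00
! ... wait for the idle period, confirm with "show xlate" that the old entry is gone ...
pix(config)# timeout xlate 3:00:00

! Option B: clear only the translation slots for the changed host, leaving
! the sensitive system's own translations (and its connection state) alone.
pix# clear xlate local 10.0.0.10

! Post-change verification (Brian's point): confirm the new translation is
! present and that traffic rebuilds state before signing off the change.
pix# show xlate
pix# show conn
```

PIX 6.3 has no built-in job scheduler, so if either step has to run unattended at 2am it must be driven from a management host (for example cron plus an ssh session to the PIX), and the verification commands at the end belong in that same job so that the result is logged rather than assumed.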
Current thread:
- Re: Scheduling PIX commands Christopher J. Wargaski (Aug 01)
- <Possible follow-ups>
- Re: Scheduling PIX commands Rohman, Mike (Chicago) (Aug 01)
- Re: Scheduling PIX commands Brian Ford (Aug 04)
- Re: Scheduling PIX commands Lord Sporkton (Aug 05)
- Re: Scheduling PIX commands Ian Rarity (Aug 06)
- Re: Scheduling PIX commands kevin horvath (Aug 06)
- Re: Scheduling PIX commands Lord Sporkton (Aug 05)
- Re: Scheduling PIX commands Brian Ford (Aug 06)
