Check Point – Upgrade Without Dropping Connections

Check Point firewall upgrades have always been painful. The loss of connection state is a big part of this. Existing connections stop working, and many applications need restart. It looks like there is a way of minimising this pain on upgrade.

Stateful firewalls record the current ‘state’ of traffic passing through, so they can recognise and allow reply or related traffic. If you have a firewall cluster, they need to synchronise state between the cluster members. This is so that if there is a failover, the new Active node will be aware of all connections currently in flight.

If you have a failover, and the standby member is NOT aware of current connection state, it will drop all currently open sessions. Any packet that isn’t a SYN packet will get dropped, and the applications need to establish new connections. Some applications handle this well – especially those that use many short-lived connections such as HTTP or DNS. But other applications that have long-running connections – e.g. DB connections – may struggle with this. They think the connection is still open, and take a long time to figure out it’s broken. They may eventually recover on their own, or they may Continue reading

CCIE sponsorship proposal example

Departing the lovely, sterile, electronic testing center after passing the final CCNP Route/Switch exam, and I’m on the way to the local pub to celebrate. You know what I’m already thinking about: gotta ride that wave, right? Stoke the flames, feet off the pedals down the hill, ride the momentum up the next, and all […]

Author information

quingenerd

Network Engineer at Healthcare Specialty Benefits Management company

Quentin Demmon is network engineer, hobbyist weightlifter (the type you see at the Olympics), and wannabe philosopher. He is excited to be blogging about his CCIE journey in gory, melodramatic detail. Follow him on twitter, facebook, and instagram.

TwitterFacebookLinkedIn

The post CCIE sponsorship proposal example appeared first on Packet Pushers Podcast and was written by quingenerd.

HP IMC Silent Installation

HP IMC installation is normally a manual process, with plenty of clickey clickey clickey. This is OK for production systems, as most sites will only have one or maybe two IMC servers. But for my lab, I wanted to automate the install, so I can quickly spin up a new lab system. I have now found an undocumented, unsupported way of doing this.

There’s two parts to this – preparing the underlying OS & DB, and installing IMC. I am writing Ansible playbooks to handle the OS + DB setup. That’s working, but it needs a bit of cleanup. Once that’s done, I’ll integrate it with Vagrant. Then I should be able to completely automate the install of a lab IMC system. I will write another post on that once it’s complete.

To install IMC silently, create an “install.cfg” file to define your settings. Then tweak the installation script to call the silent installer, not the interactive install.

FCC will vote next month on plan to share valuable 3.5GHz spectrum

The U.S. Federal Communications Commission will vote April 17 on a spectrum-sharing plan for a band that could serve the military, mobile service providers and individuals.The CBRS (Citizens Broadband Radio Service) would open up frequencies from 3550-3700MHz to three classes of users, including owners of new mobile devices who could use the service like they do Wi-Fi. The FCC vote comes after several rounds of study and public comment on the proposal for more than two years.In that time, growing demand for wireless spectrum has boosted pressure on the government to share or auction off some of the many frequencies it exclusively controls. Bandwidth-hungry services like streaming video and audio, plus wireless links for a growing array of connected devices, are expected to eventually place strains on the spectrum currently allocated to wireless data.To read this article in full or to leave a comment, please click here

Scraping data from a BT home hub 5

If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.

Current byte counters on the Internet interface (down/up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml \
    | sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'

Current synced up speeds in bps (down / up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml \
    | sed -r '/status_rate/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/\2 \1/g;p};d'

Misc note

First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.

curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js \
    | sed -r '/wan_conn_volume_list/{N;s/.*\[.//;s/[^0-9]\],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/\1 \2/g;p};d'

But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.

In conclusion

Yet another reason these routers are completely retarded. Other examples:

• Internal Continue reading

Scraping data from a BT home hub 5

If you have BT broadband and want to graph the synced speed and actual use of your broadband connection, and you use the BT provided router (Home Hub), then you can’t use SNMP to get these counters. But you can get the data over HTTP without too much trouble. Here’s some ugly one-liners for doing that.

Current byte counters on the Internet interface (down/up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml 
    | sed -r '/wan_conn_volume_list/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/^[0-9]+ ([0-9]+) ([0-9]+)$/1 2/g;p};d'

Current synced up speeds in bps (down / up)

curl -s 192.168.42.1/nonAuth/wan_conn.xml 
    | sed -r '/status_rate/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/^([0-9]+) ([0-9]+) [0-9]+ [0-9]+/2 1/g;p};d'

Misc note

First I tried this. And it appeared to work. But only if someone had logged in to the web UI recently.

curl -s 192.168.42.1/cgi/cgi_ad_B_Internet.js | sed -r '/wan_conn_volume_list/{N;s/.*[.//;s/[^0-9]],$//;s/%3B/ /g;s/.* ([0-9]+) ([0-9]+)$/1 2/g;p};d'

But then I try it on a different machine and… Oh… oh no. Oh say it ain’t so. Don’t tell me the BT home hub security is based on IP address? Oh… oh it is.

In conclusion

Yet another reason these routers are completely retarded. Other examples:

• Internal databases Continue reading

Intel could strengthen its server product stack with Altera

Intel’s chips dominate servers in data centers, but the possible acquisition of Altera could help the company provide a wider variety of custom chips designed to speed up specific applications, analysts said on Friday.Intel is in talks to acquire Altera, which has a market capitalization of $10.4 billion [B], according to a report in the Wall Street Journal. Intel and Altera declined to comment on negotiations or any deal.Altera makes FPGAs, which are specialized chips that can reprogrammed to run specific tasks at much higher speeds than CPUs. Intel makes Altera’s FPGAs in its factories and has also mentioned plans to use FPGAs with its server chips.To read this article in full or to leave a comment, please click here

Kleiner Perkins cleared of sex discrimination against Ellen Pao

A jury has found mostly in favor of Kleiner Perkins Caufield & Byers in a historic lawsuit accusing one of Silicon Valley’s best-known venture capital firms of sex discrimination.The jury found against Ellen Pao on three out of four claims, including whether her gender was a factor in Kleiner Perkins’s decision not to promote her, according to reporters tweeting from the courtroom Friday.There was some confusion after the verdict was read, however, because the jury of six men and six women did not reach a sufficient majority on one question: whether Kleiner Perkins retaliated against Pao by terminating her employment after she complained that she was discriminated against.To read this article in full or to leave a comment, please click here

Facebook reveals the logic behind its forced Messenger split

Facebook annoyed and puzzled many people last year when it forced them to download its Messenger app for chats. Its reasons for doing so are now clearer: Messenger is becoming a beast of an app, with its own links to outside businesses and software apart from Facebook’s main site.At the company’s F8 developer conference this week in San Francisco, executives pulled back the curtain on the new Messenger. It’s now a storefront and a platform for other mobile apps, which can be downloaded from within Messenger and integrated into people’s Messenger chats. There are more than 40 outside app partners already aiming to spice up users’ conversations with things like personalized GIFs, tools to turn your texts into songs, and even sports animations from ESPN. The apps can be accessed by hitting the “...” button on the Messenger compose screen.To read this article in full or to leave a comment, please click here

Facebook reveals the logic behind its forced Messenger split

Facebook annoyed and puzzled many people last year when it forced them to download its Messenger app for chats. Its reasons for doing so are now clearer: Messenger is becoming a beast of an app, with its own links to outside businesses and software apart from Facebook’s main site.At the company’s F8 developer conference this week in San Francisco, executives pulled back the curtain on the new Messenger. It’s now a storefront and a platform for other mobile apps, which can be downloaded from within Messenger and integrated into people’s Messenger chats. There are more than 40 outside app partners already aiming to spice up users’ conversations with things like personalized GIFs, tools to turn your texts into songs, and even sports animations from ESPN. The apps can be accessed by hitting the “...” button on the Messenger compose screen.To read this article in full or to leave a comment, please click here

SDxCentral News Roundup — March 27, 2015

Guess who's building a hypervisor! Also, Huawei backs ONOS and Red Hat cranks up virtual storage.

Tim Cook plans to donate all his money to charity

On the path to becoming a billionaire, like many prominent tech CEOs before him, Apple's Tim Cook isn't the type of guy prone to blowing large sums of cash on lavish expenditures like yachts, mansions, and fast cars.On the contrary, Cook revealed in a recent in-depth interview with Fortune that he plans to quietly give away all of his money to charity, save of course some money set aside for his nephew's college education. He plans to give away all his wealth, after providing for the college education of his 10-year-old nephew. There should be plenty left over to fund philanthropic projects. Cook’s net worth, based on his holdings of Apple stock, is currently about $120 million. He also holds restricted stock worth $665 million if it were to be fully vested. Cook says that he has already begun donating money quietly, but that he plans to take time to develop a systematic approach to philanthropy rather than simply writing checks.To read this article in full or to leave a comment, please click here

French self-driving car goes for a spin around Paris monument

For this self-driving car, the roadside hazards included traffic jams, undisciplined bystanders—and centuries-old cannons.That’s what you get when you demonstrate your latest technology at the National Army Museum in central Paris, as French companies Safran and Valeo did on Friday.Safran, a defense contractor, and Valeo, an automotive parts manufacturer, kitted out a Volkswagen CC with radar, lidar and all-round cameras for their demonstration, and let it loose on a winding track around the museum grounds. They wanted to show how close the European automotive industry is to its goal of having self-driving cars for sale in 2020.There were no wheel-spins or clouds of dust: This was a simulated urban environment with traffic lights, slow-moving or stopped vehicles ahead, and speed limits of 20 km/h or less. The car glided to a halt a few meters behind a stopped vehicle, moving on as soon as the way was clear; respected stop signals; and slowed gently at a variable sign indicating the speed limit had dropped to 10 km/h. When the curious crowd spilled into the road at the circuit’s finish line, the car pulled up cautiously a few meters short of the line.To read this article in Continue reading

USB Type-C peripherals are on the way, and storage devices are first up

With Apple’s latest MacBook and Google’s newest Chromebook just out and featuring the new USB Type-C connector, we’re on the lookout for peripherals that use the interface, and storage devices appear to be first out of the gate.Because the Type-C connector can be used to recharge laptops, it may ultimately do away with the need to carry bulky power adapters. Like older USB technology, Type-C will also connect monitors, external storage drives, printers, cameras and other peripherals. One beauty of the system is that cables have the same connector on both ends, and can be inserted into ports without worries about which side is up or down.Storage devices will eventually benefit from Type-C’s USB 3.1 protocol, which can transfer data at 10Gbps (bits per second), double that of USB 3.0. But the first peripherals we’re seeing support only USB 3.0 speeds.To read this article in full or to leave a comment, please click here

5 freshly-funded cloud computing companies worth watching

Investors made a crowd around the cloud this week, investing $175 million in companies focused on everything from storage to the WAN to the supply chain.Sure, “the cloud” is a broad term and in reality, what new tech company doesn’t have some cloud angle? But 5 companies that announced funding this week, some familiar to us and some not, all have legit claims on being cloud computing businesses.The big winner of the bunch this week was FinancialForce.com, a San Francisco cloud ERP provider based on the Salesforce1 Platform that touted $110 million in fresh funding led by Technology Crossover Ventures. Existing investor Salesforce Ventures also chipped in. The $110 million, which will go toward product development, sales, marketing and more, adds to $50 million committed about a year ago by Advent International.To read this article in full or to leave a comment, please click here

Build Your CCIE Security Knowledge with Cisco Docs!

A good knowledge of Cisco’s Documentation is what could make a difference in passing or failing the exam. Because of that, I would like to show you how to access most useful Doc CD resources on a per blueprint-section basis. In addition, we will also take a look at the location of a particular document, so you know how to access it without using the Search function. Same thing as what you will have to do to access those resources in the lab.

Unless otherwise mentioned, all documents discussed in this blog are part of Configuration Guides.

1.System Hardening and Availability

Probably the most useful doc here will be for Control Plane features. However, I am going to show you more so you at least know how to find them.

Our starting point for this section is IOS Configuration Guides :
IOS and NX-OS Software -> IOS -> IOS Software Release 15M&T -> 15.2M&T

Routing Protocol Authentication :

IP Routing : RIP -> Configuring Routing Information Protocol
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_rip/configuration/15-mt/irr-15-mt-book/irr-cfg-info-prot.html
IP Routing : EIGRP -> IP EIGRP Route Authentication
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ire-rte-auth.html
IP Routing : EIGRP -> IPv6 Routing : EIGRP Support
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/ire-15-mt-book/ip6-route-eigrp.html
Continue reading

PlexxiPulse—Reflecting on Arrow’s IoT Immersions Conference

We took a short ride to Boston this week’s for Arrow’s Internet of Things Immersions Conference. Dave Husak, our CTO and EVP of products and technology, participated in a panel alongside executives from Arrow, EMC, Intel, NXP and Oracle to discuss the role software defined networking will play in future Big Data deployments. Dave spoke to why innovative infrastructure is necessary to manage mixed workloads and big data jobs of different priorities. Interested in seeing Plexxi in action? We’ll be on the road for the next few months—stay tuned or drop us a line at [email protected] for more information.

Below please find a few of our top picks for our favorite news articles of the week. Have a great weekend!

Light Reading: Open Networking Acronym Soup
By Marc Cohn
During the past few years, software-defined networking (SDN) and network functions virtualization (NFV) have emerged as the next big thing in networking. As a result, we’ve seen established networking standards development organizations (SDOs) such as the ITU, IETF, TMF, among others, leap on the bandwagon to address SDN and NFV. In addition, many new industry groups have been created, including the ONF, ETSI NFV ISG and ONUG, not to mention Continue reading

Congress moves quickly on cyberthreat information sharing

The U.S. Congress is moving forward quickly with legislation that would encourage private companies to share cyberthreat information with government agencies, despite concerns that two leading bills weaken consumer privacy protections.The House of Representatives Intelligence Committee voted Thursday to approve the Protecting Cyber Networks Act (PCNA), just two days after the bill was introduced.The House bill “is a cybersurveillance bill at least as much as it is a cybersecurity bill, and it is written so broadly that it could wind up making the Internet less safe,” Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute [OTI], said by email.To read this article in full or to leave a comment, please click here

F5 & Cisco DemoFriday Q&A + Video: Facilitating & Automating L4-L7 Services Using F5 BIG-IP & BIG-IQ

In a special DemoFriday, we saw how F5 BIG-IQ can manage the delivery of application services in Cisco ACI environments. After the demo, our presenters took some questions. Read the full Q&A now!

New mobile-malware detection technique uses gestures

Mobile malware is a growing problem, but researchers from University of Alabama at Birmingham have figured out a new way of detecting when shady mobile apps get up to no good, such as trying to call premium-rate numbers unbeknowst to a phone’s owner.The technique relies on using the phone’s motion, position and ambient sensors to learn the gestures that users typically make when they initiate phone calls, take pictures or use the phone’s NFC reader to scan credit cards.Some mobile malware programs already abuse these services and security researchers expect their number will only increase.The technology developed by the UAB researchers can monitor those three services and can check whether attempts to access them are accompanied by the natural gestures users are expected to make. If they’re not, they were likely initiated by malware.To read this article in full or to leave a comment, please click here