
Upgrading 17 to 18: experiences and criticism

Hi,

I'm looking for users' advice and experience on upgrading to 18, especially directly from 17.5 to the latest 18.

I'm thinking about upgrading in the next few days, but we are a critical organization and I'm reading several criticisms, especially from the NAT rules point of view. Can anyone share their experience? I want to upgrade, but I cannot disrupt connections or VPN connections; we are a 24/7 organization, and we have a TON of policies and NAT rules...

We have an XG330 cluster in HA mode.

Best Regards,

Simone



  • I was excited to upgrade to 18 because of the added fixes for the DUO DualAuth push timeout issue and the upgraded ModSecurity modules. Unfortunately a few things we didn't expect went sideways in our deployment with this move. Because the WAF logging is weak at best in the GUI, we opted to tail the reverseproxy.log out to our Elasticsearch cluster so we could keep a better eye on it. This is possible by scripting an SSH session and invoking netcat to pipe the output to one of our Logstash servers. Worked great... but with the upgrade we needed to add a watchdog to the SSH session, because with the new firmware SSH sessions are limited to 15 mins unless poked at. No problem, got around that... Problem number 2 was that in 18 the country blocking module was no longer working for my WAF pipelines because of something to do with fast path processing routing around the filter for the WAF. That was annoying as well, and I ended up having to implement a blackhole DNAT for any offending countries. I was also told that MR5 fixes this issue... I upgraded and found that this was not true. And not only was that not fixed, in MR5 they removed NC from the OS and my WAF log ingestion would no longer function as I had it. So while I was able to fix my DUO MFA timeout issues, it's been a real treat working around the other "enhancements". I suspect the SSH timeout and removal of NC were security enhancements, but I can't help feeling that it was actually because I had shared my methods and this may have thrown up some ???'s. So basically we are now stuck at MR4 unless I come up with a way to stream that logfile. We have somewhat outgrown our XGs, but the pain of moving on is a valid consideration, especially with all of our optimizations and methods we use to get around the limitations.

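
One way to keep shipping that log without depending on netcat on the appliance, as an added example that is not the poster's script or Sophos code: run only `tail -F` on the firewall inside an SSH session that the client keeps alive, and do the TCP forwarding to Logstash from the collector host. The hostnames, account, port and log path are placeholders, and it assumes the scripted SSH login lands in a shell where `tail -F` can run, as the poster's own session did.

```shell
#!/bin/sh
# Added example, not from the thread: ship a firewall log to Logstash over SSH with
# the TCP client on the collector, so nothing beyond a readable log and `tail -F`
# is needed on the appliance. Hosts, user, port and path are placeholders.
XG_HOST="${XG_HOST:-xg.example.internal}"       # firewall (placeholder)
XG_USER="${XG_USER:-loguser}"                   # read-only account (placeholder)
XG_LOG="${XG_LOG:-/log/reverseproxy.log}"       # assumed location of reverseproxy.log
LS_HOST="${LS_HOST:-logstash.example.internal}" # Logstash tcp input host (placeholder)
LS_PORT="${LS_PORT:-5000}"                      # Logstash tcp input port (placeholder)

# Wrap each raw line as one JSON object per line (for a Logstash json_lines codec).
# Escapes backslashes and double quotes, the two characters that break JSON strings.
json_wrap() {
  src="$1"
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
  while IFS= read -r line; do
    printf '{"source":"%s","message":"%s"}\n' "$src" "$line"
  done
}

# Client keepalives every 60 s stop the appliance's idle timeout (15 min per the
# thread) from dropping the session; three missed replies end a dead one so the
# watchdog below reconnects instead of hanging on a stale connection.
remote_tail() {
  ssh -o BatchMode=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
      "$XG_USER@$XG_HOST" "tail -n 0 -F '$XG_LOG'"
}

# Watchdog: if ssh, the wrapper or the TCP sender exits, wait and reconnect.
# netcat runs here on the collector, never on the firewall.
stream_forever() {
  while :; do
    remote_tail | json_wrap "$XG_HOST" | nc "$LS_HOST" "$LS_PORT"
    echo "$(date -u +%FT%TZ) link dropped, reconnecting in 10 s" >&2
    sleep 10
  done
}

# Start streaming only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
  stream_forever
fi
```

Lines lost while the link is down are not buffered on this path; a restart of the collector side reconnects but resumes from the current end of the file.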