To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

FSPMS 15.30 offline software update

Options
Tomarppe
Tomarppe W/ Alumni Posts: 2 Security Scout
edited August 2022 in WithSecure Business Suite

Hi,

I have a security level 3 system that does not allow any connections to the outside including proxies.

The only way to bring outside updates etc. is e.g. by disconnecting a server from the internal network and connecting it to the internet, download the updates, disconnect the public net, do a viruscheck and then connect it to the internal network.

Is there a way that e.g. FSPMS Proxy could be configured so that it would download all the required updates for software updater, when connected to the outside network and then serv them to the internal network when disconnected from the external network and connected to the internal?

This can be done for the virus definitions using the supplied tool (import-f-secure-updates.bat) but I have not find anything for the software updates.

I could not fins any documentation on this, but I might just be bad at searching...


Br, Tom

Best Answer

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff
    Solved
    Options

    Hi Tom,

    Policy Manager does not know about needed installers beforehand, it downloads them on the fly: client request – PM downloads. In theory, it is possible to fetch the list of requested URL out of the request.log, disconnect PM from the local network, connect it to the internet and call the whole list of URLs via curl or similar tool. Once PM gets all installers cached, disconnect it from the internet, connect to the LAN and run the SWUP deployment again.

    Please note that PM caches SWUP download failures (1 hour by default, can be tweaked with the swup.cache.ttl.failedToDownloadEntries additional_java_args) and thus won’t retry to download updates requested for the past hour.

    Implementing the tool similar to import-f-secure-updates.bat is tricky and does not fit most of “isolated” needs: it has to fetch some data from PM first, while import-f-secure-updates.bat is a one direction tool and nothing is transferred from the isolated network to the connected one.

     

    As for chaining PM via the PMP to the internet – this setup is not supported for SWUP installers, GUTS2 is the only supported protocol.

Answers

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff
    Options

    Hi,

    You may refer to the below help page article for more information on setting up Policy Manager Proxy:

    https://help.f-secure.com/product.html#business/policy-manager/15.20/en/task_6653FE3CB6EA48B6B73DF0497F1190CB-15.20-en

  • Tomarppe
    Tomarppe W/ Alumni Posts: 2 Security Scout
    Options

    Hi Monika,

    I have read that, and the proxy is installed but how do I get all the required software updates "loaded" into the cache as the Policy Manager cannot be connected to it while it is on an external network. Security Class 3 networks do not allow a proxy service to an unsecure network.

    A acceptable solution for a closed network like this would be much like the import-f-secure-updates.bat but for all software updates.

    Br, Tom

This discussion has been closed.

Categories