FSPMS 15.30 offline software update

Tomarppe W/ Alumni Posts: 2 Security Scout
edited August 2022 in WithSecure Business Suite

Hi,

I have a security level 3 system that does not allow any connections to the outside including proxies.

The only way to bring outside updates etc. is e.g. by disconnecting a server from the internal network and connecting it to the internet, downloading the updates, disconnecting the public net, doing a virus check and then connecting it to the internal network.

Is there a way that e.g. FSPMS Proxy could be configured so that it would download all the required updates for software updater when connected to the outside network and then serve them to the internal network when disconnected from the external network and connected to the internal?

This can be done for the virus definitions using the supplied tool (import-f-secure-updates.bat) but I have not found anything for the software updates.

I could not find any documentation on this, but I might just be bad at searching...


Br, Tom

Best Answer

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff
    Answer ✓

    Hi Tom,

    Policy Manager does not know about needed installers beforehand, it downloads them on the fly: client request – PM downloads. In theory, it is possible to fetch the list of requested URLs out of the request.log, disconnect PM from the local network, connect it to the internet and call the whole list of URLs via curl or a similar tool. Once PM gets all installers cached, disconnect it from the internet, connect to the LAN and run the SWUP deployment again.

    Please note that PM caches SWUP download failures (1 hour by default, can be tweaked with the swup.cache.ttl.failedToDownloadEntries additional_java_args) and thus won’t retry to download updates requested for the past hour.

    Implementing a tool similar to import-f-secure-updates.bat is tricky and does not fit most “isolated” needs: it has to fetch some data from PM first, while import-f-secure-updates.bat is a one-direction tool and nothing is transferred from the isolated network to the connected one.

     

    As for chaining PM via the PMP to the internet – this setup is not supported for SWUP installers, GUTS2 is the only supported protocol.
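
The replay step described in the answer above, as an added example that is not part of the original thread and not WithSecure tooling: it pulls unique URLs out of log lines, keeps only those on an allowlisted host, and requests each one so that failures are reported. The log layout, the host name `pm.example.internal` and the sample lines are constructed assumptions.

```python
import re
import urllib.request
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample lines; the real request.log layout is an assumption here.
SAMPLE_LOG = """\
2022-08-01 10:00:01 10.0.0.5 GET https://pm.example.internal/swup/placeholder-a.msi 502
2022-08-01 10:00:02 10.0.0.6 GET https://pm.example.internal/swup/placeholder-a.msi 502
2022-08-01 10:00:03 10.0.0.7 GET https://pm.example.internal/swup/placeholder-b.exe 502
2022-08-01 10:00:04 10.0.0.8 GET http://other.example.net/unexpected.bin 404
""".splitlines()


def extract_urls(lines, allowed_hosts):
    """Return (accepted, rejected) unique URLs in first-seen order."""
    accepted, rejected, seen = [], [], set()
    for line in lines:
        for url in URL_RE.findall(line):
            if url in seen:
                continue
            seen.add(url)
            host = (urlsplit(url).hostname or "").lower()
            # Only hosts the operator expects are replayed while on the internet.
            (accepted if host in allowed_hosts else rejected).append(url)
    return accepted, rejected


def http_fetch(url, timeout=300):
    """Request the URL and discard the body; only the status matters."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        while resp.read(1 << 20):
            pass
        return resp.status


def replay(urls, fetch=http_fetch):
    """Fetch each URL once; return {url: status or error text}."""
    results = {}
    for url in urls:
        try:
            results[url] = fetch(url)
        except Exception as exc:  # keep going so every failure is reported
            results[url] = f"error: {exc}"
    return results


if __name__ == "__main__":
    ok, skipped = extract_urls(SAMPLE_LOG, {"pm.example.internal"})
    print("to replay:", ok)
    print("skipped (host not allowlisted):", skipped)
```

A URL that `replay` reports as failed may stay cached as a failure for the period mentioned in the answer, so review the result before reconnecting to the LAN.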

This discussion has been closed.