UPDATE Offline



  • How to perform offline update in isolated network?



  • Goto https://www.pfsense.org/download/ - download the latest version - save on media
    Goto the site, (re) install from media.

    Packages ... not possible I guess.


  • Rebel Alliance Global Moderator

    you could manually download all the packages and dep... but yeah that would be a real PITA..

    I don't think the download website has like p1 though for 2.4.3 as example

    The support portal has links when you have netgate appliance to even the pX versions. But not sure about the CE versions? I believe the links to like old versions are no longer? The old atxfiles links only give 403 currently.



  • The pkg package manager can use local files for updates but the update system in pfSense has no provisions for such use. Maybe someone can raise a bounty for this feature.


  • Rebel Alliance Developer Netgate

    I have never tried this but you could probably do a pkg fetch of an identically configured instance which has an internet connection and also needs the update, and then grab the contents of that firewall's pkg database and cache and copy it over, then run the update.

    The upgrade script itself does the fetch before it runs so it has all the packages in place locally before running.

    To reiterate, though: untested, may explode, may kill you and hurt the entire time you're dying, may work fine.



  • The way I would do it is to define a local repository to be used during the update. For example if the update files are on an USB memory stick mounted at /media and the root folder of the ready made update repo is at the the /updates folder of the stick the repo definition would look like:

    local: {
        url             : "file:///media/updates",
        enabled         : yes,
        signature_type  : "PUBKEY",
        pubkey          : "/some/public.key",
    
    }
    

    Then you'd have to force the use of this repo with the -r command line parameter for all operations, i.e:

    pkg update -f -r local
    pkg upgrade -r local
    


  • Thanks, i'll see how i can do it.
    but it will be complicated, I have 10 netgate that are physically away from me.

    Do you know if there is a development in progress, to remedy this difficulty?

    and if a central management system is under development?



  • @denisp said in UPDATE Offline:

    but it will be complicated, I have 10 netgate that are physically away from me.

    I'm just curious : where these systems placed, that they are not not connected ?



  • They are placed in a network mpls of a client, who does not have access to internet



  • @gertjan said in UPDATE Offline:

    I'm just curious : where these systems placed, that they are not not connected ?

    I don't know the specifics of this user's situation, but I come from a background of firewall administration in networks associated with electrical power generation and distribution critical infrastructure. There are many places where firewalls protecting critical control networks are forbidden by federal regulations from having Internet access. In fact they can't even have inbound access from business networks of the company. The control networks are isolated from business networks and the Internet by one-way data diode boxes that allow traffic outbound from the critical network for monitoring purposes, but nothing can come into the control network from outside.

    Providing update capabilities for these isolated networks is something most vendors fall short on both with firewall and anti-virus products. Having a workable offline update process would be a market advantage in my opinion.



  • @bmeeks : Thanks for the extra insight.

    An easier updating system, I understand the question better know.
    But also : these systems seem pretty mission-critical to me. The fact that they are isolated takes away all forms of "firewall aggressions" from the outside.
    I guess this means an administrator should upgrade to a stable version thats out there for several weeks or even months. This version should be test-driven on comparable non-critical systems - and if it behaves well for some time (more weeks ?), only then an on-site deployment should be considered.

    For mission-critical installation that can't be reached by humans easily, I would could call the NASA for advice, they have some experiences with isolated systems (and still, some Apollo flight did have there "update stories") ☺



  • @gertjan said in UPDATE Offline:

    But also : these systems seem pretty mission-critical to me. The fact that they are isolated takes away all forms of "firewall aggressions" from the outside.

    Being isolated does not necessarily reduce risk. The biggest threat is human error with portable media (USB sticks, flash memory cards, etc.) that can "migrate across" those data diode devices I mentioned. Of course there are many rules and procedures governing portable media control, but any process with a human involved can break.

    The firewalls are used to segment various control and monitoring networks and plant systems from each other. They provide routing between control networks when necessary and police the traffic that passes to insure it is authorized and expected. So really not any different from what firewalls do at the perimeter of any network and the Internet. You want to keep your firewall software somewhat current to stay ahead of any known flaws.

    Anti-virus software updates are another problem in need of a good offline update solution. Again, because of the threat posed by USB devices and other portable media, you want your workstations on control networks running AV. But AV quickly becomes useless without weekly and sometimes daily updates.

    All of this is a big headache for the cybersecurity guys working the nation's critical infrastructure ... 😓


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy