@james.carson said: @greggmh123
If you're autoreactive for it should be safe. I wouldn't use a service you can't control like a dynamic DNS provider if you can avoid it.
If you want to use static IPs, I'd suggest making an Alias in Setup -> Aliases and using that on your WatchGuard and WatchGuard WebUI policies (that way you only have to update it once, vice 2+ times.)
Comments
@Bruce,
Correct Bruce. I've only highlighted the dynamic one. "...saved for later use..." as in until the TTL expires. Should've been more clear here.
@Ralph Thank you.
Is WatchGuard planning to allow upgrading the firmware for people that have not renewed LiveSecurity? Like a one-time thing? Other companies have done that in the past.
@jeff The fix version (12.7.2 Update 2, 12.5.9 Update 2, and 12.1.3 Update 8, depending on your hardware) should allow an upgrade for any firewall whether it has an active support entitlement or not. The detection tools will also work for any currently supported firewall regardless of support entitlement.
-James Carson
WatchGuard Customer Support
"If you want to use static IPs, I'd suggest making an Alias..." is what I am already doing for my static IP locations.
"you can't control like a dynamic DNS provider"
I wonder if we can trust any DNS provider, dynamic or otherwise. DynDNS is a huge dynamic DNS provider.
Gregg Hill
When I try to upload a support.tgz file at https://detection.watchguard.com/Detector, I get an error stating "Error requesting upload URL" and I have to bypass HTTPS/DPI to get the files to upload.
Gregg Hill
@greggmh123
The TGZ is a G-Zipped Tarball (an archive) so GAV will likely spend some time scanning through it. If making an exception works that's likely the best way to handle it.
-James Carson
WatchGuard Customer Support
OS upgrade doesn't work from either the "Download and Install" option or the "I have an upgrade file" function. The first fails because the servers are down, and with the second I get an 'is_admin' error. So how are we supposed to upgrade then?
Is there a way to upgrade the OS from the WatchGuard System Manager app? If so, how?
From WSM, you should be able to open Policy Manager, then upgrade from PM.
Gregg Hill
This site https://www.cisa.gov/uscert/ncas/alerts/aa22-054a states, "Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected."
When it says "remote management interfaces", just exactly what are we talking about? The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?
Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?
Gregg Hill
WSM Policy Manager -> File -> Upgrade
And you need to have downloaded the OS file and installed it.
Then you can select it in Upgrade.
just curious, in the web detector, if you don't check the "optional box", does watchguard see any of the log files?
The last line on the detector page states, "For information about how data is handled by the Cyclops Blink Web Detector and the other detection tools that WatchGuard provides, see this article."
That leads here https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOBISA4&lang=en_US
I am working on other stuff and have not read that page yet to know the answer.
Gregg Hill
That is AWESOME NEWS. Thank you, WatchGuard!
Gregg Hill
The WSM tool does not work (inconclusive), and the web detector at https://detection.watchguard.com/Detector doesn't work. I try to upload the file "support.tgz" and it gives the error "Files must be a gzip or tar archive".
Hello Greg,
You're correct. It's just how they worded it.
Hello Perry,
You might be using an encrypted version of the support snapshot. Pull it from
FSM / Status Report / Support
or
Web UI / System Status / Diagnostics
Which CB tool are you using, Management Server?
Try WSM / Tools and connect directly to the device. If the scan errors out, check https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000SOJ2SAO&lang=en_US if you're running the latest firmware.
Back online and servicing upgrade requests.
Which part is correct? There were two questions.
The web UI is obvious, but does "remote management interfaces" include the https://watchguard-IP-address:4100 "WG-Auth" authentication page?
Or does that mean just the web UI and the "WatchGuard" WG-Firebox-Mgmt policy?
The only policy I have with Any-External is the auth page for one client. They authenticate using Duo Security for 2FA, then it opens an RDP port for them. I am going to narrow that down to remove Any-External and use IPs, but the remote users have dynamic addresses, hence why I want to use DynDNS FQDNs.
Gregg Hill
It's the wording they used. The auth page isn't a 'management interface'. No admin anything here. Management users cannot auth. against the Firebox-DB.
This part is correct.
This whole story is quite disturbing. I understand, and I quote verbatim, "Persistence on target devices is obtained by exploiting an apparently legitimate firmware update, which guarantees the execution of malicious code even following any reboots of the affected systems". Can someone explain this to me...
a thousand thanks
I tried from both and got the same problem. It is not encrypted, because I can open it and read all the text files. They are in the clear.
Yes I tried the other method "Web Detector" and it won't let me upload the file. Errors out with "Files must be a gzip or tar archive" but it is.
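A way to settle the "is it really a gzip/tar archive, or an encrypted snapshot?" question before uploading, as an added example that is not WatchGuard code and not from anyone in this thread: the script below builds two constructed files in a temporary directory, a valid gzipped tarball with two made-up text members and a blob of bytes standing in for an encrypted snapshot, then checks each the way an archive validator plausibly would: gzip magic bytes first, then whether the tar member list can be read. The member names and contents are invented for the demonstration; a real support.tgz holds the Firebox's own diagnostic files.

```python
"""Check whether a support snapshot is a readable gzip/tar archive (added example)."""
import io
import os
import tarfile
import tempfile

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream (RFC 1952)

# Constructed sample members; a real snapshot contains the Firebox's own files.
SAMPLE_MEMBERS = {
    "support/status.txt": b"Firebox status report (constructed sample)\n",
    "support/config.xml": b"<config><!-- constructed sample --></config>\n",
}


def build_sample_snapshot(directory):
    """Write support.tgz (a valid gzipped tar) and support-encrypted.tgz
    (a deterministic byte blob standing in for ciphertext). Returns both paths."""
    good = os.path.join(directory, "support.tgz")
    with tarfile.open(good, "w:gz") as tar:
        for name, data in SAMPLE_MEMBERS.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

    bad = os.path.join(directory, "support-encrypted.tgz")
    # Constructed stand-in for an encrypted snapshot: no gzip magic, no tar header.
    blob = bytes((i * 131 + 7) % 256 for i in range(4096))
    with open(bad, "wb") as fh:
        fh.write(blob)
    return good, bad


def check_snapshot(path):
    """Return a dict saying whether `path` has gzip magic, is a readable tar,
    which regular-file members it lists, and whether it looks encrypted/opaque."""
    with open(path, "rb") as fh:
        head = fh.read(len(GZIP_MAGIC))
    result = {"gzip_magic": head == GZIP_MAGIC, "readable_tar": False, "members": []}
    try:
        # "r:*" lets tarfile detect gzip, bzip2, xz or a bare tar on its own.
        with tarfile.open(path, "r:*") as tar:
            result["members"] = [m.name for m in tar.getmembers() if m.isfile()]
            result["readable_tar"] = True
    except (tarfile.TarError, OSError):
        pass  # neither a tar nor a compressed tar: leave readable_tar False
    result["looks_encrypted"] = not result["gzip_magic"] and not result["readable_tar"]
    return result


def demo():
    """Build both constructed files in a temp dir and check each one."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = build_sample_snapshot(d)
        return check_snapshot(good), check_snapshot(bad)


if __name__ == "__main__":
    for label, report in zip(("support.tgz", "support-encrypted.tgz"), demo()):
        print(label, report)
```

Run it against your own file with `check_snapshot("/path/to/support.tgz")`: a snapshot pulled from the diagnostics page should report `gzip_magic` and `readable_tar` both true and list its text files, which is exactly what Perry describes seeing; if it reports `looks_encrypted`, the detector's rejection is about the file, and if it passes here but is still rejected, the problem is elsewhere (browser, or the HTTPS/DPI inspection mentioned earlier in the thread).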
I found the problem. It doesn't work in Firefox but works in Chrome. WatchGuard should fix this issue.
I uploaded my support file just fine using Firefox yesterday
@toscanatlc
"Cyclops Blink maintains persistence throughout the legitimate device firmware update process. This is achieved by patching the firmware when it is downloaded to the device."
https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
Perfect! I get it now.
Thank you!
Gregg Hill