[c-nsp] Pix FOS

Afsheen Bigdeli afsheenb at gravityplaysfavorites.net
Tue Jan 2 17:39:39 EST 2007


...according to the Bug Toolkit, maybe, but I can verify the behavior 
still exists in 7.2(1) - I found out the hard way last week.

More to the point, there are quite a few bugs related to inspection in 
general and inspect http in particular for the 7.x branch at the moment 
- and as it's enabled by default, it's worth thinking twice to see if 
you need it or if it can be turned off.

--afsheenb

Joseph Jackson wrote:
> That bug you've listed was resolved in 7.0(5)
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Afsheen Bigdeli
> Sent: Tuesday, January 02, 2007 2:16 PM
> To: Voll, Scott
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Pix FOS
> 
> I've successfully upgraded from 6.3 to 7.2, for three different sets of
> firewalls, over the past 6 months. Yes, you can upgrade straight to 7.2.
> 
> Firstly, you'll want this link handy:
> 
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
> 
> Secondly, as is mentioned in that document, the jump to 7.x from 6.x is
> a big one. Your config will look _very_ different. Be aware specifically
> of the changes to how interfaces (both physical and logical) are
> represented, the implication of changes to the fixup command (i.e. where
> did fixup go, and what does inspect mean, and what traffic should you be
> inspecting?), and what commands have been deprecated by the 7.x train.
> 
> As for recommendations, overall, yes, I'd recommend it. Admittedly,
> there are one or two interesting bugs - inspect http, for example, will
> take out even the PIX 535s with memory utilization problems if you're
> pushing more than a modest amount of http traffic through the firewall.
> (This is covered in CSCsd72617, I believe.) There are also plenty of
> things that make more sense aesthetically - at least to me - if you're
> already used to IOS syntax. That, combined with one or two necessary 7.x
> only commands (e.g. same-security-traffic permit intra-interface) made
> the jump well worth it.
> 
> --afsheenb
> 
> 
> Voll, Scott wrote:
>  > I'm currently running Pix FOS 6.3 but need to upgrade to at least 7.1.
>  > I also see that 7.2 is out.
>  >
>  > Two Questions:
>  >
>  > I know I need to upgrade from 6.3 to 7.0 in order to upgrade to 7.1.....
>  > What do I need to do to upgrade to 7.2?  Can I skip 7.1?
>  >
>  > Is anyone using 7.2?  If so, would you recommend it?
>  >
>  > Thanks
>  >
>  > Scott
>  >
>  > _______________________________________________
>  > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>  > https://puck.nether.net/mailman/listinfo/cisco-nsp
>  > archive at http://puck.nether.net/pipermail/cisco-nsp/
>  >
> 


