Tuesday, September 15, 2015

config session ( HOWTO uses )

On the Cisco ASA everybody knows configure terminal, but did you know the ASA also has a configure session option?

Almost everyone uses configure terminal in day-to-day operations, but configure session has its own benefits.


1: Here are a few of the highlights;

> it allows you to stage a configuration now and deploy it at a later time
 ( e.g. you are working on a large ACL and need to take a coffee break or go out to lunch )

> it provides a delay for reviewing any configuration before it is committed
 ( great if you have an OPS group that QAs firewall policy changes )

> the configuration is committed manually by a user
 ( by the creator or by someone else... great if you are the administrator and a senior lead commits the changes after review and approval )

> you can abort or revert any change during the configuration process
 ( e.g. you are configuring a new ACL for a specific filtering event and later need to abort the change )

> !!!!!WARNING configuration sessions do not survive a reboot/power loss and are not synced to any standby/slave units WARNING!!!!

Deploying a config session is easy. Just pick a name for the session. The name can be made of any characters, with the length of session_name limited to 32 characters;



In most MSSPs we have used the case/ticket # or change_control # as the session name, and that seems to work out great.


You can only have a maximum of 3 config sessions active at any one time, and the ASA will display a warning if you try to exceed that;


The session name can also start with !#@ but cannot contain any spaces.




IMHO the use of config sessions is a must in a SOC/MSSP arena where you have numerous changes underway.

Here's a dialog of a session named test, using the session command to create an access-list:



configure session test
     access-list KENFELIX remark BLOG
     access-list KENFELIX line 10 permit tcp host 1.1.1.1 host 1.1.1.2 eq 22



Notice how the changes are shown as un-committed when executing the show configuration session command?




At this point we can either commit or abort the changes after re-entering the session with configure session <session name>. If we decide to start a new session instead, we will be warned of the pending session.



Also, the ACL is not part of the running-config or the saved startup-config, since it was never committed.



If we abort the session, all of its changes are discarded.


Up to this point nothing has been changed on the firewall.





If we issue commit noconfirm, the changes are pushed into the running-config, and the session is completed and terminated. Note that commit only updates the running-config; follow it with write memory if the change must survive a reload.


If you find any sessions that need to be removed, use the clear configuration session command.


e.g.

show configuration session

configure session !123456789012345688901234567890 (un-committed)

clear configuration session !12345678901234568890123456$

It's advisable to review all pending config sessions before starting a new session.
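Here is the whole workflow in one place, as an added example that is not taken from the original post: open a session named after a change ticket, leave it pending for review, have the reviewer re-enter it and commit (or abort), and then clean up a stale session. The session names, the ACL name OUTSIDE_IN, the hostnames/prompts, and the exact wording of the show output are assumptions for illustration; the commands themselves (configure session, exit, show configuration session, commit noconfirm, abort, clear configuration session, write memory) are the ones discussed above.

```cisco
! Step 1: operator opens a session named after the change ticket (name is assumed)
ciscoasa# configure session CHG-2015-0915
ciscoasa(config-s)# access-list OUTSIDE_IN remark CHG-2015-0915 SSH to jump host
ciscoasa(config-s)# access-list OUTSIDE_IN line 10 permit tcp host 1.1.1.1 host 1.1.1.2 eq 22

! Step 2: leave the session WITHOUT committing; the running-config is untouched
ciscoasa(config-s)# exit
ciscoasa# show configuration session
configure session CHG-2015-0915 (un-committed)
ciscoasa# show access-list OUTSIDE_IN
! (no such ACL yet: the lines only exist inside the pending session)

! Step 3: after QA/approval, the reviewer re-enters the same session and commits
ciscoasa# configure session CHG-2015-0915
ciscoasa(config-s)# commit noconfirm
! ...or, if the change is rejected, throws the pending lines away instead:
! ciscoasa(config-s)# abort

! Step 4: commit only changed the running-config; save it so it survives a reload
ciscoasa# write memory

! Step 5: housekeeping. Sessions from old tickets still count against the limit of three,
! so check for leftovers before opening the next one and clear what is no longer wanted
ciscoasa# show configuration session
configure session CHG-2015-0901 (un-committed)
ciscoasa# clear configuration session CHG-2015-0901
```

Remember the warning above: because the pending session lives only in the memory of the unit you are logged into, a failover or reload between step 2 and step 3 loses it, so do not leave approved changes sitting un-committed for longer than the review actually needs.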



I've worked with a few SOC groups that fought over configurations; you will find that two operators configuring the same item and causing confusion can be avoided this way.

Good luck

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \
