
Active Response is unable to block an IP address

Updated April 17, 2017

Overview

LEM can trigger a rule that opens an SSH session to the firewall and blocks an IP address there.
The SSH session uses the Triple Data Encryption Standard (3DES) cipher to authenticate to the firewall and then block the IP address.
The LEM Active Response tool fails to authenticate to the firewall when the firewall vendor changes the default encryption level so that 3DES is no longer offered.


Environment

LEM 6.3.1 and earlier


Cause

The issue occurs when the firewall vendor changes the default encryption level so that 3DES is no longer accepted for the SSH session LEM uses to block the IP address.

Pre-requisites

  • Latest LEM version
  • Latest LEM connectors
  • Current hotfix

Resolution

  1. Increase the logging level for the SSH Active Response so that its session to the firewall is logged in detail.
    1. Establish root access to LEM.
    2. Create /usr/local/contego/run/debug.conf and enter the following lines:

      com.trigeo.puma.toolactions.tool.SSHTool=12
      com.trigeo.core.tools.toolcontroller.toolwrap.ToolWrapControllerImpl=12
      com.trigeo.core.tools.toolcontroller.channel.ChannelImpl=12
      com.trigeo.core.tools.toolcontroller.session.SessionImpl=12
      com.trigeo.core.tools.toolcontroller.operation.ControllerOperation=12

      Also include the line for the firewall type in use (any of the following):

      com.trigeo.puma.toolactions.session.CiscoIOSSession=10
      com.trigeo.puma.toolactions.session.CiscoPIXSession=10
      com.trigeo.puma.toolactions.session.FortigateSession=10
      com.trigeo.puma.toolactions.session.NetscreenSession=10
      com.trigeo.puma.toolactions.session.SonicWallNonWebSession=10
      com.trigeo.puma.toolactions.session.TippingPointSession=10
      com.trigeo.puma.toolactions.session.TopLayerSession=10
      com.trigeo.puma.toolactions.session.WatchGuardFireBoxSession=10
      com.trigeo.puma.toolactions.session.WatchGuardVClassSession=10
    3. Stop the Manager service: /etc/init.d/lem-manager stop
    4. Edit /usr/local/contego/run/manager.conf and add the following line: OutputLevelFile=debug.conf
    5. Start the Manager service: /etc/init.d/lem-manager start
  2. Trigger the Active Response so that LEM blocks, or attempts to block, an IP address on the firewall.
  3. Collect the debug output and send it to our developers so that the cipher function in the Active Response can be updated.
  4. Stop the Manager service, remove the line added to manager.conf, and restart the Manager service.

    Note: Optionally, you can also remove debug.conf.

  5. Advise the customer that we are working on this issue.


It is possible to change the Cisco configuration so that the default cipher set includes 3DES again:

Always refer to Cisco documentation for precise configurations.
The settings below are temporary and should be reverted once the LEM Active Response connectors are updated.

  1. Log in to the Cisco firewall.
  2. Enter the following commands:

    asa# en

    asa# config t

    asa# show ssh ciphers

    Shows all possible ciphers.

    asa# show ssh | inc Cipher

    Shows the enabled cipher functions. Look for 3des-cbc followed by AES and the others. If 3des-cbc is missing, the medium level default was configured, not the low level.

    asa# ssh cipher enc low

    Changes the firewall to the low cipher set, which enables 3DES.

    asa# write mem

    Saves the configuration change (or use your own command to write the running configuration to startup).
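The failure this article describes is an SSH cipher-negotiation mismatch: the LEM client offers 3DES and a firewall at the medium cipher level no longer lists it. The following Python script is an added example, not LEM or Cisco code; it builds and parses SSH_MSG_KEXINIT payloads (RFC 4253) with constructed cipher lists and applies the negotiation rule to show which cipher each direction would settle on at the medium and low levels. The cipher lists, and the assumption that the LEM client offers only 3des-cbc, are constructed for the example.

```python
import struct

SSH_MSG_KEXINIT = 20
ENC_C2S, ENC_S2C = 2, 3  # positions of the two encryption name-lists in KEXINIT

def build_kexinit(name_lists):
    """Build a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) from ten
    name-lists. Constructed for this example: zeroed cookie, no padding or MAC."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie
    for names in name_lists:
        blob = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(blob)) + blob  # uint32 length + name-list
    return body + b"\x00" + b"\x00" * 4  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as lists of strings."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []  # skip message id and cookie
    for _ in range(10):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        names = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists.append(names.split(",") if names else [])
        pos += 4 + n
    return lists

def negotiate(client_names, server_names):
    """RFC 4253 rule: the first algorithm in the client's list that the server also lists."""
    return next((a for a in client_names if a in server_names), None)

def diagnose(client_kexinit, server_kexinit):
    """Report the cipher each direction would settle on, or None where the two
    lists do not intersect (the failure mode described in this article)."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    return {"c2s": negotiate(c[ENC_C2S], s[ENC_C2S]),
            "s2c": negotiate(c[ENC_S2C], s[ENC_S2C])}

# Constructed sample lists: a client that offers only 3DES (the assumption made here
# about the LEM tool) and an ASA-style server at "medium" (no 3des-cbc) versus "low".
AES_ONLY = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
def sample_kexinit(enc):
    return build_kexinit([["diffie-hellman-group14-sha1"], ["ssh-rsa"], enc, enc,
                          ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []])
LEM_CLIENT = sample_kexinit(["3des-cbc"])
ASA_MEDIUM = sample_kexinit(AES_ONLY)
ASA_LOW = sample_kexinit(["3des-cbc"] + AES_ONLY)

if __name__ == "__main__":
    print("medium:", diagnose(LEM_CLIENT, ASA_MEDIUM))  # {'c2s': None, 's2c': None}
    print("low:   ", diagnose(LEM_CLIENT, ASA_LOW))     # both directions 3des-cbc
```

Running the diagnosis against a capture of the real exchange tells you whether the firewall's cipher level, rather than credentials, is what stops the Active Response session.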


Last modified
17:03, 23 Apr 2017

Classifications

Internal Use Only