Question: No Internet and Local Firewalls Block FTP

LoopBack

Junior Member
Mar 21, 2016
I have a scenario I've been through a few times during my career as a Network Engineer. I'm curious how others have handled this, or think of the scenario. I know there are holes in the scenario, and lots of questions, but think of worst-case issues here from your experiences.

Scenario:

Suppose you had a config file or firmware failure on a switch (or any common network equipment) that caused it to go offline. You need to obviously get it working again, but you also have no Internet connection to use FTP, SCP or similar to get updated firmware or configs from a remote office server. You also have all 3 Windows firewalls blocking all inbound traffic on your laptop, per security requirements. You have a console cable to access the switch. These are obviously managed switches like Brocade, Cisco, Dell, HP, etc. The Internet is unavailable because it's either not been setup yet, or this switch failure caused it to go down. What would you do to get the switch working again?
 

mxnerd

Diamond Member
Jul 6, 2007
Use a smartphone as a hotspot to get online?

Get the file, transfer it to a PC, then update the switch.
 

LoopBack

> Use a smartphone as a hotspot to get online?
>
> Get the file, transfer it to a PC, then update the switch.

The PC's firewalls are blocking inbound connections. So when making an FTP request to that PC from the switch to get the file, the PC would block it.
 

mxnerd

Download TeamViewer using the smartphone, transfer it to a PC. Run TeamViewer, then remote control that PC.

Disable the firewall temporarily for that PC. After the switch firmware update, turn firewall back on.
 

LoopBack

> Download TeamViewer using the smartphone, transfer it to a PC. Run TeamViewer, then remote control that PC.
>
> Disable the firewall temporarily for that PC. After the switch firmware update, turn firewall back on.

I should have explained the firewall on the PC is enabled via GPO, so the end user has no control over the firewall.
 

mxnerd

> I should have explained the firewall on the PC is enabled via GPO, so the end user has no control over the firewall.

Don't you have a local administrator account on that PC? I would reserve a local admin account for any domain.

==

BTW, you can update directly from a smartphone or you absolutely need a PC?
 

LoopBack

You know, I'm not entirely sure how the local admin account is being administered. I know if you try to change the firewall settings as a domain user it won't work. I'm not a Group Policy expert, so I'm not entirely sure how that works. I'll have to dig in further to that.

How would you update from a phone? I've not done that before. How would you connect the switch (or whatever network device) to the phone, or vice versa? I have an iPhone so my guess is that won't work. (Thanks Apple!)

Maybe I'm putting too much mystery over this. I've done this several times in the past, but I'm not sure if I was lucky or my over-preparation saved my bacon. This is why I'm asking, to find out if others have done this.

I simply used the console cable to connect to the switch. I generally reboot first to see if that will fix it; it probably won't, but you'll see the messages and errors on boot explaining what the problem is. Often if the config file or firmware is corrupted you'll be able to boot into a secondary flash on a switch, which hopefully has uncorrupted configs and firmware. Even if the firmware and configs are dated it should allow the switch to boot up and allow you to reconfigure to connect to the network, and get that switch access to the remote file server for a firmware/config update.

If my luck has really been poor and both the primary and secondary flash files are bad, or the secondary flash files were never loaded then I boot into rommon and do a factory reset. This will restore the factory firmware and wipe the config. Again this should allow me to configure the switch to the point where I can get it on the network. If a factory reset doesn't work then the switch likely needs to be RMA'd anyway. Firewalls, especially the more popular next-gen firewalls, generally have a safe mode to boot into with options to reset or configure enough to get online.

In this scenario, for me anyway, using the PC as a file server or making those inbound connections was never necessary. So having the 3 firewalls blocking all inbound traffic wasn't an issue.

I guess I should ask now, is there a scenario where blocking inbound traffic to your local PC would prohibit a Network Admin/Engineer from rebuilding a broken network? Load balancers? Firewalls? Switches? Routers? Wireless Controllers and APs?
 

mxnerd

I'm more of a software network guy, not a hardware switch guy although I did take some basic CCNA classes in the past.

Besides the console access, doesn't the switch have TELNET/SSH access? Can't the smartphone connect to a Wi-Fi access point in the environment so it can access the switch through TELNET/SSH apps? So when the switch can't be accessed remotely, does that mean it can only be accessed through the serial console?

Regarding Windows firewall, if you are a local admin, you can do whatever you want on that PC.
 

ch33zw1z

Lifer
Nov 4, 2004
Boot the PC to a Linux live CD and run your TFTP server from there.

Connect via console to manage switch.

These both assume you have local access to the switch.

Endless scenarios.
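The live-CD TFTP approach above, combined with the earlier suggestion of pulling the image down over a phone hotspot, is shown here as an added example; it is not code from any of the posters. The one thing worth adding to the thread's procedure is an integrity check: an image fetched over an ad-hoc hotspot should be compared against the SHA-256 digest published on the vendor's download page before it is ever offered to the switch. The image file name, digest, interface name and addresses below are placeholders (assumptions, not values from the thread), the script assumes Linux coreutils and dnsmasq are present on the live CD, and the serving step needs root.

```shell
#!/bin/sh
# Added example, not from the thread: stage a switch firmware image for TFTP
# from a Linux live CD, verify its SHA-256 against the vendor-published digest
# first, then serve it with a TFTP-only dnsmasq bound to the cabled interface.
# All names, addresses and digests used when running it are placeholders.
set -eu

TFTP_ROOT="${TFTP_ROOT:-/tmp/tftproot}"

# Verify that a downloaded image matches the digest copied from the vendor's
# download page. Returns 0 on match, 1 on a missing file or a mismatch.
verify_image() {
    image="$1"
    expected="$2"
    [ -f "$image" ] || { echo "missing: $image" >&2; return 1; }
    actual=$(sha256sum "$image" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $image" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# Copy a verified image into an otherwise empty TFTP root as a read-only file
# and print the file name the switch should request. Refuses unverified images.
stage_image() {
    image="$1"
    expected="$2"
    verify_image "$image" "$expected" || return 1
    mkdir -p "$TFTP_ROOT"
    chmod 755 "$TFTP_ROOT"
    cp -f "$image" "$TFTP_ROOT/"
    chmod 444 "$TFTP_ROOT/$(basename "$image")"
    basename "$image"
}

# Start dnsmasq as a TFTP server only (--port=0 disables its DNS side), bound
# solely to the laptop's cabled interface and address so nothing is offered on
# Wi-Fi or the phone hotspot. Run as root; stop with Ctrl-C once the switch has
# pulled the image.
serve_tftp() {
    iface="$1"
    addr="$2"
    exec dnsmasq --no-daemon --port=0 --enable-tftp \
        --tftp-root="$TFTP_ROOT" \
        --interface="$iface" --bind-interfaces --listen-address="$addr"
}

# Direct use (all four arguments are placeholders):
#   sudo ./stage_tftp.sh switch-image.bin <sha256 from vendor page> eth0 192.0.2.10
if [ $# -eq 4 ]; then
    name=$(stage_image "$1" "$2")
    echo "serving $name from $TFTP_ROOT on $3 ($4)"
    echo "on the switch console, fetch tftp://$4/$name into flash"
    serve_tftp "$3" "$4"
fi
```

The digest must come from the vendor's page (fetched over the hotspot), not from a hash file sitting next to the image on whatever mirror supplied it; otherwise the check only proves the download was not truncated. Binding dnsmasq to the single cabled interface keeps the laptop from acting as an open TFTP server on the hotspot side while the switch is being rebuilt.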