TCP Profiles on NetScaler

TCP configurations for a NetScaler appliance can be specified in an entity called a TCP profile, which is a collection of TCP settings. The TCP profile can then be associated with services or virtual servers that want to use these TCP configurations.

Built-in TCP Profiles

For convenience of configuration, the NetScaler provides some built-in TCP profiles. For a list of built-in profiles, refer to Citrix Documentation – Built-in TCP Profiles.

For a list of options that are available for a TCP profile, refer to Citrix Documentation – ns tcpProfile.

Note: These values can have serious impacts on network performance. Use these values carefully when adjusting them manually in existing profiles, or when creating new profiles.

To specify service or virtual server level TCP configurations

Command line interface

  1. Configure the TCP profile:

    set ns tcpProfile <profile-name>

  2. Bind the TCP profile to the service or virtual server.

    To bind the TCP profile to the service:

    set service <name> -tcpProfileName <profile-name>

    For example:

    > set service service1 -tcpProfileName profile1

Configuration utility

  1. Configure the TCP profile.

    Navigate to System > Profiles > TCP Profiles, and create the TCP profile.

  2. Bind the TCP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, select the service or virtual server, and bind the TCP profile to it.

Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass Vulnerability

A vulnerability in the Local Packet Transport Services (LPTS) programming of SNMP with the management plane protection feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to connect to the SNMP server of an affected device despite management plane protection that is configured to deny that access.

This vulnerability is due to incorrect LPTS programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by connecting to an affected device using SNMP. A successful exploit could allow the attacker to connect to the device on the configured SNMP ports. Valid credentials are required to execute any of the SNMP requests.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-7MKrW7Nq

Security Impact Rating: Medium

CVE: CVE-2021-1243

SolarWinds Orion Platform Supply Chain Attack

Due to the recent announcement by SolarWinds regarding compromises in their supply chain, SolarWinds has released a security advisory providing guidance on assessing and remediating this issue: https://www.solarwinds.com/securityadvisory

Cisco recommends that customers assess if they have used an affected version of SolarWinds Orion Platform and, if so, take the following actions:

  1. Follow the guidance provided in the SolarWinds Security Advisory.
  2. Determine the need to change credentials on all devices being managed by the affected SolarWinds platform software. This includes:
    • User credentials
    • Simple Network Management Protocol (SNMP) version 2c community strings
    • SNMP version 3 user credentials
    • Internet Key Exchange (IKE) preshared keys
    • Shared secrets for TACACS, TACACS+, and RADIUS
    • Secrets for Border Gateway Protocol (BGP), OSPF, Enhanced Interior Gateway Routing Protocol (EIGRP), or other routing protocols
    • Exportable RSA keys and certificates for Secure Shell (SSH) or other protocols
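
The checklist above names the credential classes that a compromised management platform could have read. The following script is an added example, not Cisco's or SolarWinds' code: it inventories those classes on a managed device by scanning a running-config, so that every item can be rotated and the rotation tracked. The sample configuration, the placeholder hashes and the regex rules are all constructed for this example and cover common Cisco IOS command syntax; other platforms need their own patterns, and exportable RSA keys do not appear in a running-config, so they are out of scope here.

```python
"""Inventory the credential-bearing lines of a Cisco IOS-style running-config.

Added example (not Cisco's or SolarWinds' code). The patterns cover common IOS
syntax and are meant to be extended per platform. Exportable RSA keys are not
visible in a running-config and are not covered.
"""
import re
from collections import defaultdict

# Constructed sample running-config: no real device, hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$PLACEHOLDERHASH
username netadmin privilege 15 secret 5 $1$efgh$PLACEHOLDERHASH
snmp-server community public RO
snmp-server community s3cr3t-rw RW 10
snmp-server user noc-v3 NOC-GROUP v3 auth sha AuthPass priv aes 128 PrivPass
crypto isakmp key vpnpsk address 203.0.113.10
tacacs server ise-1
 address ipv4 192.0.2.20
 key 7 0822455D0A16
radius server wlc-radius
 address ipv4 192.0.2.30 auth-port 1812 acct-port 1813
 key RadiusSecret
key chain EIGRP-KEYS
 key 1
  key-string EigrpSecret
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 OspfSecret
 ip authentication key-chain eigrp 100 EIGRP-KEYS
router bgp 65001
 neighbor 198.51.100.1 password BgpSecret
"""

# (category, enclosing top-level command prefix or None for top-level lines,
#  regex, description template filled from the regex groups)
RULES = [
    ("User credentials", None, r"^enable\s+(?:secret|password)\b", "enable secret"),
    ("User credentials", None, r"^username\s+(\S+)\s.*\b(?:secret|password)\b", "local user {0}"),
    ("SNMP v2c community strings", None, r"^snmp-server\s+community\s+(\S+)", "community '{0}'"),
    ("SNMP v3 user credentials", None, r"^snmp-server\s+user\s+(\S+)\s+(\S+)\s+v3\b", "user {0} (group {1})"),
    ("IKE preshared keys", None, r"^crypto\s+isakmp\s+key\s+\S+\s+address\s+(\S+)", "peer {0}"),
    ("TACACS+/RADIUS shared secrets", None, r"^(?:tacacs|radius)-server\s+key\s", "global AAA key"),
    ("TACACS+/RADIUS shared secrets", "tacacs server", r"^\s+key\s+\S", "TACACS+ server block"),
    ("TACACS+/RADIUS shared secrets", "radius server", r"^\s+key\s+\S", "RADIUS server block"),
    ("Routing protocol secrets", "router bgp", r"^\s+neighbor\s+(\S+)\s+password\b", "BGP neighbor {0}"),
    ("Routing protocol secrets", "interface", r"^\s+ip\s+ospf\s+message-digest-key\s+(\d+)\s+md5\b", "OSPF MD5 key id {0}"),
    ("Routing protocol secrets", "key chain", r"^\s+key-string\s+\S", "key-chain key-string"),
]


def inventory_secrets(config_text):
    """Return {category: [finding, ...]} for every credential-bearing line.

    A finding records the line number, the enclosing block for indented lines
    and a short description. The secret value itself is deliberately not
    copied into the report, so the report can be handed to the rotation team
    without re-exposing the credentials.
    """
    findings = defaultdict(list)
    block = ""  # most recent unindented (top-level) command
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.startswith("!"):
            continue
        indented = line[0].isspace()
        if not indented:
            block = line.strip()
        for category, block_prefix, pattern, desc in RULES:
            if (block_prefix is None) == indented:
                continue  # top-level rules apply to top-level lines only, and vice versa
            if block_prefix is not None and not block.startswith(block_prefix):
                continue
            m = re.match(pattern, line)
            if m:
                findings[category].append({"line": lineno,
                                           "block": block if indented else None,
                                           "what": desc.format(*m.groups())})
                break
    return dict(findings)


def rotation_summary(config_text):
    """Count findings per category, reporting zero for categories with no hits."""
    inv = inventory_secrets(config_text)
    return {cat: len(inv.get(cat, [])) for cat, _, _, _ in RULES}


if __name__ == "__main__":
    for category, items in inventory_secrets(SAMPLE_CONFIG).items():
        print(category)
        for f in items:
            where = f" (in '{f['block']}')" if f["block"] else ""
            print(f"  line {f['line']}: {f['what']}{where}")
```

Run against a backup of each device's running-config; the per-category counts from `rotation_summary` give a simple way to track which devices still have unrotated items after the change window.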

While there are no vulnerabilities in Cisco products related to this issue, if a customer was using an affected version of SolarWinds Orion Platform and would like to investigate potential impact to Cisco devices, Cisco has published a number of documents that can help the investigation. Please consult https://tools.cisco.com/security/center/resources/ir_escalation_guidance.

Cisco TALOS has also published guidance regarding this issue that can be viewed here: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html

Customers that need assistance with Incident Response activities can contact Cisco TALOS here: https://talosintelligence.com/incident_response

Cisco will update this advisory as needed, if additional information becomes available.

Security Impact Rating: Informational

Error: “A problem occurred while creating the license file” on NetScaler

When using a NetScaler VPX appliance, you must allocate the license to the MAC address of the appliance. For more information about NetScaler VPX licensing, refer to CTX122426 – Citrix NetScaler VPX and CloudBridge VPX Licensing Guide.

To allocate the NetScaler VPX licenses using My Account, complete the following procedure:

  1. Log on to My Account.

  2. Select the Activate and Allocate Licenses under the Licensing section.

  3. Select Allocate.

  4. Select the desired NetScaler license and follow the onscreen prompts.

  5. When prompted to enter the Host ID value to allocate the license, enter the MAC address of the appliance in lower case without any dashes or colons.

  6. The MAC address allows you to activate and allocate the license successfully.

Refer to CTX133147 – How to Allocate NetScaler VPX Licenses to get the MAC address of the NetScaler VPX appliance.

If you need to allocate the NetScaler VPX license code manually, refer to CTX131387 – How to Manually Allocate a License on the Citrix Portal.

If this process was done improperly and you have already allocated your licenses, please refer to CTX285157.

Cisco Firepower Threat Defense Software SNMP Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to restart unexpectedly.

The vulnerability is due to a lack of sufficient memory management protections under heavy SNMP polling loads. An attacker could exploit this vulnerability by sending a high rate of SNMP requests to the SNMP daemon through the management interface on an affected device. A successful exploit could allow the attacker to cause the SNMP daemon process to consume a large amount of system memory over time, which could then lead to an unexpected device restart, causing a denial of service (DoS) condition.
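One defensive counterpart to the condition described above, as an added example that is not Cisco's code: a sliding-window check that records the peak per-source SNMP request rate seen against a device and alerts when a source goes far beyond the rate a legitimate poller produces. The traffic records, the hosts, the window size and the threshold are all constructed assumptions; in practice the same function would be fed NetFlow, a capture on the management interface or the firewall's own connection logs.

```python
"""Flag SNMP sources whose request rate exceeds a per-window threshold.

Added example, not Cisco's code. Records are (timestamp, src, dst, dport)
tuples constructed below; a real deployment would build them from NetFlow,
a management-interface capture or connection logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SNMP_PORT = 161  # agent port; 162 (traps) is deliberately not counted


def make_sample_records():
    """Constructed sample traffic: one well-behaved poller, one flooding source, SSH noise."""
    base = datetime(2020, 10, 21, 10, 0, 0)
    records = []
    # Legitimate NMS: one request every 10 s for five minutes.
    for i in range(30):
        records.append((base + timedelta(seconds=10 * i), "192.0.2.10", "10.0.0.1", SNMP_PORT))
    # Misbehaving source: 200 requests within two seconds, starting at 10:02.
    for i in range(200):
        records.append((base + timedelta(seconds=120, milliseconds=10 * i), "203.0.113.5", "10.0.0.1", SNMP_PORT))
    # Unrelated SSH traffic from the NMS that must not be counted.
    for i in range(5):
        records.append((base + timedelta(seconds=i), "192.0.2.10", "10.0.0.1", 22))
    return records


def detect_snmp_bursts(records, window_seconds=10, threshold=50):
    """Sliding-window rate check per source.

    Returns (peak, alerts): peak maps each SNMP source to the largest number of
    requests it sent inside any window of window_seconds; alerts holds one
    (src, window_start, count) tuple per source, emitted the first time that
    source crosses threshold. Records are sorted by timestamp first, so they
    may arrive out of order.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    alerts, alerted = [], set()
    for ts, src, _dst, dport in sorted(records, key=lambda r: r[0]):
        if dport != SNMP_PORT:
            continue
        q = windows[src]
        q.append(ts)
        # Drop timestamps that fell out of the window ending at ts.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[src] = max(peak[src], len(q))
        if len(q) > threshold and src not in alerted:
            alerts.append((src, q[0], len(q)))
            alerted.add(src)
    return dict(peak), alerts


if __name__ == "__main__":
    peak, alerts = detect_snmp_bursts(make_sample_records())
    for src, count in sorted(peak.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} peak {count} requests / 10 s")
    for src, start, count in alerts:
        print(f"ALERT {src} crossed threshold at {start.isoformat()} ({count} in window)")
```

The peak table is as useful as the alert: it shows what each sanctioned poller actually generates, which is the number to baseline before choosing a threshold or an access list for the management interface.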

This vulnerability affects all versions of SNMP.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snmp-dos-R8ENPbOs

This advisory is part of the October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 17 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2020-3533

Configure “-denySSLReneg” Parameter to Disable Client Side and Server Side SSL Renegotiation on ADC

Run the following command from the NetScaler command line interface to use -denySSLReneg parameter:

set ssl parameter -denySSLReneg <option>

The <option> parameter in the preceding command can take any one of the following values:

Note: Default value is set to “ALL”.

  • NO: Full SSL renegotiation is allowed.
  • FRONTEND_CLIENT: Deny secure and non-secure SSL renegotiation initiated by the client.
  • FRONTEND_CLIENTSERVER: Deny secure and non-secure SSL renegotiation initiated by the client and by the NetScaler appliance during policy-based clientAuth.
  • ALL: Deny secure and non-secure SSL renegotiation for the preceding two cases and for server initiated renegotiation.
  • NONSECURE: Deny non-secure SSL renegotiation to address the vulnerability described in RFC 5746.

Note: The NONSECURE option is supported only on NetScaler software release 9.3.e, 10.x and later.

To configure SSL parameters from NetScaler Graphical User Interface, complete the following steps:

  1. Navigate to Traffic Management > SSL > Settings, click Change advanced SSL settings, and select the appropriate setting from the Deny SSL Renegotiation drop-down.


Points to Note

  • Currently, the MPX-FIPS platform supports only the following options: NO, FRONTEND_CLIENT, FRONTEND_CLIENTSERVER, and ALL.
  • SSL renegotiation is disabled by default in NetScaler 10.5 unless the setting is manually changed before an upgrade.
