Got an Ivanti Connect Secure SSL VPN? What's your plan?

So I’ve rebuilt several this week and I thought I was done; then another CVE dropped, though this latest one says it doesn’t need a factory reset, it “just” needs the patched firmware.

I’m beyond pissed at the state of Ivanti right now, but these boxes are super granular in what they can do, so I’m kind of torn, and of course some of it is the customer’s choice whether they wish to pay the cost to migrate away from Ivanti.

But to what?

So if you need the feature set, and with no guarantees of no issues with any product, what are you doing?

We dumped it last year for Tailscale.

It’s a story as old as time: once one major vuln is found, the next one is found shortly after, as now everyone is looking closely.

We’re watching for further 0-day threats and have accelerated the migration to a different product.

I can’t see these devices surviving much longer; who would purchase them now? With no new customers they will go EOL. They’ve not put much effort into them for years.

It’s a shame as they’ve been reliable up to recently.

Whatever product you’re moving to, expect a zero day with that one over the next few years too.

My teammates had a hell of a week. First rebuilding all boxes and then patching again a day later. There were already talks of going to another product even before this disaster, as some devices go EOL this year. Now efforts have accelerated 10x. Daily calls, figuring out the feature set, which products to POC, getting all teams on board. So far it seems Palo Alto is the favorite pick. Netskope is used for proxy here and it seems they also provide ZTNA, so they are also on the list. And the usual suspects such as Zscaler. I heard a comment from one IT Director that Ivanti will now be more focused on securing their product than adding new features and he doesn’t want to continue with them. They are already lagging on providing some highly required features anyway.

Interested in this as well

Have factory reset 6 so far and had to deploy a new one in Azure (because you cannot factory reset a PSA VM). Their support has become very slow as well. Cannot wait to drop this nonsense product.

I have zero faith in Ivanti now. Too many vulnerabilities and their tech support is practically useless. Here’s an example. They told me to block unnecessary connections being made from the IP addresses of the appliances, and I asked for clarification.

QUESTION: From the INTERNAL IP addresses of the ISA6000 appliances, I know that I need to allow connections to my SYSLOG server, NTP server, SNMP TRAP server, and FTP server. Will I interfere with the functions of the ISA6000, if I block all other connections initiated from the ISA6000 INTERNAL IP addresses?

IVANTI ANSWER: “It’s crucial to ensure that blocking these connections aligns with the intended network security policies and doesn’t disrupt necessary operations or communication within your network infrastructure.”
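The practical version of the question above is an egress allowlist for the appliance’s internal IP, plus watching the firewall’s deny log for anything else the appliance tries to reach. The script below is an added example (not from the thread or from Ivanti) that checks constructed firewall log lines against such an allowlist; the addresses and the log format are assumptions, the ports are the well-known defaults for syslog, NTP, SNMP trap and FTP control.

```python
import re
from collections import Counter

# Constructed addresses for this example; substitute your own.
APPLIANCE_IPS = {"10.0.5.10", "10.0.5.11"}  # ISA6000 internal interfaces

# (destination, protocol, port) the appliance is expected to reach.
# FTP listed here is only the control channel on tcp/21: passive-mode data
# connections go to an ephemeral port on the server and need either a
# stateful FTP helper or the server's passive port range added explicitly.
ALLOWED = {
    ("10.0.1.20", "udp", 514),  # syslog
    ("10.0.1.21", "udp", 123),  # NTP
    ("10.0.1.22", "udp", 162),  # SNMP trap receiver
    ("10.0.1.23", "tcp", 21),   # FTP control channel
}

# Assumed log layout: key=value pairs as many firewalls emit them.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if this flow is one the allowlist expects from an appliance."""
    return src in APPLIANCE_IPS and (dst, proto.lower(), dport) in ALLOWED


def unexpected_egress(lines):
    """Count appliance-sourced flows that fall outside the allowlist.

    Returns a Counter keyed by (dst, proto, dport). Anything here is either a
    gap in the allowlist (e.g. a DNS or update server you forgot) or a reason
    to look at the appliance more closely.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if src in APPLIANCE_IPS and not is_allowed(src, dst, proto, dport):
            hits[(dst, proto.lower(), dport)] += 1
    return hits


# Constructed sample: three expected flows, two that are not on the list.
SAMPLE_LOG = [
    "action=allow src=10.0.5.10 dst=10.0.1.20 proto=UDP dport=514",
    "action=allow src=10.0.5.10 dst=10.0.1.21 proto=UDP dport=123",
    "action=deny src=10.0.5.11 dst=203.0.113.7 proto=TCP dport=443",
    "action=deny src=10.0.5.11 dst=203.0.113.7 proto=TCP dport=443",
    "action=allow src=10.0.5.11 dst=10.0.1.23 proto=TCP dport=21",
    "action=deny src=192.168.9.9 dst=203.0.113.7 proto=TCP dport=443",  # not an appliance
]
```

Run `unexpected_egress(SAMPLE_LOG)` to see the non-allowlisted destinations grouped with hit counts; only flows sourced from the appliance IPs are reported.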

I’m looking at replacements for Connect Secure.

Build a FortiGate in Azure, quick fix. Fortinet are ok… aren’t they?

Edit: To be clear, on posting this I was already aware of their recent CVE

If you’re ready to move on, then Cloudbrink is worth a look (my company). Cloudbrink founders came from Ivanti (Pulse Secure) and saw a better way for remote access solution. We’ve taken on several ex-Ivanti clients this year for similar reasons. Improved security and performance and manageability (and price)! All the good things 🙂

We’re migrating away at an accelerated rate

For reference as well

At this point SonicWall looks ok. Support sucks and it’s crap but it’s super cheap.

Didn’t even know it was this long, but I was using one of these for 10 years, going back from a Juniper MAG physical appliance to an Ivanti PSA-V. I only used it for client and some minor clientless VPN and absolutely loved the granularity, the installer service that lets end users accept upgrades pushed from the box, the stability of VPN connections… no one else did everything it can do.

I was already looking at replacements in general because my PSA-V was EoL, would soon be EoS, and they wanted me to 100% re-purchase my entire investment into the new ICS VM at absolutely bonkers pricing.

No final decisions were ever made because that company ended up winding down operations, and the little bit remaining are using the Windows native client to a FortiGate firewall. But I was likely going to end up with ASAv to strictly use AnyConnect, or a PAN VM to strictly use GlobalProtect. Those are the 2 best traditional options on the market, and are very similar in everything they can do.

Obviously I was looking into ZTNA, but nothing seemed like the right fit yet when you factored in that we had a lot of on-prem monolithic services, the cost vs. the traditional options mentioned above was quite a bit higher, and there were various oddities/tradeoffs with every solution to date.

We replaced it with Teleport CE, and ActiveSync is now routed through our MDM.

I would advise working two ways.

1. Perform the factory reset as per documentation. Make sure you have all the images available so that you can do the upgrades once the devices are disconnected from the External port. Else you will run into an issue where you cannot perform upgrades because the factory reset image is too old and the newer image is too big a step. Give Ivanti a call to ensure they have released them for you.

   - https://services.google.com/fh/files/misc/ivanti-connect-secure-remediation-hardening.pdf

   - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

2. Next to this, buy an alternative VPN solution. Get a price and buy it…

We dropped Checkpoint for Cloudflare ZTNA along the same lines.

That’s my plan. At least as a trial for

Agreed. They got us through the pandemic and lockdown