The Integrity Tool allows an administrator to verify the PCS image installed on virtual or hardware appliances. This tool checks the integrity of the complete file system and finds any additional or modified file(s).
Note: The Integrity Tool can be used only to check the integrity of the running version of Pulse Connect Secure.
|Pulse Connect Secure Integrity Tool||Download (Download Center at https://my.pulsesecure.net)||MD5: 33bba986ebef422540dc392af409ab6c, SHA1: e4f5a04effeca5d228f448271ffe4990a574bc74|
The Integrity Tool is currently supported on the following PCS versions:
|Pulse Connect Secure Version / Build Number||Note (If Any)|
|Pulse Connect Secure-9.1R11.5 (Build 13127)|| |
|Pulse Connect Secure-9.1R11.4 (Build 12319)|| |
|Pulse Connect Secure-9.1R11.3 (Build 12173)|| |
|Pulse Connect Secure 9.1R11.1 (Build 11915)|| |
|Pulse Connect Secure 9.1R11 (Build 11161)|| |
|Pulse Connect Secure-9.1R10.2 (Build 12179)|| |
|Pulse Connect Secure 9.1R10 (Build 10119)|| |
|Pulse Connect Secure-9.1R9.2 (Build 12181)|| |
|Pulse Connect Secure-9.1R9.1 (Build 9701)|| |
|Pulse Connect Secure 9.1R9 (Build 9189)|| |
|Pulse Connect Secure 9.1R8.4 (Build 12177)|| |
|Pulse Connect Secure-9.1R8.2 (Build 8511)|| |
|Pulse Connect Secure-9.1R8.1 (Build 7851)|| |
|Pulse Connect Secure-9.1R8 (Build 7453)|| |
|Pulse Connect Secure-9.1R7 (Build 6567)|| |
|Pulse Connect Secure 9.1R6 (build 5801)|| |
|Pulse Connect Secure 9.1R5 (build 5459)|| |
|Pulse Connect Secure 9.1R4.3 (build 5185)|| |
|Pulse Connect Secure 9.1R4.2 (build 5035)|| |
|Pulse Connect Secure 9.1R4.1 (build 4967)|| |
|Pulse Connect Secure 9.1R4 (build 4763)|| |
|Pulse Connect Secure 9.1R3 (build 3535)|| |
|Pulse Connect Secure 9.1R2 (build 2331)|| |
|Pulse Connect Secure 9.1R1 (Build 1505)|| |
|Pulse Connect Secure-8.3R7.1 (Build 65025)|| |
Integrity Checker Tool Historical Version Matrix
|Release Date||Title||Supported Versions|
|March 26th 2021||package-integrity-checker-11951.1||8.3R7.1 (build 65025), 9.1R7 (build 6567), 9.1R8 (build 7453), 9.1R8.1 (build 7851), 9.1R8.2 (build 8511), 9.1R9 (build 9189), 9.1R9.1 (build 9701), 9.1R10 (build 10119), 9.1R11 (build 11161), 9.1R11.1 (build 11915)|
|April 15th 2021||package-integrity-checker-12209.1||9.1R8.4 (build 12177), 9.1R9.2 (build 12181), 9.1R10.2 (build 12179), 9.1R11.3 (build 12173)|
|April 18th 2021||package-integrity-checker-12255.1||9.1R1 (build 1505), 9.1R2 (build 2331), 9.1R3 (build 3535), 9.1R4 (build 4763), 9.1R4.1 (build 4967), 9.1R4.2 (build 5035), 9.1R4.3 (build 5185), 9.1R5 (build 5459), 9.1R6 (build 5801)|
|April 19th 2021||package-integrity-checker-12289.1||9.1R11.3:HF1 (build 12235)|
|May 3rd 2021||package-integrity-checker-12363.1||9.1R9.1HF1 (build 10625), 9.1R11.1HF1 (build 12049), 9.1R11.4 (build 12319)|
|June 11th 2021||package-integrity-checker-13145.1||9.1R11.5 (build 13127)|
Version 9.1R11.5 released on 11 June will be the final version supported by the standalone ICT.
1) Can I still use the current release of the ICT?
Yes, the current release of the ICT has proven to be highly effective in discovering malicious activity on the gateway.
2) Has the ICT been circumvented by anyone?
To date, we have not had any reports of a threat actor circumventing the ICT, nor have any of our security partners. However, since it is theoretically possible on a fully compromised system to circumvent the ICT with sufficient time and effort, we are building improved integrity checking capabilities into upcoming releases.
3) When will the ICT replacement be available?
The current planned delivery is the 9.1R12 release, tentatively scheduled for early August.
Frequently Asked Questions (FAQ):
Question 1: How do I run the Integrity Tool on Pulse Connect Secure appliances?
Answer: Please follow these steps to deploy the patch on the Pulse Connect Secure appliance:
- Log in to the administrator console of the PCS appliance.
- Navigate to Maintenance >> Upgrade/Downgrade >> Under Install Service Package
- Click on Browse and select the Integrity Tool. (Download the tool from the download link above.)
- Click on Install.
- This process will take a few minutes and the appliance automatically gets rebooted.
- You can monitor the console access for the process.
Question 2: Will the device reboot after running the Integrity Tool?
Answer: Yes, once you run the Integrity Tool, your device will automatically get rebooted.
Question 3: After running the Integrity Tool, how can we verify the results?
Answer: Once you run the Integrity Tool, the following upgrade page appears.
- The tool will show messages on the upgrade screen indicating whether there is any mismatch of hashes.
- The administrator can check Step 8 or Step 9 for any hash-mismatched or newly detected file.
- Any detected files or mismatched files will be zipped and encrypted.
- The Admin Generated Snapshot can be downloaded from the System Snapshot.
|Note: On the PSA300 appliance, the Integrity Tool may pick up multiple newly detected files. The engineering team is already aware of this issue and working on a fix. This is a false-positive scenario and only applicable to the PSA300 appliance.|
Question 4: The Admin Generated Snapshot was generated post-reboot; however, my appliance was showing 0 mismatched files or newly detected files?
Answer: Yes, this is expected behavior. Post reboot, PCS generates the Admin Generated Snapshot.
Question 5: We are using an A/A or A/P cluster; do we need to run the Integrity Tool individually on each node?
Answer:
Yes, we need to run the Integrity Tool individually on each node in the cluster scenario.
Question 6: We are using an A/A or A/P cluster; do we need to break the cluster to run this tool?
Answer: No, there is no need to break the cluster to run the Integrity Tool on the appliance.
Question 7: Does this tool repair any file during the reboot?
Answer: No, this tool does not repair any file during the reboot of the appliance.
Question 8: While running the Integrity Tool, the following log, "System software upgrade failed. Installation timed out.", is generated under admin logs?
Answer: This is expected behavior as this tool is only to verify the integrity of the appliance. An administrator could ignore this error message.
Question 9: What is the MD5 and SHA Hash value of the PCS Integrity Tool?
Answer:
You can download the Integrity Tool from the Download Center at https://my.pulsesecure.net
Please find the MD5 and SHA1 hash values:
MD5: 33bba986ebef422540dc392af409ab6c
SHA1: e4f5a04effeca5d228f448271ffe4990a574bc74
Question 10: While running the Integrity Tool, the tool failed on the 3rd step "Step 3: Integrity checker is not supported for this PCS version. ... complete (0 seconds)"?
Answer: This is expected behavior as this tool only verifies the above-mentioned production PCS versions / build numbers.
Question 11: Can this tool be made available for further releases?
Answer: The Engineering Team is working on further improvements to this tool and is planning to build an incremental tool for each release.
Question 12: Are any of the client components upgraded with this Integrity Tool?
Answer: No, this tool does not upgrade the PCS version or any client component on the PCS appliance.
Question 13: While running the Integrity Tool, we are seeing mismatched files or newly detected files.
Answer:
Please download the Admin Generated Snapshot post-reboot and create a Support Ticket for further investigation. (For more information visit KB44764.)
Question 14: How can I download the Admin Generated Snapshot from the PCS appliance?
Answer: To download the Admin Generated Snapshot, please follow the steps below:
- Navigate to Troubleshooting > System Snapshots
- Click on the Admin generated snapshot link to save the file as pulsesecure-state-admin-scanner-<date>-<time>
Question 15: When will the Integrity Checker Tool be built into the product?
Answer: We plan on integrating the tool into our next major release of R12 in Q3 this year. The standalone version will no longer be supported for versions R12 and above.
WHAT CAN AN ADMIN DO FOR ADDITIONAL INDICATORS:
Enabling Unauthenticated Request option
By default, unauthenticated requests are not logged on the VPN appliance. They are logged only after the Unauthenticated Request option (under Log/Monitoring > User Access > Setting), which is off by default, has been enabled.
If this option is enabled, then the administrator can check the logs in the User Access logs.
Checking External Syslog Logs
Pulse Connect Secure can be configured to send Syslog information to an external Syslog server. Administrators should check the logs for unusual authentication attempts on the PCS appliance. Refer: KB22227
Lock down administrative access to internal or management interfaces only. Disable admin access from the external port, which is the default setting.
Please refer to the following KB for more details: KB29805 - Pulse Connect Secure: Security configuration best practices
Document History:
March 31, 2021 - Initial public release.
April 15, 2021 - New version of the ICT (Integrity Checker Tool) available for dot releases and older releases.
April 18, 2021 - New version of the ICT (Integrity Checker Tool) available for older releases.
June 11, 2021 - New version of the ICT (package-integrity-checker-13145.1) available for download.