Wednesday, November 15, 2017

Juniper SRX Commnit Error "No rulebase configured for active policy"

I have been dealing with Juniper SRX IDP error many times when NSM was been used. Mostly those errors are caused by corrupted signature DB or not enough storage space on SRX itself. Here is the latest one I encountered.

Symptoms
From Space, if I make a new change on firewall policy and push it to gateway, I will get following errors.


It says "No rulebase configured for active policy", which is mis-leading when you first time saw this message. IDP policy usually is fine here.

[Error] Configuration update failed. 

Severity : error            At : [edit security idp] Message : No rulebase configured for active policy 
  Details : idp-policy Space-IPS-Policy Severity : error Message : configuration check-out failed 



To view the full error message,Click here
<commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path> <error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element> </error-info>
<error-message> No rulebase configured for active policy </error-message> </rpc-error>
<rpc-error>
<error-type>protocol</error-type> <error-tag>operation-failed</error-tag> <error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>


From Command line:

{primary:node1}[edit]
testuser@fw-test1-2# 

{primary:node1}[edit]
testuser@fw-test1-2# commit 
[edit security idp]
  'idp-policy Space-IPS-Policy'
    No rulebase configured for active policy
error: configuration check-out failed

{primary:node1}[edit]
testuser@fw-test1-2# 


Based on kb26964, it is IDP error message, and it is relating to IDP Signature Database.

In this case, for somehow both nodes do not have same attack database version.
root@fw-test1-1> show security idp security-package-version 
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3004(Thu Nov  9 12:12:06 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

{secondary:node0}


Solutions

1. Disable IDP and install policy. 
It works from command line but it is not ideal solution we want. If you got limited time to implement your change, it will help. 

root@fw-test-2# deactivate security idp 

{primary:node1}[edit]
root@fw-test-2# commit check 
node1: 
configuration check succeeds
node0: 
configuration check succeeds




2. Reinstall Attack DB
2.1 Direct Install from Internet
If your device has internet access, you will just need to delete the attack DB from SRX and reinstall it.
[edit]
root# run start shell user root
##Type the root password and delele the files:
root% rm -rf /var/db/idpd/sec-download/*
##Install either a previous version of the attack DB or the latest version:
root> request security idp security-package download version 2232 full-update

root> request security idp security-package install
##Set the active policy as Recommended and then commit the configuration; it should be successful this time. 
root# set security idp active-policy Recommended
root# commit
##Check the policy commit status:
root # run show security idp policy-commit-status



2.2 Install from JunOS Space
Delete all DB files, and push the latest Attack DB from Space again.


2.3 Copy from another node
in my case, since node 0 has latest IDP attack DB, just copy it over from Node 0 to node 1 to make sure both have same version of attack DB, the issue can be resolved.


root@fw-test-1> show security idp security-package-version 
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3004(Thu Nov  9 12:12:06 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

root@fw-test-1% rcp -r -T /var/db/idpd/* node1:/var/db/idpd/


root@fw-test-1%
root@fw-test-1%
root@fw-test-1% cli
{secondary:node0}
root@fw-test-1> show security idp security-package-version 
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A



This method can fix most of IDP attack DB issue if one of your cluster member has a right version on it.



No comments:

Post a Comment

NetSec Youtube Videos