Symptoms
From Space, if I make a new change on firewall policy and push it to gateway, I will get following errors.
It says "No rulebase configured for active policy", which is mis-leading when you first time saw this message. IDP policy usually is fine here.
[Error] Configuration update failed. Severity : error            At : [edit security idp] Message : No rulebase configured for active policy   Details :Âidp-policy Space-IPS-Policy  Severity : error Message : configuration check-out failedÂ
To view the full error message,Click here<commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path> <error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element> </error-info>
<error-message> No rulebase configured for active policy </error-message> </rpc-error>
<rpc-error>
<error-type>protocol</error-type> <error-tag>operation-failed</error-tag> <error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>
From Command line:
{primary:node1}[edit] testuser@fw-test1-2# {primary:node1}[edit] testuser@fw-test1-2# commit [edit security idp] 'idp-policy Space-IPS-Policy' No rulebase configured for active policy error: configuration check-out failed {primary:node1}[edit] testuser@fw-test1-2#
Based on kb26964, it is IDP error message, and it is relating to IDP Signature Database.
In this case, for somehow both nodes do not have same attack database version.
root@fw-test1-1> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A {secondary:node0}
Solutions
1. Disable IDP and install policy.Â
It works from command line but it is not ideal solution we want. If you got limited time to implement your change, it will help.Â
root@fw-test-2# deactivate security idp {primary:node1}[edit] root@fw-test-2# commit check node1: configuration check succeeds node0: configuration check succeeds
2. Reinstall Attack DB
2.1 Direct Install from Internet
If your device has internet access, you will just need to delete the attack DB from SRX and reinstall it.
[edit] root# run start shell user root ##Type the root password and delele the files:
root% rm -rf /var/db/idpd/sec-download/*
##Install either a previous version of the attack DB or the latest version:
root> request security idp security-package download version 2232 full-update root> request security idp security-package install
##Set the active policy as Recommended and then commit the configuration; it should be successful this time.
root# set security idp active-policy Recommended root# commit
##Check the policy commit status: root # run show security idp policy-commit-status
2.2 Install from JunOS Space
Delete all DB files, and push the latest Attack DB from Space again.
2.3 Copy from another node
in my case, since node 0 has latest IDP attack DB, just copy it over from Node 0 to node 1 to make sure both have same version of attack DB, the issue can be resolved.
root@fw-test-1> show security idp security-package-version
node0:
--------------------------------------------------------------------------
Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
Detector version :12.6.160170603
Policy template version :N/A
node1:
--------------------------------------------------------------------------
Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC)
Detector version :12.6.160170603
Policy template version :N/A
root@fw-test-1% rcp -r -T /var/db/idpd/* node1:/var/db/idpd/ root@fw-test-1% root@fw-test-1% root@fw-test-1% cli {secondary:node0} root@fw-test-1> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A
This method can fix most of IDP attack DB issue if one of your cluster member has a right version on it.
No comments:
Post a Comment