How to recover from database failures for Juniper SRX IDP?
1. Disable idpd process from the configuration
[email protected]> edit
[email protected]# set system processes idp-policy disable
[email protected]# delete security idp
[email protected]# commit
2. Once the idpd process is disabled, initialize the database (prune the current records).
For secdb failures, execute the following:
[email protected]# exit
[email protected]> exit
[email protected]% rm /var/db/idpd/db/secdb* /var/db/idpd/db/rdm.taf
3. Now reboot the device (it will initialize the secdb database)
[email protected]% cli
[email protected]> request system reboot
4. For RE attack cache (DFA/PCRE cache) failures, execute the following:
Once the idpd process is disabled, we can go ahead and prune the database records:
[email protected]# exit
[email protected]> exit
[email protected]# rm /var/db/idpd/db/dfa* /var/db/idpd/db/pcre*
[email protected]# rm /var/db/idpd/db/cache.dbd /var/db/idpd/db/rdm.taf
5. Now reboot the device (it will initialize the cache database)
[email protected]# cli
[email protected]> request system reboot
Note: For RE attack cache, users need not do anything (the cache will build up on subsequent policy compilation(s)).
6. After the device reboots, enable idpd process
[email protected]% cli
[email protected]> edit
[email protected]# delete system processes idp-policy
[email protected]# commit
7. Now download the full-update of the security package and install it
Download:
[email protected]> request security idp security-package download full-update
[email protected]> request security idp security-package download status
Once the download is complete, install it:
[email protected]> request security idp security-package install
[email protected]> request security idp security-package install status
The device is recovered from secdb failure.
----------------------------------------------------------------------------------------------------------------------------------
The necessary steps for activating IDP are as follows:
- Install IDP license by issuing request system license add...
- Download IDP package by issuing request security idp security-package download
- Install IDP package by issuing request security idp security-package install
- Install IDP policy templates by issuing request security idp security-package install policy-templates
- Register the commit script that creates the IDP policies by issuing set system scripts commit file templates.xsl
- Set your preferred IDP policy as active, for instance by issuing set security idp active-policy Getting_Started
- Activate IDP on your policy by issuing set security policies from-zone trust to-zone untrust policy default-permit then permit application-services idp