How to recover from database failures for Juniper SRX IDP?



1. Disable the idpd process in the configuration:

[email protected]# set system processes idp-policy disable 
[email protected]# delete security idp 

2. Once the idpd process is disabled, prune the current database records so that the database can be reinitialized.

For secdb failures, execute the following:
[email protected]% rm /var/db/idpd/db/secdb* /var/db/idpd/db/rdm.taf

3. Now reboot the device (it will initialize the secdb database) 
[email protected]> request system reboot

4. For RE attack cache (DFA/PCRE cache) failures, execute the following:
Once the idpd process is disabled, we can go ahead and prune the database records.

[email protected]# rm /var/db/idpd/db/dfa* /var/db/idpd/db/pcre* 
[email protected]# rm /var/db/idpd/db/cache.dbd /var/db/idpd/db/rdm.taf

5. Now reboot the device (it will initialize the cache database)
[email protected]# cli
[email protected]> request system reboot

Note: For the RE attack cache, users need not do anything (the cache will build up on subsequent policy compilation(s)).

6. After the device reboots, enable the idpd process
[email protected]# delete system processes idp-policy 

7. Now download the full-update of the security package and install it

Download:
[email protected]> request security idp security-package download full-update
[email protected]> request security idp security-package download status

Once the download is complete, install it:
[email protected]> request security idp security-package install
[email protected]> request security idp security-package install status

The device is recovered from secdb failure.
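The prune steps above delete the database files outright. The following is an added example, not part of the original post: a shell function that moves the same files (the patterns from steps 2 and 4) into a timestamped backup directory, so they can be kept for later analysis. The function name, its arguments, the backup location under /var/tmp and the availability of a POSIX sh and pgrep on the device are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): set aside the IDP database
# files instead of deleting them. Name, arguments and paths are assumptions.

# idp_prune <secdb|cache> [dbdir] [backup_root]
# Prints the backup directory on stdout; returns non-zero on error.
idp_prune() {
    kind=$1
    dbdir=${2:-/var/db/idpd/db}
    backup_root=${3:-/var/tmp}

    [ -d "$dbdir" ] || { echo "no such directory: $dbdir" >&2; return 1; }

    # File patterns per failure type, taken from steps 2 and 4 of the post.
    # The globs are expanded here, relative to $dbdir only.
    case "$kind" in
        secdb) set -- "$dbdir"/secdb* "$dbdir"/rdm.taf ;;
        cache) set -- "$dbdir"/dfa* "$dbdir"/pcre* \
                      "$dbdir"/cache.dbd "$dbdir"/rdm.taf ;;
        *) echo "usage: idp_prune <secdb|cache> [dbdir] [backup_root]" >&2
           return 2 ;;
    esac

    # Step 1 comes first: refuse to touch the files while idpd is running.
    # The check is skipped when pgrep is not available.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x idpd >/dev/null 2>&1; then
        echo "idpd is still running; disable idp-policy first" >&2
        return 1
    fi

    dest="$backup_root/idpd-db-$kind-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1

    moved=0
    for f in "$@"; do
        [ -e "$f" ] || continue          # pattern matched nothing
        mv "$f" "$dest"/ || return 1
        moved=$((moved + 1))
    done

    echo "moved $moved file(s) to $dest" >&2
    echo "$dest"
}
```

After sourcing the file, `idp_prune secdb` or `idp_prune cache` takes the place of the corresponding rm commands; the reboot and the remaining steps are unchanged.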

----------------------------------------------------------------------------------------------------------------------------------

The necessary steps for activating IDP are as follows:

  1. Install IDP license by issuing request system license add...
  2. Download IDP package by issuing request security idp security-package download
  3. Install IDP package by issuing request security idp security-package install
  4. Install IDP policy templates by issuing request security idp security-package install policy-templates
  5. Register the commit script that creates the IDP policies by issuing set system scripts commit file templates.xsl
  6. Set your preferred IDP policy as active, for instance by issuing set security idp active-policy Getting_Started
  7. Activate IDP on your policy by issuing set security policies from-zone trust to-zone untrust policy default-permit then permit application-services idp
