Enable Traceoption and manually update security update on Juniper JunOS SRX - NETSEC

Cybersecurity Memo

Friday, June 14, 2013

In our environment, pushing security updates from NSM to one pair of Juniper SRX 240 devices kept running into trouble. NSM is the only path we have for fetching updates from the Internet and pushing them to the SRXs, and most of our SRXs work fine with it. On this pair, the push from NSM occasionally failed with the following message:

request security idp load detector /var/db/idpd/nsm-download/libidp-detector.so.gz:
  Attack Update took too long, NSM giving up after 303 secs.
Device Status Received by NSM :   Done;AI installation failed! Attack DB update failed!
Install application package version 2270 failed.
AI compilation has failed.

After checking that the device had enough free space to hold the updates, we tried the following procedure to narrow down the issue:

To enable trace-options:
# set security idp trace-options file idp-trace size 100M
# set security idp trace-options flag all
# set security idp trace-options level all
# commit

+ Issue the security-package install command. Note that this installs the package already staged on the device (delivered by NSM in this setup); it does not fetch anything from the Internet itself:
> request security idp security-package install
Check the status of this command:
> request security idp security-package install status
Once the install has failed (or completed), you can disable the trace-options again so the trace file does not keep growing:
# deactivate security idp trace-options
# commit

+ The trace output is written to the file /var/log/idp-trace (the name given in the trace-options file statement above), which you can read with "show log idp-trace".

After updating the attack database on NSM itself, we pushed again, and this time it succeeded:

request security idp security-package install status:
  Done;Attack DB update : successful - [UpdateNumber=2272,ExportDate=Wed Jun 12 18:23:00 2013 UTC,Detector=12.6.160130325]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful
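When you manage more than a handful of SRXs, it helps to check the install-status output mechanically rather than by eye. The following Python helper is an added example, not code from the original post or from Juniper: it parses the two kinds of output shown above (the NSM failure message and the successful "install status" report), flags failure lines, pulls out the UpdateNumber, ExportDate and Detector fields, and tells you whether a device still needs a push relative to the update number NSM currently holds. The sample outputs are constructed from the transcripts in this post; the function names and the assumption that the status text is captured as-is (for example over an SSH session) are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, shaped after the two CLI transcripts in this post.
FAILED_OUTPUT = """request security idp load detector /var/db/idpd/nsm-download/libidp-detector.so.gz:
  Attack Update took too long, NSM giving up after 303 secs.
Device Status Received by NSM :   Done;AI installation failed! Attack DB update failed!
Install application package version 2270 failed.
AI compilation has failed.
"""

SUCCESS_OUTPUT = """request security idp security-package install status:
  Done;Attack DB update : successful - [UpdateNumber=2272,ExportDate=Wed Jun 12 18:23:00 2013 UTC,Detector=12.6.160130325]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful
"""

# Field block that Junos prints on a successful attack DB update.
_FIELDS = re.compile(r"\[UpdateNumber=(\d+),ExportDate=([^,]+),Detector=([^\]]+)\]")
# Fallback: the package version named in an NSM "Install ... failed" line.
_FAILED_VERSION = re.compile(r"package version (\d+) failed", re.I)
# Lines that indicate a failure of some step (the NSM timeout included).
_FAILURE_LINE = re.compile(r"\bfailed\b|took too long", re.I)


@dataclass
class IdpInstallResult:
    ok: bool                      # attack DB update reported successful and no failure lines
    update_number: Optional[int]  # UpdateNumber on success, or the version NSM failed to install
    export_date: Optional[str]
    detector: Optional[str]
    control_plane_ok: bool
    data_plane_ok: bool
    reasons: List[str]            # failure lines, verbatim, for the ticket / log message


def parse_idp_install_status(text: str) -> IdpInstallResult:
    """Classify the output of 'request security idp security-package install status'
    (or the equivalent failure text relayed by NSM) and extract version fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    reasons = [ln for ln in lines if _FAILURE_LINE.search(ln)]

    update_number = export_date = detector = None
    m = _FIELDS.search(text)
    if m:
        update_number = int(m.group(1))
        export_date = m.group(2).strip()
        detector = m.group(3).strip()
    else:
        m = _FAILED_VERSION.search(text)
        if m:
            update_number = int(m.group(1))

    db_ok = re.search(r"Attack DB update\s*:\s*successful", text) is not None
    control_plane_ok = re.search(r"control-plane.*:\s*successful", text) is not None
    data_plane_ok = re.search(r"data-plane.*:\s*successful", text) is not None

    return IdpInstallResult(
        ok=db_ok and not reasons,
        update_number=update_number,
        export_date=export_date,
        detector=detector,
        control_plane_ok=control_plane_ok,
        data_plane_ok=data_plane_ok,
        reasons=reasons,
    )


def needs_push(result: IdpInstallResult, nsm_update_number: int) -> bool:
    """True if the device failed its last install or runs an attack DB older
    than the update number NSM currently holds (nsm_update_number is an input
    you take from NSM; it is not parsed from the device)."""
    if not result.ok or result.update_number is None:
        return True
    return result.update_number < nsm_update_number


if __name__ == "__main__":
    for label, out in (("failed", FAILED_OUTPUT), ("success", SUCCESS_OUTPUT)):
        r = parse_idp_install_status(out)
        print(label, "ok=%s update=%s detector=%s needs_push=%s"
              % (r.ok, r.update_number, r.detector, needs_push(r, 2272)))
        for reason in r.reasons:
            print("   ", reason)
```

Run the file directly to see both samples classified; in practice you would feed it the captured output from each SRX and the update number NSM reports, and alert on any device for which needs_push() is True or whose Detector string differs from the rest of the fleet.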
