New Digital Certificates for Juniper Firewall running Deep Inspection (DI) Service (KB ID: KB10239)

Article ID: KB10239
Published: Mar 13, 2008
Last Modified: Mar 13, 2008
Visible By: Employee, PTAC, Partner, Customer, Public

Article URL

http://kb.juniper.net/KB10239

Synopsis

Juniper Firewall devices running DI require a one-time manual update of their digital certificates in order to obtain DI signature file updates after Jan 29, 2008. Alternatively, upgrade the Juniper Firewall to ScreenOS 6.0.0r4 or 5.4.0r9.

Problem

Juniper Firewall devices (SSG, ISG, and NetScreen) that have the Deep Inspection (DI) feature enabled use a preinstalled digital certificate to authenticate to the Deep Inspection signature file update server. In versions earlier than ScreenOS 6.0.0r4 and ScreenOS 5.4.0r9, this certificate expired on January 29, 2008. After expiration, and without operator intervention, the firewall device can no longer obtain signature file updates. An attempt to update the DI database fails with the following error: "Download failed.Error: Unable to est. TCP connection Attack download failed."


How does one determine if this applies to their firewall? 

If the firewall is running one of the following ScreenOS versions, then no action is required to update the digital certificates:

  • ScreenOS 5.4.0r9 or later
  • ScreenOS 6.0.0r4 or later
  • ScreenOS 6.1.0r1 or later

If the firewall is not running one of the above versions, check whether the DI license key is loaded on the firewall:

- From the CLI, enter the command 'get license' and look for the license key named 'di_db_key'.
- From the WebUI, select Configuration > Update > ScreenOS/Keys, and look for the license key named 'di_db_key' in the License Information box.

If the DI license key is loaded, follow the process in the Solution below.
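
The applicability check above, applied to a saved inventory, as an added example (not Juniper's code). The host names, version strings and license text are constructed, and treating branches newer than 6.1 as "later" while treating other unlisted branches as not fixed is an assumption of this example.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch:
# 5.4.0r9, 6.0.0r4 and 6.1.0r1. Value is (maintenance, release) minimum.
FIXED = {(5, 4): (0, 9), (6, 0): (0, 4), (6, 1): (0, 1)}

def parse_version(text):
    """Return (major, minor, maint, rel) from a string such as '5.4.0r8.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)r(\d+)", text)
    if m is None:
        raise ValueError(f"no ScreenOS version in {text!r}")
    return tuple(int(g) for g in m.groups())

def has_fixed_certificate(version):
    """True if the version is at or past the fixed release of its own branch."""
    major, minor, maint, rel = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        # Compare inside the branch: 6.0.0r3 sorts after 5.4.0r9 but is not fixed.
        return (maint, rel) >= FIXED[branch]
    # Assumption: branches newer than 6.1 are "later"; other unlisted ones are not.
    return branch > max(FIXED)

def needs_manual_cert_update(version, license_output):
    """Apply the article's two checks: ScreenOS version, then di_db_key."""
    if has_fixed_certificate(version):
        return False
    return "di_db_key" in license_output

def audit(inventory):
    """Return the hosts that need the manual certificate update."""
    return [host for host, (ver, lic) in inventory.items()
            if needs_manual_cert_update(ver, lic)]

# Constructed inventory: host -> (version string, saved 'get license' text).
# The license text is a stand-in, not real device output.
SAMPLE = {
    "fw-a": ("5.4.0r8.0", "di_db_key present"),
    "fw-b": ("6.0.0r3.0", "di_db_key present"),
    "fw-c": ("6.0.0r4.0", "di_db_key present"),
    "fw-d": ("5.4.0r2.0", "no DI key listed"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
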

 

Solution

A.  Upgrade the Juniper Firewall to ScreenOS 6.0.0r4 (or later).

or

B.  Upgrade the Juniper Firewall to ScreenOS 5.4.0r9 (or later).

or

C.  Perform the following steps:
  1. Download, unzip, and extract the files in VeriSign_Certificates.zip. It contains two (2) certificate files: 

      VeriSign_Root.cer
      VeriSign_Intermediate.cer

  2. Perform the installation instructions in the Product Support Notification (PSN):
     https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-11-005


Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software
By Network Technology » Network Services » Security Services » Deep Inspection

Purpose

Licensing & Contracts
