New Digital Certificates for Juniper Firewall running Deep Inspection (DI) Service
| Knowledge Base ID: | KB10239 |
| Version: | 8.0 |
| Published: | 07 Oct 2008 |
| Updated: | 07 Oct 2008 |
| Categories: | Firewall/IPSec_VPN, Deep Inspection, ScreenOS |
Juniper Firewall devices running DI require either a one-time manual update of the digital certificates or an upgrade to ScreenOS 6.0.0r4 or 5.4.0r9 in order to continue obtaining DI signature file updates after Jan 29, 2008.
Problem:
Juniper Firewall devices (SSG, ISG, and NetScreen) that have the Deep Inspection (DI) feature enabled use a preinstalled digital certificate to authenticate to the Deep Inspection signature file update server. In versions below ScreenOS 6.0.0r4 and ScreenOS 5.4.0r9, this certificate expired on January 29, 2008. Without operator intervention, the firewall device is no longer able to obtain signature file updates after that date. When an update of the DI database is attempted, the download fails and the following error is displayed: "Download failed.Error: Unable to est. TCP connection Attack download failed."
Solution:
How does one determine if this applies to their firewall?
If the firewall is running one of the following ScreenOS versions, then no action is required to update the digital certificates:
- ScreenOS 5.4.0r9 or later
- ScreenOS 6.0.0r4 or later
- ScreenOS 6.1.0r1 or later
If the firewall is running an earlier release, check whether the DI license key is loaded:
- From the CLI, enter the command 'get license' and look for the license key named 'di_db_key'.
- From the WebUI, select Configuration > Update > ScreenOS/Keys, and look for the license key named 'di_db_key' in the License Information box.
If the DI license key is loaded, then the process in the Solution below should be followed.
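The two checks above (running release, DI license key present) are easy to get wrong across a fleet because the fix landed at a different point in each release train: 6.0.0r3 is numerically "later" than 5.4.0r9 but is still affected. The following Python triage helper is an added example, not part of the KB or of any Juniper tooling. It assumes version strings of the form major.minor.patch "r" release (an optional trailing build letter is accepted and ignored, which is an assumption about ScreenOS build naming), treats trains newer than 6.1 as covered by "6.1.0r1 or later" and trains older than 5.4 as affected (both interpretations of the KB's wording), and checks captured 'get license' output only for the key name 'di_db_key'; the sample license outputs are constructed, since the KB does not show the real command output format.

```python
import re
from typing import Tuple

# ScreenOS release strings look like "5.4.0r9": major.minor.patch, then
# a release number after "r".  The optional trailing letter (e.g. "r9a")
# is an assumption about build suffixes and is ignored for comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)[a-z]?$", re.IGNORECASE)

Version = Tuple[int, int, int, int]

# Per-train minimum release that ships a current DI update certificate,
# taken from KB10239.  The 6.1 train is fixed from its first release.
FIXED_MINIMUM = {
    (5, 4): (5, 4, 0, 9),
    (6, 0): (6, 0, 0, 4),
    (6, 1): (6, 1, 0, 1),
}

# The KB names this license key as the indicator that DI is licensed.
DI_LICENSE_KEY = "di_db_key"


def parse_version(text: str) -> Version:
    """Turn "6.0.0r4" into (6, 0, 0, 4); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def has_current_di_certificate(version: str) -> bool:
    """True when the release already ships a valid DI update certificate.

    The comparison is per train: 6.0.0r3 sorts after 5.4.0r9 numerically
    but is still affected, because the 6.0 fix only landed in 6.0.0r4.
    """
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_MINIMUM:
        return v >= FIXED_MINIMUM[train]
    if train > (6, 1):
        # Trains after 6.1 are read here as covered by "6.1.0r1 or later"
        # (interpretation of the KB, not something it states explicitly).
        return True
    # Trains older than 5.4 are not listed as fixed; treat them as affected.
    return False


def di_license_loaded(get_license_output: str) -> bool:
    """Look for the DI license key name in captured 'get license' output."""
    return any(DI_LICENSE_KEY in line for line in get_license_output.splitlines())


def action_required(version: str, get_license_output: str) -> bool:
    """A manual certificate update (or an upgrade) is needed only when DI is
    licensed and the running release predates the fix."""
    return di_license_loaded(get_license_output) and not has_current_di_certificate(version)


# Constructed sample outputs.  These are NOT real ScreenOS 'get license'
# transcripts (the KB does not show the format); they only stand in for
# captured output that does or does not contain the key name.
SAMPLE_LICENSE_WITH_DI = """\
Sessions: 8000 sessions
Capacity: unlimited number of users
di_db_key: sample-value
"""
SAMPLE_LICENSE_WITHOUT_DI = """\
Sessions: 8000 sessions
Capacity: unlimited number of users
"""

if __name__ == "__main__":
    # Constructed inventory: (hostname, running version, get-license capture).
    inventory = [
        ("fw-branch-1", "5.4.0r8", SAMPLE_LICENSE_WITH_DI),
        ("fw-branch-2", "6.0.0r3", SAMPLE_LICENSE_WITH_DI),
        ("fw-dc-1", "6.0.0r4", SAMPLE_LICENSE_WITH_DI),
        ("fw-lab", "5.4.0r8", SAMPLE_LICENSE_WITHOUT_DI),
    ]
    for host, ver, lic in inventory:
        status = "ACTION REQUIRED" if action_required(ver, lic) else "ok"
        print(f"{host:12} {ver:10} {status}")
```

Feeding the helper an inventory of hostnames, running releases and saved 'get license' captures produces a list of the firewalls that still need option A, B or C below; devices without the DI key are skipped even on old releases, matching the KB's scoping.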
A. Upgrade the Juniper Firewall to ScreenOS 6.0.0r4 (or later).
or
B. Upgrade the Juniper Firewall to ScreenOS 5.4.0r9 (or later).
or
C. Perform the following steps:
- Download, unzip, and extract the files in VeriSign_Certificates.zip. It contains two (2) certificate files:
  - VeriSign_Root.cer
  - VeriSign_Intermediate.cer
- Perform the installation instructions in the Product Support Notification (PSN): https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-11-005