Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

New Digital Certificates for Juniper Firewall running Deep Inspection (DI) Service

0

0

Article ID: KB10239 KB Last Updated: 11 Aug 2010Version: 9.0
Summary:
Juniper Firewall devices running DI will require a one time manual update of the digital certificates in order to obtain DI signature file updates after Jan 29, 2008 OR upgrade the Juniper Firewall to ScreenOS 6.0.0r4 or 5.4.0r9.
Symptoms:
Juniper Firewall devices (SSG, ISG, and NetScreen) that have the Deep Inspection (DI) feature enabled use a preinstalled digital certificate to authenticate to the Deep Inspection signature file update server.  In versions below ScreenOS 6.0.0r4 and ScreenOS 5.4.0r9, this certificate expired on January 29, 2008.  Without operator intervention, after expiration the firewall device will no longer be able to obtain signature file updates.  When trying to update the DI database the download will fail and the following error is displayed:   "Download failed.Error: Unable to est. TCP connection Attack download failed."


How does one determine if this applies to their firewall? 

If the firewall is running one of the following ScreenOS versions, then no action is required to update the digital certificates:
  • ScreenOS 5.4.0r9 or later
  • ScreenOS 6.0.0r4 or later
  • ScreenOS 6.1.0r1 or later
If the ScreenOS is not updated to the above versions, check if the DI license key is loaded on the firewall:
- From the CLI, enter the command 'get license' and look for the license key named 'di_db_key'
- From the WebUI, select Configuration > Update > ScreenOS/Keys, and look for the license key named 'di_db_key' in the License Information box.
If the DI license key is loaded, then the process in the Solution below should be followed.

 

Solution:
A.  Upgrade the Juniper Firewall to ScreenOS 6.0.0r4 (or later).

or

B.  Upgrade the Juniper Firewall to ScreenOS 5.4.0r9 (or later).

or

C.  Perform the following steps:
  1. Download, unzip, and extract the files in VeriSign_Certificates.zip. It contains two (2) certificate files: 

      VeriSign_Root.cer
      VeriSign_Intermediate.cer
  2. Perform the installation instructions in the Product Support Notification (PSN):
  3. https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-11-005


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search