Knowledge Search


×
 

UTM (Unified Threat Management) Basic Troubleshooting Checklist for SRX

  [KB25680] Show Article Properties


Summary:

This article lists the common mistakes while using the UTM (Unified Threat Management) feature on the Branch SRX series platforms.


Symptoms:

Symptoms:

  • Warning messages are reported when trying to configure UTM
  • Warning messages about an expired trial license are reported
  • Cannot download database updates
  • Traffic is not hitting the expected UTM policy


For UTM configuration help, refer to the following articles:

Also, for additional configuration help and examples, refer to the Technical Documentation: UTM (Unified Threat Management)

After configuration, if it is not working, refer to the checklist of configuration issues below.

Cause:

Solution:

Common UTM issues 

The common UTM configuration errors found in JTAC are as follows. Step thru this checklist to confirm your setup and configuration:


Step 1. Confirm feature is supported on your SRX device.

Refer to the table of UTM features supported on SRX Series and J Series devices for your version of Junos:  
Junos 12.1 
Junos 11.4 
Junos 10.4 

Note:  UTM features will only run on high memory (highmem) devices. It will not run on lowmem devices.  Refer to KB15413 on how to tell if your device is highmem.


Step 2. Confirm licenses.

These UTM features require a subscription license: Antispam, Antivirus, and Web filtering. 

You may have forgotten to load the license or the trial license may have expired.

Run the following command to verify the licenses are installed:

 user@SRX> show system license 

For information on how to activate, install, and verify the subscription license, refer to KB16675 - SRX Getting Started - Install license for Antivirus, Web Filter, IDP, or Antispam.


Step 3. Confirm DNS configuration.

Run the following command to confirm that DNS is configured:

user@SRX> show system name-server


If DNS is not configured, there may be issues with downloading pattern updates.

For information on how to configure DNS, refer to KB15656 SRX Getting Started - SRX Getting Started - Configure DNS.


Step 4. Confirm NTP configuration.

Run the following command to confirm NTP is configured:

user@SRX# show system ntp


If NTP is not configured, this may affect the UTM features that have a subscription; there may be issues with downloading pattern updates.

Also, if NTP is not configured, there may be an issue with scheduling Web Filtering based on time or day of week; see KB19467.

For information on how to configure and verify NTP, refer to KB15756 SRX Getting Started - Configure Time and NTP Client.


Step 5. Confirm the UTM policy is applied to the appropriate Security Policy.

Note: It is mandatory to apply a UTM policy to Security Polices in order to use the UTM features. Otherwise, traffic will not hit the expected UTM policy.

The UTM policy is always applied to transit traffic (in the Security Policy hierarchy) as follows:

 user@SRX# set security policy from-zone untrust to-zone trust policy test then permit application-services utm-policy <policy name>

The above command illustrates applying a specific utm-policy for a security policy from the untrust to the trust zone. As a consequence of this command, all the traffic directed from the untrust to the trust zone would also be examined against the utm-policy.



Other UTM issues


Related Links: