This document lists what information should be collected when there is a problem on one of the following Juniper devices running IDP (Intrusion Detection and Prevention):
- IDP Series
- SRX Series running IDP
- ISG Series running IDP
What information should I collect to assist in troubleshooting prior to opening a case?
The goal of this document is to reduce the time spent on initial data collection and reduce time to resolve by providing a comprehensive list of what to collect or gather to troubleshoot an issue.
Collect the following data for your device. Either attach the data to your case or securely transfer the data using these instructions: KB23337 - How to upload large files to a JTAC Case
IDP Series - IDP75, IDP250, IDP800, or IDP8200:
tech-support -
This will pull the configuration, recent logs, stats, etc.
Core files -
Check the /var/idp/device/corefiles directory for the presence of files. If core files are present, collect them.
Entire logs directory -
The tech-support output only includes recent logs, so if the problem has been occurring for some time you may need all of the logs. Archive them as follows (the archive is written to the sysinfo directory, not into the logs directory being archived):
cd /var/idp/device/sysinfo
tar -cf logs_archive.tar logs
Packet captures (pcaps) -
If relevant, collect the pcaps needed to reproduce the traffic that triggers the problem.
SRX Series running IDP:
request support information | no-more -
Log your SSH session and enter this in operational mode at the Junos CLI. It captures the configuration and statistics as of the moment it is run, so run it while the problem is present if at all possible.
show system core-dumps -
Enter this command in operational mode at the Junos CLI to see if core dumps were generated. If core dumps are present, then collect those.
Entire logs directory -
The SRX writes and archives many logs under /var/log, and it is good to have all of them. Archive the directory from the shell. Write the archive to /var/tmp rather than into /var/log itself, so that tar is never asked to include its own output file in the archive:
root@host> start shell
root@host% cd /var/log
root@host% tar -cf /var/tmp/varlogs.tar *
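The log-archiving step above for the SRX, and the equivalent step for the IDP Series sensor, can be wrapped in a small shell function that also does the two checks a practitioner wants before uploading to a case: it stages the archive outside the directory being archived, confirms the archive reads back, and prints a checksum to quote in the case notes. This is an added example written for this page, not Juniper's own tooling; it assumes a POSIX sh with tar, cksum and awk (all present in the Junos and IDP shells) and a writable staging directory such as /var/tmp.

```shell
#!/bin/sh
# Added example for this KB, not Juniper's own tooling. It packages a log
# directory for a JTAC case the way the IDP Series and SRX steps above do by hand.
# Assumed: a POSIX sh with tar, cksum and awk, and a staging directory (e.g. /var/tmp)
# that is NOT inside the directory being archived, so tar never archives its own output.

# archive_logs SRC_DIR STAGING_DIR LABEL
# Creates STAGING_DIR/LABEL_logs_<UTC timestamp>.tar containing SRC_DIR, verifies
# that the archive reads back, and prints the archive path on success.
archive_logs() {
    src="$1"; out="$2"; label="$3"

    [ -d "$src" ] || { echo "archive_logs: no such directory: $src" >&2; return 1; }
    mkdir -p "$out" || return 1

    stamp=$(date -u +%Y%m%d-%H%M%S)
    archive="$out/${label}_logs_${stamp}.tar"

    # -C archives SRC_DIR by its basename, so extraction yields one top-level
    # directory (e.g. log/messages) instead of loose files.
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    # A truncated or unreadable archive is worse than none: fail if it does not list.
    tar -tf "$archive" >/dev/null || { rm -f "$archive"; return 1; }

    printf '%s\n' "$archive"
}

# archive_digest ARCHIVE
# Prints the POSIX cksum CRC and byte count of the archive so the same values can
# be recorded in the case and compared after the upload completes.
archive_digest() {
    [ -f "$1" ] || return 1
    cksum "$1" | awk '{print $1, $2}'
}

# Example run (paths are illustrative; on an SRX use /var/log and /var/tmp):
# a=$(archive_logs /var/log /var/tmp "$(hostname)") && archive_digest "$a"
```

The archive name carries a UTC timestamp so that repeated collections from the same box do not overwrite each other, and the function refuses to report success for an archive that tar itself cannot list.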
Packet captures (pcaps) -
If relevant, collect the pcaps needed to reproduce the traffic that triggers the problem.
ISG1000 or ISG2000 running IDP:
get tech -
This is the ScreenOS equivalent of request support information (RSI) on the SRX. Log your SSH session and issue this command and the next one.
get sm-ctx tech -
This is the tech-support output for the IDP security modules.
Core files -
Enter the following, where <#> is the security module number (for example, 3):
exec sm <#> ksh "ls -l /idp/log"
and look for .core files in the listing. To copy a core file to a TFTP server, enter:
exec sm <#> save tftp <tftp-ip> <filename> from /idp/log/engine.core
where <filename> is the name under which the file is saved on the TFTP server.
Logs -
If a policy push fails, or for similar problems, there may be useful information in sloginfo. With SSH session logging enabled, enter (again substituting the security module number for <#>):
exec sm <#> ksh "sloginfo"
For more information, see KB10738 - Troubleshooting ISG/IDP policy push failures.
Packet captures (pcaps) -
If relevant, collect the pcaps needed to reproduce the traffic that triggers the problem.