This article addresses an NSM update to a High End SRX-IDP device failing.
The NSM update to a High End SRX-IDP device fails. The same error, reported against "packet-log", appears in the CLI when committing the update.
The NSM update fails.
Error Code:
Error Text:
Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Success.
validate Success.
confirmedCommit Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/11.4R6/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-severity>error</error-severity>
<error-path>[edit security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification]</error-path>
<error-info>
<bad-element>packet-log</bad-element>
</error-info>
<error-message>mgd: when pcap is enabled then end point details should also be configured</error-message>
</rpc-error>
<rpc-error>
<error-severity>error</error-severity>
<error-message>
commit failed: (statements constraint check failed)
</error-message>
</rpc-error>
</rpc-reply>
unlock Success.
Error Details:
Logs:
<configuration>
<security>
<idp>
<idp-policy>
<name>DC6_DMZ_SRX01</name>
<rulebase-ips>
<rule>
<name>1</name>
<match>
<attacks>
<custom-attack-groups>MS13-020 Vul in OLE Automation Could Allow RCE (2802968)</custom-attack-groups>
<predefined-attacks operation="delete">NFS:MS-WINDOWS-NFS-NULL-DOS</predefined-attacks>
</attacks>
</match>
<then>
<notification operation="create">
<log-attacks>
<alert />
</log-attacks>
<packet-log>
<pre-attack>10</pre-attack>
<post-attack>20</post-attack>
<post-attack-timeout>1</post-attack-timeout>
</packet-log>
</notification>
</then>
</rule>
<rule operation="delete">
<name>2</name>
</rule>
</rulebase-ips>
</idp-policy>
<custom-attack-group operation="delete">
<name>Vul in Win Remote Desktop Protocol (RDP) Brute Force Attempt</name>
</custom-attack-group>
<custom-attack-group operation="delete">
<name>Vul in Win Shell Could Allow RCE (2286198)</name>
</custom-attack-group>
<custom-attack-group operation="create">
<name>MS13-020 Vul in OLE Automation Could Allow RCE (2802968)</name>
<group-members>HTTP:STC:OLE-AUTO-RCE</group-members>
</custom-attack-group>
</idp>
</security>
</configuration>
Using CLI:
root@junosdut# commit
[edit security idp idp-policy junosdust rulebase-ips rule 1 then notification]
'packet-log'
when pcap is enabled then end point details should also be configured
error: commit failed: (statements constraint check failed)
This issue occurs because the following mandatory configuration is missing on the High End SRX-IDP device:
- set security idp sensor-configuration packet-log source-address <srx-ip>
- set security idp sensor-configuration packet-log host <syslog server>
- set security idp sensor-configuration packet-log host port 514
To set the 'packet-log' data, configure the above CLI statements on the High End SRX-IDP devices and then import the device.
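A pre-commit check for this constraint, as an added example that is not part of the original article or of any Juniper tool: it scans configuration in set-command form for IDP rules that use packet-log and reports which of the sensor-configuration statements listed above are missing. The function name, the sample configuration text and the 192.0.2.x addresses are assumptions made for illustration.

```python
import shlex

SENSOR = ["set", "security", "idp", "sensor-configuration", "packet-log"]
REQUIRED = ("source-address", "host")  # the statements the article names as mandatory

def check_packet_log(display_set_text):
    """Return (rules using packet-log, sensor statements still missing)."""
    rules, present = [], set()
    for line in display_set_text.splitlines():
        tok = shlex.split(line)  # policy/rule names containing spaces are quoted
        if tok[:5] == SENSOR and len(tok) > 6 and tok[5] in REQUIRED:
            present.add(tok[5])
        # set security idp idp-policy <P> rulebase-ips rule <R> then notification packet-log ...
        elif (tok[:4] == ["set", "security", "idp", "idp-policy"]
              and tok[5:7] == ["rulebase-ips", "rule"]
              and tok[8:11] == ["then", "notification", "packet-log"]):
            if (tok[4], tok[7]) not in rules:
                rules.append((tok[4], tok[7]))
    missing = [s for s in REQUIRED if s not in present] if rules else []
    return rules, missing

# Constructed sample: the rule from the failed update, in set form.
FAILING = """\
set security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification packet-log pre-attack 10
set security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification packet-log post-attack 20
set security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification packet-log post-attack-timeout 1
"""
# Constructed sample: same rule plus the sensor settings (192.0.2.x are placeholder addresses).
FIXED = FAILING + """\
set security idp sensor-configuration packet-log source-address 192.0.2.1
set security idp sensor-configuration packet-log host 192.0.2.50 port 514
"""

if __name__ == "__main__":
    for label, cfg in (("before", FAILING), ("after", FIXED)):
        rules, missing = check_packet_log(cfg)
        print(label, "rules with packet-log:", rules, "missing:", missing or "none")
```

A non-empty "missing" list for a policy that uses packet-log predicts the "statements constraint check failed" commit error shown above.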