
Why does NSM update High End SRX-IDP fail with packet-log error?


Article ID: KB27598 KB Last Updated: 04 Mar 2017 Version: 4.0
Summary:
This article addresses an NSM update to a High End SRX-IDP device failing with a packet-log error.

Symptoms:
The NSM update to the High End SRX-IDP device fails. The same error appears in the CLI as "packet-log" when committing the update.

NSM update fails.

Error Code:
Error Text:
Update fails UpdateDevice Results
sanityCheckCmd Success.
lock Success.
GenerateEditConfig Success.
validate Success.
confirmedCommit Failed .
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/11.4R6/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<rpc-error>
<error-severity>error</error-severity>
<error-path>[edit security idp idp-policy DC6_DMZ_SRX01 rulebase-ips rule 1 then notification]</error-path>
<error-info>
<bad-element>packet-log</bad-element>
</error-info>
<error-message>mgd: when pcap is enabled then end point details should also be configured</error-message>
</rpc-error>
<rpc-error>
<error-severity>error</error-severity>
<error-message>
commit failed: (statements constraint check failed)
</error-message>
</rpc-error>
</rpc-reply>


unlock Success.
Error Details:
Logs:
<configuration>
<security>
<idp>
<idp-policy>
<name>DC6_DMZ_SRX01</name>
<rulebase-ips>
<rule>
<name>1</name>
<match>
<attacks>
<custom-attack-groups>MS13-020 Vul in OLE Automation Could Allow RCE (2802968)</custom-attack-groups>
<predefined-attacks operation="delete">NFS:MS-WINDOWS-NFS-NULL-DOS</predefined-attacks>
</attacks>
</match>
<then>
<notification operation="create">
<log-attacks>
<alert />
</log-attacks>
<packet-log>
<pre-attack>10</pre-attack>
<post-attack>20</post-attack>
<post-attack-timeout>1</post-attack-timeout>
</packet-log>
</notification>
</then>
</rule>
<rule operation="delete">
<name>2</name>
</rule>
</rulebase-ips>
</idp-policy>
<custom-attack-group operation="delete">
<name>Vul in Win Remote Desktop Protocol (RDP) Brute Force Attempt</name>
</custom-attack-group>
<custom-attack-group operation="delete">
<name>Vul in Win Shell Could Allow RCE (2286198)</name>
</custom-attack-group>
<custom-attack-group operation="create">
<name>MS13-020 Vul in OLE Automation Could Allow RCE (2802968)</name>
<group-members>HTTP:STC:OLE-AUTO-RCE</group-members>
</custom-attack-group>
</idp>
</security>
</configuration>


Using CLI:
root@junosdut# commit
[edit security idp idp-policy junosdust rulebase-ips rule 1 then notification]
'packet-log'
when pcap is enabled then end point details should also be configured
error: commit failed: (statements constraint check failed)

Cause:

Solution:
This issue occurs because the following mandatory configuration is missing on the High End SRX-IDP device:
  1. set security idp sensor-configuration packet-log source-address <srx-ip>
  2. set security idp sensor-configuration packet-log host <syslog server>
  3. set security idp sensor-configuration packet-log host port 514
To set the packet-log data, configure the above CLI statements on the High End SRX-IDP device and then import the device.
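The dependency behind this commit error can be checked before pushing an update. The following is an added example, not Juniper or NSM code: it scans a configuration XML for IDP rules that use packet-log and reports which sensor-configuration packet-log statements are absent. The policy name, addresses and the `<sensor-configuration>` XML layout (including `ipaddr`) are assumptions constructed for illustration, mirroring the CLI hierarchy above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <configuration> fragment in the Logs section.
# ASSUMPTION: the <sensor-configuration> XML layout mirrors the CLI hierarchy.
SAMPLE_BAD = """<configuration><security><idp>
  <idp-policy><name>EXAMPLE_POLICY</name><rulebase-ips>
    <rule><name>1</name><then><notification>
      <log-attacks><alert/></log-attacks>
      <packet-log><pre-attack>10</pre-attack><post-attack>20</post-attack></packet-log>
    </notification></then></rule>
    <rule><name>2</name><then><notification><log-attacks/></notification></then></rule>
  </rulebase-ips></idp-policy>
</idp></security></configuration>"""
SENSOR = """<sensor-configuration><packet-log>
  <source-address>192.0.2.1</source-address>
  <host><ipaddr>192.0.2.50</ipaddr><port>514</port></host>
</packet-log></sensor-configuration>"""
SAMPLE_GOOD = SAMPLE_BAD.replace("</idp></security>", SENSOR + "</idp></security>")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def find_path(node, *names):
    """Follow a chain of child element names, ignoring namespaces."""
    for name in names:
        node = next((c for c in node if local(c.tag) == name), None)
        if node is None:
            return None
    return node

def check_packet_log(config_xml):
    """Return (rules using packet-log, missing sensor-configuration statements)."""
    idp = find_path(ET.fromstring(config_xml), "security", "idp")
    if idp is None:
        return [], []
    rules = []
    for policy in (c for c in idp if local(c.tag) == "idp-policy"):
        pname = find_path(policy, "name").text
        rb = find_path(policy, "rulebase-ips")
        for rule in (r for r in (rb if rb is not None else []) if local(r.tag) == "rule"):
            # Rules being deleted (operation="delete") cannot trigger the constraint.
            if (rule.get("operation") != "delete"
                    and find_path(rule, "then", "notification", "packet-log") is not None):
                rules.append((pname, find_path(rule, "name").text))
    sensor = find_path(idp, "sensor-configuration", "packet-log")
    missing = [s for s in ("source-address", "host")
               if sensor is None or find_path(sensor, s) is None]
    return rules, (missing if rules else [])
```

A non-empty second element means the commit would hit the constraint check shown in the error output.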
