
[Junos Space] Signature management using Security Director


Article ID: KB27825    KB Last Updated: 21 Mar 2019    Version: 2.0
Summary:

This article explains how an attack signature/detector engine update is performed on SRX devices using Security Director.

Symptoms:

How are attack signature updates managed in Security Director?

Solution:

A signature update in Security Director (SD) is carried out in two phases:

  1. Downloading a signature database to Security Director (SD)

  2. Installing the signature database on the security devices (SRX)

Download a signature database to Security Director

  1. Navigate to Security Director > Administration > Signature Database. Choose the most recent signature database listed under 'Latest list of Signatures' and select Download (Delta/Full) in the Action column to download the signature database to SD.

  2. A download confirmation window will pop up. Click 'Yes' and a job will be triggered.

  3. Click 'Update Summary' to view the details of the signatures in that specific signature database.

    Please refer to Figure A below:

  4. View/Modify download settings (Security Director > Administration > Signature Database > Signature Download Settings)

    • By default, signature updates are downloaded from the configured URL https://signatures.juniper.net
    • SD allows a proxy server to be configured for the download
    • SD allows automatic SigDB updates to be scheduled from the settings shown below in Figure B:

    Alternatively, a signature DB download can be performed using the offline procedure described in KB27038 - [Junos Space] Offline IDP (IPS) Signature update procedure.

  5. Signature Parsing - Once the signature updates are downloaded (either offline or online), two jobs are run within Security Director: one parses the signatures, which takes a significant amount of memory, and the other cleans up after parsing. The Install option is not available until both jobs have completed. You can view the latest IPS signature parse and cleanup jobs under SD > Monitor > Job Management shortly after the signature download.


Install the signature database to security devices (SRX)

Once a DB has been downloaded to Security Director, it is listed under Active Database on Space (shown in red in Figure A). Choose the active database and click "Install on device" in the Action column.
This opens the Install window shown in Figure C, which lists all devices that have an IPS license and/or an App license. It also shows the version of the IPS and Application signature database currently on each device.

To check the version of the attack DB installed on a device, look at the two columns IPS License and App License, which show the IPS attack DB and Application signature DB installed on each device.


NOTES:
  1. During signature DB installation, the signature database on the device is replaced with the newly downloaded one only if the installed version and the downloaded version differ.
  2. If an IPS policy is already configured and running, the policy is recompiled against the new attack database and pushed to the data plane.

Special Case:

Updating the Signature package in a SRX cluster

If a cluster is managed from Security Director (SD), both nodes in the SRX cluster need connectivity to SD to successfully download and install the IPS signature database. If the secondary node cannot reach SD via fxp0 and the backup-router configuration, the attack database will not be updated on the secondary node. Make sure the secondary node has connectivity to SD via the backup-router configuration.

Refer to KB15580 - [SRX] 'backup-router' command configuration on Chassis Cluster.

This differs from what is observed when the signature update is downloaded and installed from the security device CLI (SRX), where the signature DB is automatically synchronized between the cluster nodes from Junos OS 12.1 onwards.
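Because a secondary node that cannot reach SD silently keeps the old attack database, it is worth verifying both nodes after an install. The following added example (not part of this article or of Security Director) parses the per-node output of the Junos command `show security idp security-package-version` and reports any node whose attack DB version lags the newest in the cluster; the sample output below is constructed, modelled on that command's format, with node1 deliberately left on an older version to show the failure mode described above.

```python
import re

# Constructed sample output, modelled on `show security idp security-package-version`
# run on an SRX chassis cluster. node1 is deliberately older, as happens when the
# secondary node cannot reach Security Director via fxp0/backup-router.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
  Attack database version:3300(Thu Mar 21 10:00:00 2019 UTC)
  Detector version :12.6.130190312
  Policy template version :N/A
node1:
--------------------------------------------------------------------------
  Attack database version:3285(Tue Feb 19 09:00:00 2019 UTC)
  Detector version :12.6.130190105
  Policy template version :N/A
"""

NODE_RE = re.compile(r"^(node\d+):", re.M)
ATTACK_RE = re.compile(r"Attack database version:\s*(\d+)")
DETECTOR_RE = re.compile(r"Detector version\s*:\s*(\S+)")


def parse_package_versions(output):
    """Return {node: {'attack_db': int, 'detector': str}} from cluster CLI output."""
    versions = {}
    headers = list(NODE_RE.finditer(output))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(output)
        section = output[m.end():end]
        attack = ATTACK_RE.search(section)
        detector = DETECTOR_RE.search(section)
        if attack and detector:
            versions[m.group(1)] = {"attack_db": int(attack.group(1)),
                                    "detector": detector.group(1)}
    return versions


def find_stale_nodes(versions, expected_attack_db=None):
    """Nodes whose attack DB differs from the expected (or the cluster's newest) version."""
    if not versions:
        return []
    target = expected_attack_db or max(v["attack_db"] for v in versions.values())
    return sorted(n for n, v in versions.items() if v["attack_db"] != target)


if __name__ == "__main__":
    parsed = parse_package_versions(SAMPLE_OUTPUT)
    for node in find_stale_nodes(parsed):
        print(f"{node}: attack DB {parsed[node]['attack_db']} is behind; "
              "check backup-router reachability to SD and re-run the install")
```

Pass the version shown under IPS License in Security Director as `expected_attack_db` to check the cluster against what SD believes it installed rather than against the newer node.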

Modification History:

2019-03-21: Updated screenshots and navigation path.
