[SRX] How to update IDP Signature Database off-line

  [KB32399]


Summary:

This article provides the steps to download and install the IDP Signature Database when the SRX/vSRX does not have an Internet connection. This approach avoids the need to download each file manually. Instead, a single compressed file is downloaded and copied to the SRX/vSRX.

Symptoms:
  • Offline IDP update without a direct Internet connection

Solution:

Important:  


Instructions:

  1. Configure the SRX device with the following configuration:
    set security idp traceoptions file idpd
    set security idp traceoptions file size 20m
    set security idp traceoptions flag all
    set security idp traceoptions level all
    commit
  2. After committing the above configuration, run the following CLI command:
    >request security idp security-package download full-update
     
    This command causes the correct download URL to be constructed and written to the idpd file. Because the SRX does not have an Internet connection, the command reports a failure status in the CLI, which is expected.
  3. After step 2, get the URL of the security package in the /var/log/idpd file:
    Sample URL from the "/var/log/idpd" log:
    Jul 19 05:58:37 [idp_secpack_download_handler]: URL sent to get the SecPackage is:
     
    https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007&release=40.5

    The above is a sample URL. To get the correct URL for your device, run the following:

    >show log idpd | match SecPackage
  4. Copy the above URL and change the "type" parameter value to "offline" as shown below:
    https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=offline&sn=AB3309AA0007&release=40.5
  5. Open the URL in a browser (IE/Firefox/Chrome). It will download the 'offline-update.tar.gz' file.
  6. Upload the 'offline-update.tar.gz' file to the SRX device.
    For example, using SCP: scp offline-update.tar.gz root@device_name:/var/tmp
    Customers can use WinSCP (or similar software) to copy the file from a Windows desktop to the SRX.
  7. Before following the offline update method in a cluster, delete the files in /var/db/idpd/sec-download/ on node 1.
  8. Unzip the downloaded offline sigpack to the target folders.
  9. Use the following command to unzip the offline sigpack file that was already copied to the device:
    CLI> request security idp security-package offline-download package-path /var/tmp/offline-update.tar.gz

    Check the downloaded status:

    CLI> request security idp security-package offline-download status
          Sample output:
           root@SRX-5400-r2007> request security idp security-package offline-download status
           --------------------------------------------------------------------------
           Done;Signature package offline download Successful
  10. Once offline-download is completed, all the required files will be copied to the following folders automatically:
    /var/db/idpd/sec-download/
    /var/db/idpd/sec-download/sub-download

    For SRX-Branch devices, if /var/db/idpd/sec-download/sub-download/SignatureUpdate.xml is not present, then copy it manually from /var/db/idpd/sec-download/:
    1. Log in to the shell:  (>start shell)
    2. cp /var/db/idpd/sec-download/SignatureUpdate.xml  /var/db/idpd/sec-download/sub-download/
  11. Install the signature pack:
    Installation of the sigpack is similar to a normal sigpack installation. Run the following command to install the downloaded sigpack:
    CLI> request security idp security-package install

    Check the install status:
    CLI> request security idp security-package install status

    This completes the download and the install procedure of the signature database. To check the currently installed signature database:
    >show security idp security-package-version



To install the policy templates off-line, perform the following steps:

  1. All the required files have already been copied and unzipped by the steps above; the policy templates are installed in the normal way.

    Run the following command to install the policy templates:
    CLI> request security idp security-package install policy-templates
     

    Check the install status:

    cli> request security idp security-package install status
    Done;policy-templates has been successfully updated into internal repository
    (=>/var/db/scripts/commit/templates.xsl)!

     
  2. Check the policy template version using the following command:

    CLI> show security idp security-package-version


For more details on installing template based IDP policies, refer to KB16490 - [J/SRX] How to use predefined policy templates in an IDP policy in SRX and J Series devices


 
Modification History:

2018-01-08: Added notes in the bottom of the solution section regarding Junos versions before and after 12.3x48.
2018-03-16: Added symptom and moved important note to the beginning of solution.
2019-04-13: Included vSRX product.
2019-05-05: Added point 7 i.e.: "Before following the offline update method in cluster please delete the files on node 1 from dir /var/db/idpd/sec-download/"
