This article provides the steps to download and install the IDP Signature Database when the SRX/vSRX device has no Internet connection. This approach avoids having to download each file manually; instead, a single compressed file is downloaded and copied to the SRX/vSRX device.
Offline IDP update without a direct Internet connection
Important:
Instructions:
1. Configure the SRX device with the following configuration:
set security idp traceoptions file idpd
set security idp traceoptions file size 20m
set security idp traceoptions flag all
set security idp traceoptions level all
commit
2. After committing the above configuration, run the following CLI command:
>request security idp security-package download full-update
This command makes idpd construct the correct download URL and write it to the idpd log file. Since the SRX is not expected to have an Internet connection, the command reports a failure status in the CLI; this is expected.
3. After step 2, get the URL of the security package from the /var/log/idpd file.
Sample URL from the "/var/log/idpd" log:
Jul 19 05:58:37 [idp_secpack_download_handler]:
URL sent to get the SecPackage is:
https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007&release=40.5
The above is a sample URL. To get the correct URL for your device, run the following:
>show log idpd | match SecPackage
4. Copy the URL and change the value of the "type" parameter from "update" to "offline", as shown below:
https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=offline&sn=AB3309AA0007&release=40.5
5. Open the URL in a web browser (IE/Firefox/Chrome); it will download the file 'offline-update.tar.gz'.
6. Upload the 'offline-update.tar.gz' file to the SRX device.
For example, using SCP: scp offline-update.tar.gz root@device_name:/var/tmp
Customers can use WinSCP (or similar software) to copy the file from a Windows desktop to the SRX.
7. In a chassis cluster, delete the files in the /var/db/idpd/sec-download/ directory on node 1 before following the offline update method.
8. Use the following command to unpack the offline sigpack file that was copied to the device:
CLI> request security idp security-package offline-download package-path /var/tmp/offline-update.tar.gz
Check the download status:
CLI> request security idp security-package offline-download status
Sample output:
root@SRX-5400-r2007> request security idp security-package offline-download status
--------------------------------------------------------------------------
Done;Signature package offline download Successful
9. Once the offline download is completed, all the required files are copied to the following folders automatically:
/var/db/idpd/sec-download/
/var/db/idpd/sec-download/sub-download
For SRX-Branch devices, if /var/db/idpd/sec-download/sub-download/SignatureUpdate.xml is not present, copy it manually from /var/db/idpd/sec-download/:
- Log in to the shell: (>start shell)
- cp /var/db/idpd/sec-download/SignatureUpdate.xml /var/db/idpd/sec-download/sub-download/
10. Install the signature pack:
Installation of the sigpack is the same as a normal sigpack installation. Run the following command to install the downloaded sigpack:
CLI> request security idp security-package install
Check the install status:
CLI> request security idp security-package install status
This completes the download and install procedure for the signature database. To check the currently installed signature database:
>show security idp security-package-version
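The two manual steps above (reading the SecPackage URL that idpd logged to /var/log/idpd and switching type=update to type=offline) can be done on the workstation with a short script. This is an added example, not part of the KB article or of Juniper's tooling; it assumes the log output has been saved locally, and the sample log line is constructed from the article's example URL.

```python
"""Pull the SecPackage URL out of an idpd log and derive the offline-download URL."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of what `show log idpd | match SecPackage` prints; the
# serial number and versions are the placeholder values from the article.
SAMPLE_IDPD_LOG = """\
Jul 19 05:58:37 [idp_secpack_download_handler]: URL sent to get the SecPackage is: https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007&release=40.5
Jul 19 05:58:38 [idp_secpack_download_handler]: download failed (no Internet route), as expected
"""

# The URL may follow "is:" on the same line or on the next one; \s* covers both.
URL_RE = re.compile(r"SecPackage is:\s*(https://signatures\.juniper\.net/\S+)")


def extract_secpackage_url(log_text: str) -> str:
    """Return the most recent SecPackage URL in the log. Each run of
    `download full-update` logs a fresh line, so the last match is current."""
    matches = URL_RE.findall(log_text)
    if not matches:
        raise ValueError("no SecPackage URL found; run the full-update command first")
    return matches[-1]


def to_offline_url(url: str) -> str:
    """Rewrite type=update to type=offline while keeping every other query
    parameter (device, os, detector, sn, ...) exactly as idpd built it."""
    parts = urlsplit(url)
    if parts.netloc != "signatures.juniper.net":
        raise ValueError(f"unexpected download host: {parts.netloc}")
    # keep_blank_values preserves empty parameters such as adv_dev_info= and from=
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k == "type" for k, _ in params):
        raise ValueError("URL has no 'type' parameter; nothing to rewrite")
    rewritten = [(k, "offline" if k == "type" else v) for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


if __name__ == "__main__":
    # Prints the URL to open in a browser on an Internet-connected workstation.
    print(to_offline_url(extract_secpackage_url(SAMPLE_IDPD_LOG)))
```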
To install the policy templates offline, perform the following steps:
1. All the required files were already copied and unpacked by the steps above, so the templates are installed the normal way. Run the following command to install the policy templates:
CLI> request security idp security-package install policy-templates
2. Check the install status:
CLI> request security idp security-package install status
Sample output:
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
3. Check the policy template version using the following command:
CLI> show security idp security-package-version
For more details on installing template-based IDP policies, refer to KB16490 - [J/SRX] How to use predefined policy templates in an IDP policy in SRX and J Series devices