This article provides the steps to download and install the IDP Signature Database when the SRX/vSRX device does not have an Internet connection. This approach avoids the need for manually downloading each file. Instead, it downloads a single compressed file, which can be copied to the SRX/vSRX device.

 

Offline IDP update without a direct Internet connection

 

---

Important:  

• The instructions in this article apply to Junos OS release 12.3X48 and later. The off-line download command, request security idp security-package offline-download, available in Junos OS 12.3X48 and later is used.

• For Junos versions prior to Junos OS release 12.3X47, refer to TN83 - How to perform offline IDP and Application signature database update in SRX to copy and install the sigpack. However, to download the files, use steps 4, 5 and 6 explained below.

---

Instructions:

1. Configure the SRX device with the following configuration:

set security idp traceoptions file idpd
set security idp traceoptions file size 20m
set security idp traceoptions flag all
set security idp traceoptions level all
commit

2. After committing the above configuration, run the following CLI command:

>request security idp security-package download full-update 

This command is to get the correct download URL constructed in the idpd file. Since the SRX does not expect to have an Internet connection, the command will give a failure status in the CLI, which is expected.

3. After step 2, get the URL of the security package in the /var/log/idpd file:

Sample URL from the "/var/log/idpd" log:

Jul 19 05:58:37 [idp_secpack_download_handler]: URL sent to get the SecPackage is:
 
https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007&release=40.5

The above is a sample URL. To get the correct URL for your device, run the following:

>show log idpd | match SecPackage

4. Copy the above URL and change the "type" parameter value to "offline" as shown below:

https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=offline&sn=AB3309AA0007&release=40.5

5. Browse the URL using IE/Firefox/Chrome:  It will download 'offline-update.tar.gz' file.

6. Upload the 'offline-update.tar.gz' file to the SRX device.

For example using SCP: scp offline-update.tar.gz root@device_name:/var/tmp

Customers can use winscp (or similar software) to copy from windows desktop to SRX.

7. Before following the offline update method in cluster please delete the files on node 1 from dir /var/db/idpd/sec-download/.

8. Use the following command to unzip the offline sigpack file that already copied to the device:

CLI> request security idp security-package offline-download package-path /var/tmp/offline-update.tar.gz

Check the downloaded status:

CLI> request security idp security-package offline-download status

Sample output:

root@SRX-5400-r2007> request security idp security-package offline-download status
--------------------------------------------------------------------------
Done;Signature package offline download Successful

9. Once offline-download is completed, all the required files will be copied to the following folders automatically:

/var/db/idpd/sec-download/
/var/db/idpd/sec-download/sub-download

For SRX-Branch devices, if /var/db/idpd/sec-download/sub-download/SignatureUpdate.xml is not present, then copy it manually from /var/db/idpd/sec-download/:

1. Log in to shell:  (>start shell)

2. cp /var/db/idpd/sec-download/SignatureUpdate.xml  /var/db/idpd/sec-download/sub-download/

10. Install the signature pack:

Installation of the sigpack is similar to a normal sigpack installation. Run the following command to install the downloaded sigpack:

CLI> request security idp security-package install

Check the install status:

CLI> request security idp security-package install status

This completes the download and the install procedure of the signature database. To check the currently installed signature database:

>show security idp security-package-version

To install the policy templates off-line, perform the following steps:

1. All the required files are copied and unzipped using the above steps; they are installed the normal way.

Run the following command to install the policy templates:

CLI> request security idp security-package install policy-templates

Check the install status: cli> request security idp security-package install status

Done;policy-templates has been successfully updated into internal repository

(=>/var/db/scripts/commit/templates.xsl)!

2. Check the policy template version using the following command:

CLI> show security idp security-package-version

For more details on installing template based IDP policies, refer to KB16490 - [J/SRX] How to use predefined policy templates in an IDP policy in SRX and J Series devices

 

• 2020-03-06: Removed a non-needed step that could confusion on expected actions

• 2018-01-08: Added notes in the bottom of the solution section regarding Junos versions before and after 12.3x48.

• 2018-03-16: Added symptom and moved important note to the beginning of solution.

• 2019-04-13: Included vSRX product.

• 2019-05-05: Added point 7 i.e.: "Before following the offline update method in cluster please delete the files on node 1 from dir /var/db/idpd/sec-download/"