[SRX] How to update IDP Signature Database off-line

Article ID: KB32399 KB Last Updated: 06 Mar 2020 Version: 8.0
Summary:

This article provides the steps to download and install the IDP Signature Database when the SRX/vSRX device does not have an Internet connection. This approach avoids the need for manually downloading each file. Instead, it downloads a single compressed file, which can be copied to the SRX/vSRX device.

 

Symptoms:

Offline IDP update without a direct Internet connection

 

Solution:

Important:  


Instructions:

  1. Configure the SRX device with the following configuration:
set security idp traceoptions file idpd
set security idp traceoptions file size 20m
set security idp traceoptions flag all
set security idp traceoptions level all
commit
  2. After committing the above configuration, run the following CLI command:

>request security idp security-package download full-update 

This command makes the device construct the correct download URL and record it in the idpd log file. Because the SRX has no Internet connection, the command reports a failure status in the CLI; this is expected.

  3. After step 2, get the URL of the security package from the /var/log/idpd file:

Sample URL from the "/var/log/idpd" log:

Jul 19 05:58:37 [idp_secpack_download_handler]: URL sent to get the SecPackage is:
 
https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007&release=40.5

The above is a sample URL. To get the correct URL for your device, run the following:

>show log idpd | match SecPackage
  4. Copy the above URL and change the "type" parameter value to "offline" as shown below:

https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1&detector=12.6.140170713&from=&to=latest&type=offline&sn=AB3309AA0007&release=40.5
  5. Open the URL in a browser (IE/Firefox/Chrome). It will download the 'offline-update.tar.gz' file.

  6. Upload the 'offline-update.tar.gz' file to the SRX device.

For example, using SCP: scp offline-update.tar.gz root@device_name:/var/tmp

Customers can use WinSCP (or similar software) to copy the file from a Windows desktop to the SRX.

  7. In a cluster, before following the offline update method, delete the files on node 1 from the directory /var/db/idpd/sec-download/.

  8. Use the following command to unzip the offline sigpack file that was already copied to the device:

CLI> request security idp security-package offline-download package-path /var/tmp/offline-update.tar.gz

Check the downloaded status:

CLI> request security idp security-package offline-download status

Sample output:

root@SRX-5400-r2007> request security idp security-package offline-download status
--------------------------------------------------------------------------
Done;Signature package offline download Successful
  9. Once offline-download is completed, all the required files will be copied to the following folders automatically:

/var/db/idpd/sec-download/
/var/db/idpd/sec-download/sub-download

For SRX-Branch devices, if /var/db/idpd/sec-download/sub-download/SignatureUpdate.xml is not present, then copy it manually from /var/db/idpd/sec-download/:

  1. Log in to shell:  (>start shell)

  2. cp /var/db/idpd/sec-download/SignatureUpdate.xml  /var/db/idpd/sec-download/sub-download/

  10. Install the signature pack:

Installation of the sigpack is similar to a normal sigpack installation. Run the following command to install the downloaded sigpack:

CLI> request security idp security-package install

Check the install status:

CLI> request security idp security-package install status

This completes the download and the install procedure of the signature database. To check the currently installed signature database:

>show security idp security-package-version
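
The URL edit described above (take the SecPackage URL from the idpd log and change "type" to "offline"), written as an added Python example that is not part of the original article. The HTTPS and host check against signatures.juniper.net is an assumption based on the article's sample URL, and the log text is constructed from that same sample:

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the signature server host shown in the article's sample URL.
EXPECTED_HOST = "signatures.juniper.net"
MARKER = "URL sent to get the SecPackage is:"

# Trace text constructed from the sample in the article (not a real device log).
SAMPLE_LOG = (
    "Jul 19 05:58:37 [idp_secpack_download_handler]: " + MARKER + "\n"
    "https://signatures.juniper.net/cgi-bin/index.cgi?device=srx3600"
    "&adv_dev_info=&feature=idp&os=12.3&build=48&dfa=hs&platform_version=12.1"
    "&detector=12.6.140170713&from=&to=latest&type=update&sn=AB3309AA0007"
    "&release=40.5\n"
)


def last_secpackage_url(log_text):
    """Return the URL that follows the most recent SecPackage marker."""
    idx = log_text.rfind(MARKER)
    if idx == -1:
        raise ValueError("no SecPackage URL entry in the log text")
    match = re.search(r"https?://\S+", log_text[idx:])
    if match is None:
        raise ValueError("marker found but no URL follows it")
    return match.group(0)


def to_offline_url(url):
    """Set type=offline, refusing URLs that do not look like the expected one."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != EXPECTED_HOST:
        raise ValueError("unexpected scheme or host: %r" % url)
    # keep_blank_values preserves empty parameters such as adv_dev_info= and from=
    params = parse_qsl(parts.query, keep_blank_values=True)
    if sum(1 for key, _ in params if key == "type") != 1:
        raise ValueError("expected exactly one 'type' parameter")
    params = [(k, "offline" if k == "type" else v) for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    print(to_offline_url(last_secpackage_url(SAMPLE_LOG)))
```

Feed it the saved output of "show log idpd | match SecPackage"; it rejects a URL that is not HTTPS to the expected host before anyone opens it in a browser.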

To install the policy templates off-line, perform the following steps:

  1. All the required files are copied and unzipped using the above steps; they are installed the normal way.

Run the following command to install the policy templates:

CLI> request security idp security-package install policy-templates

Check the install status:

CLI> request security idp security-package install status

Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!

  2. Check the policy template version using the following command:

CLI> show security idp security-package-version

For more details on installing template based IDP policies, refer to KB16490 - [J/SRX] How to use predefined policy templates in an IDP policy in SRX and J Series devices

 

Modification History:
  • 2020-03-06: Removed an unneeded step that could cause confusion about expected actions

  • 2018-01-08: Added notes in the bottom of the solution section regarding Junos versions before and after 12.3x48.

  • 2018-03-16: Added symptom and moved important note to the beginning of solution.

  • 2019-04-13: Included vSRX product.

  • 2019-05-05: Added point 7 i.e.: "Before following the offline update method in cluster please delete the files on node 1 from dir /var/db/idpd/sec-download/"

 
