Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Is the full set of DI signatures available for the NetScreen-5 Series in ScreenOS 5.2 and later?



Article ID: KB3275 KB Last Updated: 07 Jun 2010Version: 6.0
Beginning with ScreenOS 5.2, the DI functionality is limited to "critical" signatures on the Juniper NetScreen-5 Series products.
  • Deep inspection
  • Screen Settings
  • Upgrade from ScreenOS 5.0 or 5.1 to ScreenOS 5.2 and later
  • NetScreen-5XT
  • NetScreen-5GT
Symptoms & Errors:
  •  Memory Allocation Failure
  •  Attack DB failed to load. File is too large to load
  • Upon reboot, a message similar to the following is displayed during boot cycle:
     Initializing DI 1.1.0-ns
     Memory Allocation Failure: Size 17824
     TR Memory Allocation: 004817ec 004817ec 0046c200 00481084 004810c0 00097bb8 0009809c 00094c9c
     000950d0 000ada38 000ae770 000aec60 000c064c 000ac17c 003296e4 0032a160

Download the latest DI signature pack by entering the CLI command, exec attack db update. You will receive a reduced pack containing only critical signatures.

Beginning with ScreenOS 5.2 software,  Juniper introduced a number of new features and enhancements to AV, RADIUS and SYN Flood Protection.  However, in order to accommodate these features for NS-5XT and NS-5GT, Deep Inspection functionality  is limited to '"critical'" signatures only due to the given memory capacity available on the appliances.

Juniper believes this will still allow customers to take advantage of the new ScreenOS features important for basic firewall protection, without losing threat protection against the most prevalent application layer attacks.  Additionally, Juniper will continue to release Deep Inspection signature updates that are critical in nature to NS-5XT and NS-5GT customers with ScreenOS 5.2 and beyond.   
  • For NS-5XT, Only Critical Signature functionality began with ScreenOS 5.2.
  • For NS-5GT, Only Critical Signature functionality  began with ScreenOS 5.3. 
Customers remaining on the earlier version of ScreenOS,  can continue to receive the full DI signature set and associated updates with wider severity levels until product EOL.



Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search