
[SRX] IDP attack update fails when upstream firewall restricts outbound access for IDP updates


Article ID: KB33153 | Last Updated: 07 Nov 2018 | Version: 1.0
Summary:

An Intrusion Detection and Protection (IDP) attack update may fail if an upstream firewall restricts the SRX device's outbound access to the IDP database hosts services.netscreen.com or signatures.juniper.net.


Symptoms:

Consider the topology where a firewall is placed in between the SRX IDP device and the IDP database:

SRX (IDP device) ======= 3rd Party Firewall ======= Internet ==== signatures.juniper.net
                                                                  services.netscreen.com


Cause:

If the upstream firewall is configured to allow the SRX device access only to signatures.juniper.net or services.netscreen.com, the update may fail because the DNS time to live (TTL) values for these names are very short. When the firewall rule was created, the fully qualified domain name (FQDN) may have resolved to the correct IP address. Once the TTL expires and the record is refreshed, however, the name may resolve to a different IP address that the firewall rule no longer permits, and the download of the IDP attack update fails.


Solution:

Juniper Networks has reserved a dedicated FQDN, signatures-old.juniper.net, that maps to a static IP address for the IDP database server. Configure this FQDN as the security-package URL on the SRX device so that the attack update succeeds:

set security idp security-package url https://signatures-old.juniper.net/cgi-bin/index.cgi

In addition, the upstream firewall must permit outbound access from the SRX device to signatures-old.juniper.net.
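To check whether a firewall rule built from a resolved FQDN has gone stale in the way the Cause section describes, the following script compares the addresses a rule permits against what the name resolves to now. It is an added illustration, not Juniper's code or part of this article; the hostnames come from the article, while the allow-list addresses and the rotating fake resolver (which models a short TTL) are constructed.

```python
"""Compare an upstream firewall's static allow-list for an FQDN-based rule
against the addresses that FQDN currently resolves to."""
import socket
from itertools import cycle
from typing import Callable, Iterable

Resolver = Callable[[str], list[str]]


def resolve_live(fqdn: str) -> list[str]:
    """Resolve fqdn with the system resolver and return every A record."""
    _, _, addrs = socket.gethostbyname_ex(fqdn)
    return sorted(addrs)


def make_rotating_resolver(answers: dict[str, list[list[str]]]) -> Resolver:
    """Constructed stand-in for DNS: each call for a name returns the next
    answer in its list, modelling a fresh lookup after a short TTL expires."""
    iters = {name: cycle(rrsets) for name, rrsets in answers.items()}
    return lambda fqdn: sorted(next(iters[fqdn]))


def check_rule(fqdn: str, permitted: Iterable[str],
               resolver: Resolver = resolve_live) -> dict:
    """Compare the IPs a firewall rule was built from with the current DNS
    answer. The IDP update can only succeed if at least one address the
    name resolves to right now is still permitted by the rule."""
    current = set(resolver(fqdn))
    allowed = set(permitted)
    return {
        "fqdn": fqdn,
        "current": sorted(current),
        "stale_permitted": sorted(allowed - current),  # allowed, no longer used
        "blocked_current": sorted(current - allowed),  # used now, not allowed
        "update_reachable": bool(current & allowed),
    }


if __name__ == "__main__":
    # Placeholder allow-list: replace with the addresses your firewall rule holds.
    rule_ips = ["192.0.2.10"]
    for host in ("signatures.juniper.net", "services.netscreen.com",
                 "signatures-old.juniper.net"):
        try:
            print(check_rule(host, rule_ips))
        except socket.gaierror as err:
            print(f"{host}: lookup failed ({err})")
```

Run it periodically from a host behind the same firewall; a result with `update_reachable` False and a non-empty `blocked_current` list is the condition that causes the update failure described above.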

