Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Determining when an IDP policy has finished compiling

0

0
Article ID: KB33447 KB Last Updated: 14 Dec 2018Version: 1.0 Summary:

This article explains how to determine whether an IDP policy on an SRX device has finished compiling, and is now processing traffic.

 

Symptoms:

Compiling an IDP policy can take a while, depending on the processing power of the SRX device and the IDP policy size. Given these factors, customers may be concerned that they do not see the new policy inspecting traffic. 

 

Cause:

If the show security idp status command is issued immediately after changing the IDP policy, the active policy appears to be unchanged. This is because the IDP policy compilation is not complete yet.

 

Solution:

To determine whether the IDP policy has finished compiling, the steps must be performed in the following order:​

  1. Change the policy in the configuration.

  2. Use show|compare to verify the configuration change.

  3. Issue show security idp status to check whether the old policy has loaded before committing. 

root@SRX550# set security idp active-policy Space-IPS-Policy
[edit]
root@SRX550# show | compare
[edit security idp]
-   active-policy Old_Policy;
+   active-policy Space-IPS-Policy;
[edit]
root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 01:50 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237224] [UDP: 8122] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
  Policy Name : Old_Policy
  Running Detector Version : 12.6.160180509

  1. Commit the configuration change:

root@SRX550# commit
commit complete
 

Notice that the Old_Policy is still active:

 
root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 01:51 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237224] [UDP: 8122] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
  Policy Name : Old_Policy
  Running Detector Version : 12.6.160180509
 

When the show security idp policy-commit-status command is executed within a few seconds of changing the policy, you will observe that the policy is still compiling, which is why the policy hasn't changed yet. The SRX device will unload the previous IDP policy only when the new policy is ready.

 
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Space-IPS-Policy.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:11617526 Bytes
 

After the policy loaded successfully message is displayed, if you run the show security idp status command now, you can see that the new policy is shown:

 
root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 02:09 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237236] [UDP: 8141] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
Policy Name : Space-IPS-Policy
  Running Detector Version : 12.6.160180509

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search