
[SRX] Determining when an IDP policy has finished compiling

  [KB33447]


Summary:

This article explains how to determine whether an IDP policy on an SRX device has finished compiling, and is now processing traffic.

 

Symptoms:

Compiling an IDP policy can take a while, depending on the processing power of the SRX device and the IDP policy size. Given these factors, customers may be concerned that they do not see the new policy inspecting traffic. 

 

Cause:

If the show security idp status command is issued immediately after changing the IDP policy, the active policy appears to be unchanged. This is because the IDP policy compilation is not complete yet.

 

Solution:

To determine whether the IDP policy has finished compiling, perform the steps in the following order:

  1. Change the active policy in the configuration.
  2. Use show | compare to verify the configuration change.
  3. Issue show security idp status to confirm that the old policy is still the one loaded before committing.

root@SRX550# set security idp active-policy Space-IPS-Policy
[edit]
root@SRX550# show | compare
[edit security idp]
-   active-policy Old_Policy;
+   active-policy Space-IPS-Policy;
[edit]
root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 01:50 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237224] [UDP: 8122] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
  Policy Name : Old_Policy
  Running Detector Version : 12.6.160180509

  4. Commit the configuration change:

root@SRX550# commit
commit complete

Immediately after the commit, Old_Policy is still the active policy:

root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 01:51 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237224] [UDP: 8122] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
  Policy Name : Old_Policy
  Running Detector Version : 12.6.160180509

If show security idp policy-commit-status is run within a few seconds of the commit, it reports that the new policy is still being compiled, which is why the active policy has not changed yet. The SRX device unloads the previous IDP policy only when the new policy is ready, so the old policy remains active until then. Repeat the command until the "loaded successfully" message appears:

[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
Reading prereq sensor config...
[edit]
root@SRX550# run show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Space-IPS-Policy.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:11617526 Bytes

Once the "loaded successfully" message is displayed, show security idp status shows the new policy as active:

root@SRX550# run show security idp status
State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 02:09 ago)
Packets/second: 0               Peak: 6990 @ 2018-11-25 03:12:36 UTC
KBits/second  : 0               Peak: 2931 @ 2018-11-25 03:12:36 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 237236] [UDP: 8141] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
  TCP: [Current: 2] [Max: 58 @ 2018-11-27 04:33:29 UTC]
  UDP: [Current: 0] [Max: 62 @ 2018-11-23 04:32:13 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-11-16 23:08:50 UTC]
Session Statistics:
[ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0]
  Policy Name : Space-IPS-Policy
  Running Detector Version : 12.6.160180509
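The procedure above is easy to get wrong by hand: a single show security idp status run too early shows the old policy and looks like a failed change. The following script is an added example (not part of this KB article or of Junos) that automates the post-commit check: it polls show security idp policy-commit-status until the "loaded successfully" line names the expected policy, then confirms with show security idp status that the policy is actually active. It assumes a run_cmd callable that sends an operational command and returns its text output (for example a wrapper around PyEZ Device.cli or an SSH session); the FakeSRX class and the sample outputs are constructed from the transcript above so the example runs offline.

```python
import re
import time
from typing import Callable, Optional

# Constructed sample CLI output, modelled on the transcript in this article.
# These stand in for what a real device session would return.
COMPILING_OUTPUT = "Reading prereq sensor config...\n"
LOADED_OUTPUT = (
    "IDP policy[/var/db/idpd/bins/Space-IPS-Policy.bin.gz.v] and "
    "detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] "
    "loaded successfully.\n"
    "The loaded policy size is:11617526 Bytes\n"
)
STATUS_OLD = (
    "State of IDP: Default,  Up since: 2018-11-16 22:44:39 UTC (1w4d 01:51 ago)\n"
    "  Policy Name : Old_Policy\n"
    "  Running Detector Version : 12.6.160180509\n"
)
STATUS_NEW = STATUS_OLD.replace("Old_Policy", "Space-IPS-Policy")

COMMIT_STATUS_CMD = "show security idp policy-commit-status"
STATUS_CMD = "show security idp status"


def active_policy(status_output: str) -> Optional[str]:
    """Return the 'Policy Name' reported by `show security idp status`, or None."""
    m = re.search(r"^\s*Policy Name\s*:\s*(\S+)", status_output, re.MULTILINE)
    return m.group(1) if m else None


def loaded_policy(commit_status_output: str) -> Optional[str]:
    """Return the policy name from a 'loaded successfully' line, or None while compiling.

    The loaded line names the compiled binary, e.g.
    /var/db/idpd/bins/Space-IPS-Policy.bin.gz.v; the policy name is its basename
    without the .bin.gz.v suffix.
    """
    m = re.search(r"IDP policy\[([^\]]+)\].*loaded successfully", commit_status_output)
    if not m:
        return None
    name = m.group(1).rsplit("/", 1)[-1]
    suffix = ".bin.gz.v"
    return name[: -len(suffix)] if name.endswith(suffix) else name


def wait_for_policy(
    expected: str,
    run_cmd: Callable[[str], str],
    attempts: int = 60,
    interval: float = 5.0,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Poll after `commit` until `expected` is loaded and confirmed active.

    `run_cmd` is any callable that sends an operational command and returns its
    text output (assumed here; the article does not provide one). Returns False
    if the policy has not loaded within roughly attempts * interval seconds.
    """
    for _ in range(attempts):
        if loaded_policy(run_cmd(COMMIT_STATUS_CMD)) == expected:
            # The commit-status line says the file loaded; the status command
            # says which policy is actually active. Check both.
            return active_policy(run_cmd(STATUS_CMD)) == expected
        sleep(interval)
    return False


class FakeSRX:
    """Constructed stand-in for a device session: reports 'compiling' for
    `compile_polls` polls, then 'loaded', switching the active policy at the
    same moment, as the article's transcript shows."""

    def __init__(self, compile_polls: int) -> None:
        self.compile_polls = compile_polls
        self.polls = 0

    def cli(self, command: str) -> str:
        if command == COMMIT_STATUS_CMD:
            self.polls += 1
            return LOADED_OUTPUT if self.polls > self.compile_polls else COMPILING_OUTPUT
        if command == STATUS_CMD:
            return STATUS_NEW if self.polls > self.compile_polls else STATUS_OLD
        raise ValueError(f"unexpected command: {command}")


def simulate_commit(compile_polls: int = 5, attempts: int = 60) -> bool:
    """Run the wait loop against FakeSRX without real sleeping."""
    dev = FakeSRX(compile_polls)
    return wait_for_policy("Space-IPS-Policy", dev.cli, attempts=attempts, sleep=lambda _: None)


if __name__ == "__main__":
    print("new policy active:", simulate_commit())
```

On a real device, replace FakeSRX.cli with a function that runs the two operational commands and pass the policy name you committed; a False return after the timeout means the policy still has not loaded and the old one is still inspecting traffic, which is the situation this article describes.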
