Each SRX model has a different IDP Detector version. If an incorrect Detector is installed (for example, through an offline update that uses the download link for a different model), IDP policy-related issues will be seen.
Every SRX device is pre-loaded with the correct Detector version. If the device is updated with a Detector version for a different model, the policy update will fail with the following errors in IDP traceoptions:
Jun 19 12:11:34 sc_policy_unpack_tgz: invalid detector version
Jun 19 12:11:34 idpd_policy_load: sc_detector_unpack failed
Jun 19 12:11:34 idpd_policy_load: deleting temp tar dir(rm -fr /var/db/idpd/bins//4b4dad52)
Jun 19 12:11:34 IDP policy loading failed policy :[/var/db/idpd/bins//Client-Protection.bin.gz.v];detector:/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v;reason:[detector unpack failed]
Take note of the correct Detector version for various models:
12.6.140xxxxx - Detector for High End devices
12.6.160xxxxx - Detector for Branch Devices
12.6.130xx - Detector for vSRX, SRX4k, SRX1500
Use the following command to check the Detector version installed on the device:
show security idp security-package-version
Attack database version:N/A(N/A)
Detector version :12.6.160121210
Policy template version :N/A
In this scenario, we did an offline signature update using KB32399 - How to update IDP Signature Database off-line. However, the download link in the IDP traces was also created with an incorrect Detector version. A fresh full IDP update is needed. The download link can then be generated from another working device of the same model.
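The check described above can be scripted when auditing several devices. The following Python is an added example, not Juniper code: it parses the command output, maps the Detector version prefix to a platform family using the table above, and flags the failure strings from the trace excerpt. The family labels and function names are assumptions made for this example, and the expected family must be supplied by the operator.

```python
import re

# Version prefixes from the table above; family labels are names assumed for this example.
DETECTOR_PREFIXES = {"12.6.140": "high-end", "12.6.160": "branch",
                     "12.6.130": "vsrx-srx4k-srx1500"}
# Failure strings taken from the IDP traceoptions excerpt above.
FAILURE_MARKERS = ("invalid detector version", "sc_detector_unpack failed",
                   "detector unpack failed")
DETECTOR_RE = re.compile(r"Detector version\s*:\s*(\d+\.\d+\.\d+)")

# Sample inputs copied from the command output and trace lines shown above.
SAMPLE_CLI = """Attack database version:N/A(N/A)
Detector version :12.6.160121210
Policy template version :N/A"""
SAMPLE_TRACE = [
    "Jun 19 12:11:34 sc_policy_unpack_tgz: invalid detector version",
    "Jun 19 12:11:34 idpd_policy_load: sc_detector_unpack failed",
    "Jun 19 12:11:34 idpd_policy_load: deleting temp tar dir(rm -fr /var/db/idpd/bins//4b4dad52)",
]


def detector_version(cli_output):
    """Extract the Detector version from 'show security idp security-package-version' output."""
    match = DETECTOR_RE.search(cli_output)
    return match.group(1) if match else None


def detector_family(version):
    """Map a Detector version to its platform family, or None if the prefix is unknown."""
    for prefix, family in DETECTOR_PREFIXES.items():
        if version and version.startswith(prefix):
            return family
    return None


def check_device(cli_output, expected_family, trace_lines=()):
    """Return a list of findings; an empty list means no mismatch was detected."""
    findings = []
    version = detector_version(cli_output)
    family = detector_family(version)
    if version is None:
        findings.append("no Detector version found in CLI output")
    elif family != expected_family:
        findings.append(f"Detector {version} is for {family or 'unknown'}, expected {expected_family}")
    # Report every trace line that carries one of the known unpack-failure strings.
    findings += [f"trace: {line.strip()}" for line in trace_lines
                 if any(marker in line for marker in FAILURE_MARKERS)]
    return findings
```

Calling `check_device(SAMPLE_CLI, "branch")` returns an empty list, while passing `"high-end"` with `SAMPLE_TRACE` reports the version mismatch and the two unpack-failure trace lines.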