Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] IDP Detector version format for different SRX models

0

0

Article ID: KB33495 KB Last Updated: 14 Dec 2018Version: 2.0
Summary:

Each SRX model has a different IDP Detector version so that in case a incorrect detector is installed (e.g. offline update; using download link for a different model), IDP policy related issues would be seen.

Symptoms:

Every SRX device is pre-loaded with the correct Detector version. If the device is updated with a Detector version for a different model, the policy update will fail with the following errors in IDP traceoptions:

Jun 19 12:11:34 sc_policy_unpack_tgz: invalid detector version
Jun 19 12:11:34 idpd_policy_load: sc_detector_unpack failed
Jun 19 12:11:34 idpd_policy_load: deleting temp tar dir(rm -fr /var/db/idpd/bins//4b4dad52)
Jun 19 12:11:34 IDP policy loading failed policy :[/var/db/idpd/bins//Client-Protection.bin.gz.v];detector:/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v;reason:[detector unpack failed]

 

Solution:
  1. Take note of the correct Detector version for various models:

    12.6.140xxxxx -  Detector for High End device
    12.6.160xxxxx -  Detector for Branch Devices
    12.6.130xx -  Detector for vSRX, SRX4k, SRX1500
  2. Use the following command to check the Detector version installed on the device:

    show security idp security-package-version
    Attack database version:N/A(N/A)
    Detector version :12.6.160121210
    Policy template version :N/A


In this scenario, we did an off-line signature update using KB32399 - How to update IDP Signature Database off-line. However, the download link in IDP traces was also created with an incorrect Detector version. A fresh IDP full update would be needed. Then the download link can be generated from another working device of the same model.

Modification History:
2018-12-14:  Removed Detector version reference for vSRX3
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search