This article explains what happens when an IDP license expires on SRX devices and whether attacks continue to be inspected after the license expires.
If an IDP license expires on an SRX device, attacks continue to be inspected, but installation of IDP updates is not allowed.
In the following example, a customer tries to install IDP updates with an expired license. The update can be downloaded but not installed. The device continues to process IDP traffic, and attacks continue to be inspected, with hits populating the attack table.
Expired IDP License
root@SRX550> show system license
License usage:
                       Licenses  Licenses  Licenses  Expiry
  Feature name             used installed    needed
  idp-sig                     1         0         1  invalid
  dynamic-vpn                 0       500         0  permanent
  ax411-wlan-ap               0         2         0  permanent
  appid-sig                   0         1         0  2018-12-30 00:00:00 UTC
Baseline IDP Version
root@SRX550> show security idp security-package-version
Attack database version:3114(Thu Nov 1 15:16:24 2018 UTC)
Detector version :12.6.160180509
Policy template version :N/A
IDP Update Download
root@SRX550> request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI
root@SRX550>
root@SRX550> request security idp security-package download status
In progress: Downloading ...
root@SRX550>
root@SRX550> request security idp security-package download status
In progress:applications.xsd 100 % 11885 Bytes/ 11885 Bytes
root@SRX550>
root@SRX550> request security idp security-package download status
In progress:libidp-detector.so.tgz.v 100 % 1536669 Bytes/ 1536669 Bytes
root@SRX550>
root@SRX550> request security idp security-package download status
In progress:libidp-detector.so.tgz.v 100 % 1536669 Bytes/ 1536669 Bytes
root@SRX550>
root@SRX550> request security idp security-package download status
In progress:groups.xml.gz 100 % 256233 Bytes/ 256233 Bytes
root@SRX550>
root@SRX550> request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3124(Tue Dec 11 12:18:40 2018 UTC, Detector=12.6.160180509)
Install Attempt After Download with Expired IDP License
root@SRX550> request security idp security-package download status install
error: Security Package installation disabled temporarily due to invalid license.
Traffic Flow Verification Through the Device
root@SRX550> show security idp status
State of IDP: Default, Up since: 2018-12-12 22:23:12 UTC (00:16:49 ago)
Packets/second: 1711 Peak: 1778 @ 2018-12-12 22:39:37 UTC
KBits/second : 3874 Peak: 4032 @ 2018-12-12 22:39:37 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
IDP Attack Table Incrementing Post License Expiry
root@SRX550> show security idp status attack table
IDP attack statistics:
Attack name #Hits
SSL:AUDIT:TLS-V12-TRAFFIC 2
It is a best practice to always have the latest IDP attack signatures.
If, however, there is some issue with the license, contact Support with a non-technical case or contact your account team.