
[SRX] Application firewall failure after upgrading Junos OS


Article ID: KB34685 KB Last Updated: 04 Jul 2019 Version: 1.0
Summary:

Users may find that when Junos OS is upgraded to a new release on SRX devices that have old IDP signatures, the application firewall stops behaving as expected.

This article gives the reason for such behavior and recommends a solution.

 

Symptoms:

For example, after upgrading Junos OS 15.1X49-D130 to Junos OS 15.1X49-D170 or later on SRX devices that had Attack Database version 3116 and detector version 12.6-130, multiple protocols, including DNS, were not properly identified, which in turn prevented the application firewall from behaving as expected.

Rule-set: Allow_Email
    Logical system: root-logical-system
    Rule: DNS
        Dynamic Applications: junos:DNS
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0 <<<<<<<< DNS traffic not matching
        Number of sessions redirected: 0
    Rule: SMTP
        Dynamic Applications: junos:SMTP
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0 <<<<<<<< SMTP traffic not matching
        Number of sessions redirected: 0
Default rule:deny
        Number of sessions matched: 105591
        Number of sessions redirected: 0
Number of sessions with appid pending: 0
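
A check for this symptom, as an added example (not Juniper's code and not part of the original article): it parses rule-set statistics in the format shown above and flags rule-sets where every named rule has zero matches while the default rule absorbs the traffic. The function names, the `min_default_hits` threshold and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the output format shown above.
SAMPLE = """\
Rule-set: Allow_Email
    Logical system: root-logical-system
    Rule: DNS
        Dynamic Applications: junos:DNS
        Action:permit
        Number of sessions matched: 0
        Number of sessions redirected: 0
    Rule: SMTP
        Dynamic Applications: junos:SMTP
        Action:permit
        Number of sessions matched: 0
        Number of sessions redirected: 0
Default rule:deny
        Number of sessions matched: 105591
        Number of sessions redirected: 0
"""

def parse_rule_sets(text):
    """Return {rule_set: {"rules": {name: matched}, "default": (action, matched)}}."""
    sets, current, target = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Rule-set:\s*(\S+)", line):
            current = sets.setdefault(m[1], {"rules": {}, "default": None})
        elif m := re.match(r"(Rule|Default rule):\s*(\S+)", line):
            target = (m[1], m[2])  # counters that follow belong to this rule
        elif (m := re.match(r"Number of sessions matched:\s*(\d+)", line)) and current and target:
            if target[0] == "Rule":
                current["rules"][target[1]] = int(m[1])
            else:
                current["default"] = (target[1], int(m[1]))
            target = None
    return sets

# min_default_hits is an assumed threshold; tune it to the device's traffic volume.
def suspect_rule_sets(sets, min_default_hits=1000):
    """Flag rule-sets where every named rule has 0 matches but the default rule is busy."""
    flagged = {}
    for name, rs in sets.items():
        rules, default = rs["rules"], rs["default"]
        if rules and default and not any(rules.values()) and default[1] >= min_default_hits:
            flagged[name] = {"zero_match_rules": sorted(rules), "default": default}
    return flagged

if __name__ == "__main__":
    print(suspect_rule_sets(parse_rule_sets(SAMPLE)))
```

Zero matches can also mean the traffic is simply absent, so a flagged rule-set is a prompt to compare the installed signature package with the running Junos OS release.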

 

Cause:

IDP signature updates provide the information that the application firewall needs to function. If Junos OS is upgraded to a version that was not available when the signatures currently in use on your device were created, Junos OS may not handle traffic as expected.

 

Solution:

To resolve such behavior, update the IDP signatures and attack database to the newer version. Refer to the instructions in the following for help with this process:

 
