
[SRX] Application firewall failure after upgrading Junos OS

[KB34685]


Summary:

After Junos OS is upgraded to a new release on an SRX device that still carries old IDP signatures, the application firewall (AppFW) may stop behaving as expected.

This article gives the reason for such behavior and recommends a solution.

 

Symptoms:

For example, after upgrading Junos OS 15.1X49-D130 to Junos OS 15.1X49-D170 or later on SRX devices that had Attack Database version 3116 and detector version 12.6-130, multiple protocols, including DNS, were not properly identified, which in turn prevented the application firewall from behaving as expected.

Rule-set: Allow_Email
    Logical system: root-logical-system
    Rule: DNS
        Dynamic Applications: junos:DNS
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0 <<<<<<<< DNS traffic not matching
        Number of sessions redirected: 0
    Rule: SMTP
        Dynamic Applications: junos:SMTP
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0 <<<<<<<< SMTP traffic not matching
        Number of sessions redirected: 0
Default rule:deny
        Number of sessions matched: 105591
        Number of sessions redirected: 0
Number of sessions with appid pending: 0
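The counters above make the symptom easy to spot by eye; the following Python check, added here as an illustration and not part of the article or any Juniper tooling, parses the same rule-set output and flags rules that never match while the default rule absorbs the traffic. The sample text is the article's output with the arrow markers removed, and the 1000-session threshold is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the "show security application-firewall rule-set"
# output quoted in the article, with the "<<<<" annotations removed.
SAMPLE_OUTPUT = """\
Rule-set: Allow_Email
    Logical system: root-logical-system
    Rule: DNS
        Dynamic Applications: junos:DNS
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0
        Number of sessions redirected: 0
    Rule: SMTP
        Dynamic Applications: junos:SMTP
        SSL-Encryption: any
        Action:permit
        Number of sessions matched: 0
        Number of sessions redirected: 0
Default rule:deny
        Number of sessions matched: 105591
        Number of sessions redirected: 0
Number of sessions with appid pending: 0
"""


def parse_rule_set(text: str) -> Dict[str, int]:
    """Return {rule name: sessions matched}; the default rule is keyed 'default'."""
    counts: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        rule = re.match(r"Rule:\s*(\S+)", line)      # "Rule-set:" does not match
        if rule:
            current = rule.group(1)
            continue
        if line.startswith("Default rule:"):
            current = "default"
            continue
        matched = re.match(r"Number of sessions matched:\s*(\d+)", line)
        if matched and current is not None:
            counts[current] = int(matched.group(1))
            current = None  # the next counter lines belong to no rule
    return counts


def unmatched_rules(counts: Dict[str, int], min_default: int = 1000) -> List[str]:
    """Rules with zero matches while the default rule sees heavy traffic (assumed threshold)."""
    if counts.get("default", 0) < min_default:
        return []
    return sorted(n for n, hits in counts.items() if n != "default" and hits == 0)
```

A non-empty result after an upgrade, with "appid pending" at zero, points to applications going unidentified rather than still being classified, which is the signature-mismatch case this article describes.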

 

Cause:

IDP signature updates supply the application-identification data that the application firewall depends on. If Junos OS is upgraded to a release that did not exist when the signatures currently installed on the device were built, the new release may fail to identify applications and therefore not handle traffic as expected.

 

Solution:

To resolve this behavior, update the IDP signature package (attack database and detector) to the newer version. Refer to the instructions in the following for help with this process:

 

Related Links: