
[EOL/EOE] [NSM] Example: How to enable automatic attack updates from NSM CLI


Article ID: KB7863 KB Last Updated: 18 Oct 2020 Version: 6.0
Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.


This article explains how to enable automatic attack updates from the command-line interface (CLI) of the NSM device.

Symptoms:

Users wish to schedule automatic attack updates from the command-line interface of the NSM device.

Solution:

Automatic attack updates can be scheduled to run at a designated interval using the UNIX cron scheduler daemon. NSM provides a command-line interface script to automate attack updates and generate reports.

For the full usage syntax, run the following on the GuiSvr:

#  /usr/netscreen/GuiSvr/utils/guiSvrCli.sh --help

To automatically download attack updates and update the affected devices, create the script /usr/local/bin/NSMAttackUpdate as follows:

#!/bin/sh
NSMUSER=global/super
NSMPASSWD=netscreen

export NSMUSER
export NSMPASSWD

/usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip

For security reasons, it might be advisable to create a non-super NSM user account that has the privileges required to update the attack objects and the affected devices, and to edit the script accordingly.

The guiSvrCli.sh command in the script above directs the system to update its attack database by connecting to and downloading the latest attack database, if newer than the current one. It will then attempt to update affected devices, although devices having other changes pending will be skipped so as to avoid accidentally pushing unexpected changes. If the device is not connected to the system, it will skip updating the device.

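Save the file, and run chmod 700 /usr/local/bin/NSMAttackUpdate so that only root, as the file's owner, can read, modify, or execute it. This matters because the script contains the NSM password in clear text.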

Run the NSMAttackUpdate script to verify that it works correctly before proceeding with using the cron daemon below.

To enable the attack updates for Junos OS devices, add the --dmi flag after --update-attacks, as seen in the help.

For example, modify the line in the /usr/local/bin/NSMAttackUpdate script to look like the following: 

/usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --dmi --post-action --update-devices --skip

To schedule the attack updates using cron, copy or move the script to /etc/cron.daily and reload the configuration using:

# /etc/init.d/crond reload

Verify that crond is running by using ps -ef | grep crond. If it is not running, execute the following commands:

# chkconfig crond on
# /etc/init.d/crond start

For more information regarding cron, please consult the crond man page.
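
The following is an added example, not part of the original article or Juniper's code. It audits the wrapper script before it is left in /etc/cron.daily, checking the file mode set by chmod 700, the file owner, and whether the script still uses the global/super account or the sample password shown above. The function name audit_nsm_script is hypothetical, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not Juniper code. audit_nsm_script is a hypothetical helper.
# Assumes GNU stat (Linux). Audits a wrapper such as
# /usr/local/bin/NSMAttackUpdate, which embeds NSM credentials.
#
# Usage:   audit_nsm_script FILE [EXPECTED_OWNER_UID]   (UID defaults to 0, root)
# Returns: 0 = no findings, 1 = at least one finding, 2 = file not readable
audit_nsm_script() {
    file=$1
    want_uid=${2:-0}
    findings=0

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi

    # The script holds NSMPASSWD in clear text: group and other get no bits.
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access (article sets 700)"
        findings=1
    fi

    # Scripts in /etc/cron.daily run as root, so only root should own the file.
    uid=$(stat -c '%u' "$file")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"
        findings=1
    fi

    # The article advises a dedicated non-super NSM account.
    if grep -Eq '^[[:space:]]*NSMUSER=.?global/super([^[:alnum:]_]|$)' "$file"; then
        echo "WARN: NSMUSER is global/super; use a least-privilege NSM account"
        findings=1
    fi

    # The article's sample password must not survive into production.
    if grep -Eq '^[[:space:]]*NSMPASSWD=.?netscreen([^[:alnum:]_]|$)' "$file"; then
        echo "WARN: NSMPASSWD is still the article's sample value"
        findings=1
    fi

    return $findings
}
```

Source the file as root and call audit_nsm_script /etc/cron.daily/NSMAttackUpdate; a non-zero return means the script should be corrected before cron runs it.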

Modification History:
2020-10-18: Tagged article for EOL/EOE.
 