
[EOL/EOE] [ScreenOS/NSM/IDP] A NSM warning is generated when a policy is updated on ISG-IDP and stand-alone IDP devices


Article ID: KB9290 | KB Last Updated: 18 Oct 2020 | Version: 7.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article describes the warning message "Reason code (6) - This attack is not supported by the current detector on the device. A detector update may be required", which NSM generates when a policy is updated on ISG-IDP and stand-alone IDP devices.
Symptoms:
When a policy is pushed to the device, NSM displays a warning that specific attacks/groups cannot be updated to the device.
Cause:
This issue occurs because no IDP or ISG-IDP detector supports all of the attack objects.
Solution:

When a policy is pushed from NSM to an ISG with IDP modules or to a stand-alone IDP device, NSM issues a warning, which states that some attacks/groups cannot be updated to the device. The policy is successfully updated to the device, but the warning message is misleading. The warning message is similar to the following:

 

The following attacks/groups can not be updated (see "Reason Code" column below):

  IDP Attack/Group Name                  Attack Type         In Rules           Reason Code
                                                             (I=Idp,E=Exempt)
  -----------------------------------------------------------------------------------------
  SIP: Ethereal SIP Decoder Exploit      predef signature    I-1                6
  DNS: Non-RFC1035 Type Used             predef signature    I-1                6
  WORM: Microsoft ASN.1 Worm (KillBill)  predef signature    I-1                6

Reason Codes:
(6)      This attack is not supported by the current detector on the device. A detector update may be required.

 

No IDP or ISG-IDP detector supports all of the attack objects. Typically, when a new detector with new capabilities (new context, new protocol, and so on) is released, new attack objects are created, which replace the old ones. NSM has both the old attack signatures, which are applicable only to older versions of the detector, and the new attack objects. If a signature is obsolete and not applicable to the current version of the detector, the signature will not be pushed. Similarly, if a signature is applicable only to a higher version of the detector, it will not be pushed to devices that are running lower versions of the detector.

For example, the SIP: Ethereal SIP Decoder Exploit signature in the above message is applicable only to older 3.0 detector versions. To find the supported platforms (detector versions) for a signature, edit the signature. Because this signature is applicable only to 3.0 detector versions, it will not be pushed to devices that are running higher versions. Similarly, if a signature is applicable only to higher versions of the detector (signatures applicable to IDP 5.1 devices), it cannot be pushed to IDP 5.0 devices, which run a different detector version.

Note: The detector engines are different for ISG-IDP and stand-alone IDP devices. For ISG-IDP, the detector engine that is supported on ScreenOS 6.2 / ScreenOS 6.3 is different from ScreenOS 6.1. Similarly, for Stand-alone IDP devices, the detector engine is different for IDP 5.0 and IDP 5.1 devices. 

The following table lists the supported detector versions for different operating systems:

  Operating System    Detector Version
  ----------------    ----------------
  ScreenOS 6.3        3.5.xxxxx
  ScreenOS 6.2        3.4.xxxxx
  IDP 5.1             5.1.xxxxx
  IDP 5.0             5.0.xxxxx

Only signatures that are applicable to the device's specific detector version can be pushed to the device.
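
Because the policy update succeeds while the listed attack objects are left out, it is worth recording exactly which objects were skipped so that their supported detector versions can be reviewed. The following is an added example, not Juniper code: it parses the warning text in the layout quoted in this article. The function names are hypothetical, and the column layout (fields separated by two or more spaces) is an assumption based on that sample.

```python
import re
from collections import defaultdict

# Sample input: the rows and reason-code legend quoted in this article.
SAMPLE = """\
The following attacks/groups can not be updated (see "Reason Code" column below):

  IDP Attack/Group Name                  Attack Type         In Rules      Reason Code
                                                             (I=Idp,E=Exempt)
  ------------------------------------------------------------------------------------
 SIP: Ethereal SIP Decoder Exploit      predef signature       I-1             6
 DNS: Non-RFC1035 Type Used             predef signature       I-1             6
 WORM: Microsoft ASN.1 Worm (KillBill)  predef signature       I-1             6

Reason Codes:
(6)      This attack is not supported by the current detector on the device. A detector update may be required.
"""

# Data row: name, attack type, "In Rules" (I-/E- prefix), numeric reason code.
# Assumption: columns are separated by runs of two or more spaces.
ROW = re.compile(r"^\s*(?P<name>\S.*?)\s{2,}(?P<type>\S.*?)\s{2,}"
                 r"(?P<rules>[IE]-\S+)\s+(?P<code>\d+)\s*$")
# Legend line: "(6)   explanation text"
LEGEND = re.compile(r"^\((?P<code>\d+)\)\s+(?P<text>.+)$")

def parse_warning(text):
    """Return (rows, legend): skipped attack objects and reason-code meanings."""
    rows, legend = [], {}
    for line in text.splitlines():
        m = LEGEND.match(line.strip())
        if m:
            legend[int(m["code"])] = m["text"].strip()
            continue
        m = ROW.match(line)  # header, separator and prose lines do not match
        if m:
            rows.append({"name": m["name"], "type": m["type"],
                         "in_rules": m["rules"], "reason": int(m["code"])})
    return rows, legend

def skipped_by_reason(text):
    """Group the names of skipped attack objects by reason code."""
    rows, legend = parse_warning(text)
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["reason"]].append(row["name"])
    return dict(grouped), legend
```

Each name returned under reason code 6 is an attack object that is in the policy rules but was not pushed, so it is a candidate for the supported-platform check described above.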

Modification History:
2020-10-18: Tagged article for EOL/EOE.
 