The event log message indicates that the firewall is unable to allocate memory to load the new pattern database. This issue is seen only after the device has been operational for some time, depending on the traffic pattern. It is more likely to occur on devices that are also running Deep Inspection (DI).
An NS-5GT firewall device with Trend Micro Antivirus and a Deep Inspection license may report memory allocation errors, as shown in the following example of "get event" command output:
2007-04-27 20:03:17 system crit 00554 SCAN-MGR: Internal error occurred when calling this function: TmIntCPVSInit. Error: -3.
2007-04-27 20:03:17 system crit 00081 Cannot allocate 1501584 bytes of memory.
2007-04-27 20:02:53 system notif 00554 SCAN-MGR: New AV pattern file has been updated. Version: 433; size: 7220817 bytes
At 20:02:53, the AV pattern file was successfully downloaded to the firewall device.
However, at 20:03:17, it was unable to update the AV engine of the firewall device with this new AV pattern file.
The root cause of this issue is memory fragmentation, which builds up on the device over time as memory is allocated and de-allocated to accommodate packets of different sizes traversing the device. The memory becomes fragmented to the extent that the device cannot allocate a memory block large enough to load the new pattern database.
Redownload the AV pattern file. If the same error occurs, reset the firewall device and then download the AV pattern file again.
Explanation of fix:
Due to the limited resources available on the firewall device, Trend Micro has optimized the database to reduce the pattern file size.
- Before optimization the pattern files included: signatures for "in-the-wild" + prevalent generic signatures + specific customer cases for the last 2 years
- The optimized database includes: "in-the-wild" + prevalent generic signatures.
The "in-the-wild" patterns include viruses that are seen in the real world; the omitted signatures were specific to some customer environments and not seen in production systems.
The following are some of the expected behavior changes:
- The pattern file number on the Juniper firewall will differ from the pattern file number on Trend Micro's website. This is due to the omission of the specific customer cases for the Juniper firewall.
- Signature updates are released as and when "in-the-wild" viruses are found. As a result, Trend Micro users should expect the signature file to change less frequently. Changes may not occur for weeks at a time.
- The solution continues to provide coverage against the most relevant virus attacks.