Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


[SRX] How to update IDP Signature Database off-lineĀ  ( Easier way to do it )

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32399&actp=METADATA

https://translate.google.com/translate?hl=en&sl=ja&tl=en&u=https%3A%2F%2Fcsps.hitachi-solutions.co.jp%2Fjuniper%2Ffaq%2Fsrx%2Futm%2Fidp_04.html

https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/SRX-IDP_Offline_SecurityPackage_update.pdf




check the signature id


Code Block
titlewhich version installed
Netbox@SRX340-1-Rack104# run show services application-identification version
  Application package version: 534


Netbox@SRX340-1-Rack104# run show security idp security-package-version
  Attack database version:N/A(N/A)
  Detector version :12.6.160121210
  Policy template version :N/A



Check-server

and get the latest signature id


Code Block
titleCheck server
collapsetrue
Netbox@SRX340-1-Rack104> request services application-identification download check-server
Download server URL: https://signatures.juniper.net/cgi-bin/index.cgi
Sigpack Version: 3161
Protobundle version: 1.380.0-60.105
Build Time: Jan 13 2019 23:05:04


Netbox@SRX340-1-Rack104> request security idp security-package download check-server
Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3161(Detector=12.6.160180509, Templates=3161)


application-identification

and

Download Server

and

sigpack version


Code Block
titlehere
collapsetrue
root@SRX340-1-Rack104> show services application-identification status

Application Identification
 Status                            Enabled
 Sessions under app detection      0
 Max TCP session packet memory     0
 Force packet plugin               Disabled
 Force stream plugin               Disabled
 Statistics collection interval    1440 (in minutes)

Application System Cache
 Status                            Enabled
 Max Number of entries in cache    131072
 Cache timeout                     3600 (in seconds)

Protocol Bundle
 Download Server                   https://signatures.juniper.net/cgi-bin/index.cgi
 AutoUpdate                        Disabled
Slot 1:
 Application package version       0
 Status                            Free
 PB Version                        N/A
 Engine version                    N/A
 Sessions                          0



request services application-identification download status

https://signatures.juniper.net/xmlupdate/226/ApplicationGroups/3161/application_groups2.xml.gz






idp folder

and

detector-capabilities


Code Block
titleidp folder
collapsetrue
% ls -al /var/db/idpd/sec-download/
total 1484
drwxr-xr-x  3 root  wheel     512 Dec 15  2017 .
drwxr-xr-x  7 root  wheel     512 Dec 15  2017 ..
-rw-r--r--  1 root  wheel  721970 Dec 15  2017 detector-capabilities.xml
drwxr-xr-x  2 root  wheel     512 Dec 15  2017 sub-download



more /var/db/idpd/sec-download/detector-capabilities.xml



application id folder

and

manifest.xml file


Code Block
titlemanifest.xml only xml.gz id files
collapsetrue
% more /var/db/appid/sec-download/manifest.xml | grep "xml.gz</id"
    <id>application_groups.xml.gz</id>
    <id>application_groups2.xml.gz</id>
    <id>applications.xml.gz</id>
    <id>applications2.xml.gz</id>
    <id>contexts.xml.gz</id>
    <id>filters.xml.gz</id>
    <id>groups.xml.gz</id>
    <id>platforms.xml.gz</id>
    <id>products.xml.gz</id>
    <id>services.xml.gz</id>
    <id>SignatureUpdate.xml.gz</id>
    <id>templates.xml.gz</id>


Code Block
titledownload manifest
 wget -O manifest.xml "https://signatures.juniper.net/xmlupdate/226/Manifest/3161/manifest.xml"


Also:
wget -O manifest.xml  "https://signatures.juniper.net/cgi-bin/index.cgi?device=jsrx340&adv_dev_info=srx340&feature=idp&os=15.1&build=49&dfa=hs&detector=12.6.160121210&from=&to=latest&type=manifest&sn=CY3016AF0008&release=150.2"



PS C:\Users\jkriker\Documents\script> ls


    Directory: C:\Users\jkriker\Documents\script


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       16/04/2019     13:46           5379 manifest.xml
-a----       16/04/2019     12:48        4269066 SignatureUpdate.xml.gz



PS C:\Users\jkriker\Documents\script\appid> more .\manifest.xml | grep "xml.gz</url>" | sed s/<url>// | sed s/<\/url>// | sed s/.*https/https/ > .\download-file-list.txt

PS C:\Users\jkriker\Documents\script\appid> more .\download-file-list.txt
https://signatures.juniper.net/xmlupdate/226/ApplicationGroups/3161/application_groups.xml.gz
https://signatures.juniper.net/xmlupdate/226/ApplicationGroups/3161/application_groups2.xml.gz
https://signatures.juniper.net/xmlupdate/226/Applications/3161/applications.xml.gz
https://signatures.juniper.net/xmlupdate/226/Applications/3161/applications2.xml.gz
https://signatures.juniper.net/xmlupdate/226/Contexts/3161/contexts.xml.gz
https://signatures.juniper.net/xmlupdate/226/Filters/3161/filters.xml.gz
https://signatures.juniper.net/xmlupdate/226/Groups/3161/groups.xml.gz
https://signatures.juniper.net/xmlupdate/226/Platforms/3161/platforms.xml.gz
https://signatures.juniper.net/xmlupdate/226/Products/3161/products.xml.gz
https://signatures.juniper.net/xmlupdate/226/Services/3161/services.xml.gz
https://signatures.juniper.net/xmlupdate/226/SignatureUpdates/3161/SignatureUpdate.xml.gz
https://signatures.juniper.net/xmlupdate/226/Templates/3161/templates.xml.gz



determine the file to download


Code Block
titledownload file
!!!!!!!!  some web browser have some problem with the xml file >>>>>> using wget instead ( on powershell/windoes or linux ) !!!!!!!!!!!!!!


Netbox@SRX340-1-Rack104> request security idp security-package download check-server
Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3161(Detector=12.6.160180509, Templates=3161)

>>>>> Just change the Template ID, here 3161 <<<<<<<<

PS C:\Users\jkriker\Documents\script> wget https://signatures.juniper.net/xmlupdate/226/SignatureUpdates/3161/SignatureUpdate.xml.gz -O SignatureUpdate.xml.gz


PS C:\Users\jkriker\Documents\script> ls


    Directory: C:\Users\jkriker\Documents\script


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       16/04/2017     12:00                test1
d-----       17/04/2017     19:03                Test2
-a----       13/10/2018     13:28            466 napalm_config.py
-a----       16/04/2019     12:48        4269066 SignatureUpdate.xml.gz

Then put it in the /var/tmp folder

PS C:\Users\jkriker\Documents\script> sftp Netbox@172.30.95.210:/var/tmp/
Password:
Connected to 172.30.95.210.
Changing to: /var/tmp/

sftp> put SignatureUpdate.xml.gz
Uploading SignatureUpdate.xml.gz to /cf/var/tmp/SignatureUpdate.xml.gz
SignatureUpdate.xml.gz                                                                             100% 4169KB 631.5KB/s   00:06

sftp> ls
SignatureUpdate.xml.gz    appidd_trace_debug        gres-tp                   install                   phone-home
pics                      policy_status             rtsdb                     sd-upgrade                sec-download
spu_kmd_init              usb                       vi.recover




Also can be done like in the KB.

PS C:\Users\jkriker\Documents\script> wget "https://signatures.juniper.net/cgi-bin/index.cgi?device=jsrx340&adv_dev_info=srx340&feature=idp&os=15.1&build=49&dfa=hs&platform_ver
sion=&detector=12.6.160121210&from=&to=latest&type=update&sn=CY3016AF0008&release=150.2" -O SignatureUpdate.xml.gz



Code Block
titleOLD: determine the file to download
collapsetrue
Netbox@SRX340-1-Rack104> show security idp security-package-version
  Attack database version:N/A(N/A)
  Detector version :12.6.160121210  <<<<<<<<< installed 
  Policy template version :N/A

Netbox@SRX340-1-Rack104> request security idp security-package download check-server
Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3161(Detector=12.6.160180509, Templates=3161)


The latest one is:
Detector=12.6.160180509


https://signatures.juniper.net/cgi-bin/index.cgi?device=jsrx340&adv_dev_info=&feature=idp&os=15.1&build=49&dfa=hs&detector=12.6.160171124&from=&to=latest&type=offline

https://signatures.juniper.net/cgi-bin/index.cgi?
device=jsrx340&
adv_dev_info=&
feature=idp&
os=15.1&
build=49&
dfa=hs&detector=12.6.160171124&
from=&to=latest&type=offline



----------------------------------------------------------------------------------------------------
junos command to provide the answer

device=jsrx340&
os=15.1&
build=49&

Netbox@SRX340-1-Rack104> show version
Hostname: SRX340-1-Rack104
Model: srx340
Junos: 15.1X49-D150.2
JUNOS Software Release [15.1X49-D150.2]




Image Added

idp offline-download


Code Block
titlesftp with powershell
PS C:\Users\jkriker\Documents\script> ls


    Directory: C:\Users\jkriker\Documents\script


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       16/04/2017     12:00                test1
d-----       17/04/2017     19:03                Test2
-a----       13/10/2018     13:28            466 napalm_config.py
-a----       16/04/2019     12:48        4269066 SignatureUpdate.xml.gz


PS C:\Users\jkriker\Documents\script> sftp Netbox@172.30.95.210
Password:
Connected to 172.30.95.210.
sftp> put SignatureUpdate.xml.gz
Uploading SignatureUpdate.xml.gz to /cf/var/home/Netbox/SignatureUpdate.xml.gz
SignatureUpdate.xml.gz                                                                                                                        100% 4169KB 622.2KB/s   00:06
sftp> ls
SignatureUpdate.xml.gz
sftp> quit
PS C:\Users\jkriker\Documents\script>


Code Block
titleoffline-download
Netbox@SRX340-1-Rack104> request security idp security-package offline-download ?
Possible completions:
  <[Enter]>            Execute this command
  package-path         Package path of the zipped security package
  status               Retrieve the status of offline package download operation
  |                    Pipe through a command


Netbox@SRX340-1-Rack104> request security idp security-package offline-download package-path ?
Possible completions:
  <package-path>       Package path of the zipped security package



Netbox@SRX340-1-Rack104> request security idp security-package offline-download package-path /cf/var/home/Netbox/SignatureUpdate.xml.gz
Will be processed in async mode. Check the status using the status checking CLI

Netbox@SRX340-1-Rack104> request security idp security-package offline-download status
Done;Signature package offline download Successful.

Netbox@SRX340-1-Rack104> request security idp security-package install
error: Security Package installation disabled temporarily due to invalid license.  <<<<<<<<<<<<<<< Need install IDP license!!!!!