Intrusion Prevention




  • 1.  [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 01:47
    Hi, we have an ISG-2000 with an IDP module installed in it. I've updated the firewall with IOS (nsISG2000.6.2.0-IDP1.r2.0). Eventually the IOS update procedure went fine, but as soon as I restarted I received the following information/error on my console. I'm not sure what action needs to be taken on it, so I need your expert suggestion. However, I still haven't tried to add the firewall in NSM to implement IDP, as NSM is not yet activated, so I'm not sure whether the information below has any impact.

     Here are the logs I've received.

     

     Security Module 3 is ready
    All Security Modules init done
    IDP application is not supported, please make sure that the device is in Advance mode,
    has IDP license installed, ipv6 disabled, jumbo_frame disable, and has 2G memory.
    Done
    Received all run-time-object from peer.

      The firewall is already updated with the IDP license; I'm confirming it has nothing to do with licenses. What does “Advance Mode” mean here? Kindly help me out.


  • 2.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 02:28

    Hi,

    "advanced mode" is a license that includes IDP inspection and extended capabilities.

    Copy here the output of a "get license" to verify the situation.

     

    Ciao

    Daniele



  • 3.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 02:36

    Thanks Dan for the reply. Here is the output:

     

    get license-key


    Model:              Advanced
    Sessions:           500064 sessions
    Capacity:           unlimited number of users
    NSRP:               ActiveActive
    VPN tunnels:        10000 tunnels
    Vsys:               None
    Vrouters:           3 virtual routers
    Zones:              34 zones
    VLANs:              2000 vlans
    Drp:                Enable
    Deep Inspection:    Enable
    Deep Inspection Database Expire Date: Disable
    Signature pack:     Signature update key is missing
    IDP:                Disable
    AV:                 Enable(1)
    Anti-Spam:          Disable(0)
    Url Filtering:      Disable

    Update server url: nextwave.netscreen.com/key_retrieval
    License key auto update : Disabled
    Auto update interval : 0 days
    ===============================================================================



  • 4.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 02:59

    @AffanRayf wrote:

    IDP:                Disable

     

    The problem is here: the IDP is disabled.

     

    I have to correct my previous statement: the "advanced mode" is required but doesn't include the IDP license.

     

    So I think you should double check that you have a valid IDP license and install it on the device.

     

    Ciao 🙂

    Daniele

     



  • 5.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 03:14

    Thanks, I'm working on it. I'll update you soon.



  • 6.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 07:09

    Hi Affan,

    Forgot to say, you should also check that the device has 2GB memory and that IPv6 and jumbo frames are disabled.

     

    Please check the output of:

    get sys

    get env

     

    Feel free to copy the output here so I can check.

     

    Ciao 🙂

    Daniele



  • 7.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-07-2009 08:05

    Hi Dan,

     

    I just saw your message. I went through some documents and found out about the memory issue. So without wasting time, I've updated the firewall with 2GB memory; previously it had 1GB. So the only issue, which you also pinpointed, is valid, and that was the memory shortage, as supporting IDP on the firewall requires 2GB. Further, the firewalls are working in NSRP, so I updated both ;).

     

    Dan, I guess the firewalls with IDP are ready? Or do you see anything else in it? I know that for a FW with IDP, an NSM appliance is required for configuration. Can you also please share any document or step-by-step guide that helps with implementation in view of NSM?

     

    Many Thanks

     

    Kr, 

     - Affan

     

     



  • 8.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-09-2009 11:38

    Dan,

     

    You there? Any suggestion regarding a document, please?

     



  • 9.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-11-2009 19:51

    Affan,

     

    The steps are documented in the NSM Administrator Guide.

    At a high level, the steps you need to perform are:

     

    On the device:

    1. Make sure that the IDP license shows enabled (get lic)

    2. Make sure the security modules show enabled (get sm status) --> CPU should show as 1

    3. Management Interface needs to have an IP Address (Suggest using the management interface alone for management)

    4. Make sure NSM server IP Address is pingable and port tcp/7800 is open between the device and NSM server 

    5. Enable SSH on the management interface 

     

    On NSM:

    1. Add the device as Device is reachable

    2. Import the Device

    3. Perform an attack object update (configuration --> Update attack objects)

    4. Update the detector on the device (it's on the configuration menu)

    5. Define the IDP policy using Security Policies

    6. Perform an update to the device

     

    Lastly, not sure what ScreenOS you are using, suggest using the latest version of ScreenOS on either 6.0 or 6.1.

     

    Thanks,

    Chandra
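
Added example (not part of any post in this thread, and not Juniper code): a small Python check that parses pasted `get license-key` output and reports the license-related conditions named in the console message and in step 1 above (Model Advanced, IDP enabled), plus the signature-key status line. The sample input is an excerpt of the output posted in this thread with the key blobs replaced by constructed placeholders; the function names are hypothetical, and memory, IPv6 and jumbo-frame checks are left out because no `get sys` / `get env` output appears here.

```python
import re

# Excerpt of the `get license-key` output posted in this thread; the key
# blobs are replaced by constructed placeholders.
SAMPLE = """\
    advanced_key        : <key blob omitted>
                          <continuation omitted>
    Model:              Advanced
    Sessions:           500064 sessions
    Deep Inspection:    Enable
    Signature pack:     Signature update key is missing
    IDP:                Disable
    AV:                 Enable(1)
    Anti-Spam:          Disable(0)
    Update server url: nextwave.netscreen.com/key_retrieval
"""

# "Name : value" lines; key-blob continuation lines have no colon and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z _-]*?)\s*:\s*(.*)$")

def parse_license(text):
    """Return {field name: raw value} from pasted `get license-key` output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def is_enabled(value):
    """Map 'Enable', 'Enable(1)', 'Disable(0)', 'Disabled' to True/False, else None."""
    m = re.match(r"(enable|disable)", value or "", re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "enable"

def idp_license_findings(fields):
    """List the license conditions from the console message that are not met."""
    findings = []
    if fields.get("Model", "").lower() != "advanced":
        findings.append("Model is not Advanced")
    if is_enabled(fields.get("IDP")) is not True:
        findings.append("IDP license not enabled")
    if "missing" in fields.get("Signature pack", "").lower():
        findings.append("Signature update key is missing")  # informational
    return findings

if __name__ == "__main__":
    for finding in idp_license_findings(parse_license(SAMPLE)):
        print("CHECK:", finding)
```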

     



  • 10.  RE: [help] ISG with IDP Module Detection Error
    Best Answer

    Posted 05-11-2009 22:30
    Many Thanks Chandra & Dan


  • 11.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-12-2009 00:29

    Also,

    we have a "Network and Security Manager 2008.2 Configuring ScreenOS and IDP Devices Guide" available here:

     

    http://www.juniper.net/techpubs/software/management/security-manager/nsm2008_2/nsm-screenos-idp-devices-guide.pdf

     

     

    Ciao

    Daniele



  • 12.  RE: [help] ISG with IDP Module Detection Error

    Posted 05-13-2009 05:10

    Dan,

     

    Thank you very much for your valuable support. Great indeed !!