

  • 1.  SRX Download signature problem with routing-instance in place

    Posted 03-29-2018 08:44

    Hi,

    I have this problem downloading signatures on my firewall, due to the routing-instance configuration and no direct internet reachability on the main routing instance.

     

    I try:

    1) Offline procedure. But for my version and product (SRX-110) I think that something is wrong on the website, and I always get some errors when requesting the URL:

    https://signatures.juniper.net/cgi-bin/index.cgi?device=jsrx110&feature=idp&detector=12.6.160121210&to=latest&os=12.3&build=48&type=update

    root@FW-HQ> show security idp security-package-version
      Attack database version:N/A(N/A)
      Detector version :12.6.160121210
      Policy template version :N/A
    

     

    2) Another way found here on the forum is to use the loopback to force the SRX to reach the internet using the loopback behind the routing instance:

    The "set system default-address-selection" command will then enable the SRX to send the IDP update request from the loopback interface.
    
     
    
    
    root@SRX-5800-1# show routing-instances
    IDP-Update {
        instance-type vrf;
        interface xe-1/0/0.0;
        routing-options {
            interface-routes {
                /* copy this VRF's interface routes into the tables listed in rib-group IDP-Update (defined under [edit routing-options rib-groups], not shown) */
                rib-group inet IDP-Update;
            }
            static {
                /* copy this VRF's static routes the same way */
                rib-group IDP-Update;
                /* return path: the loopback address is looked up in inet.0 when a packet for it arrives in the VRF */
                route 180.43.200.1/32 next-table inet.0;
            }
        }
    }

    [edit]
    root@SRX-5800-1# show interfaces lo0
    unit 0 {
        family inet {
            address 180.43.200.1/32;
        }
    }

    root@SRX-5800-1#

    But the problem in my case is that I'm using a PPPoE dial-up connection with just one public IP address that is able to reach the internet.

    Maybe I can use another IP address or interface on the juniper-default routing instance in order to reach the internet in some other way? But I don't know which one...

    Any idea?



  • 2.  RE: SRX Download signature problem with routing-instance in place

    Posted 03-30-2018 00:50

    1. Interface based source NAT from zone local to egress interface zone (set security nat source rule-set 1 from zone junos-host)
    2. You need to make sure DNS is reachable from lo0 (inet)
    3. Necessary security policies for traffic from loopback to Internet/DNS
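The loopback-plus-rib-group approach quoted in the first post and the three items in this reply, combined into one Junos set-command configuration. This is an added example, not the poster's configuration, the KB article, or anything verified on an SRX-110: the routing-instance name INET-VRF (type virtual-router rather than the first post's vrf, so no route-distinguisher is needed), the zone name untrust, the private loopback address 10.255.0.1/32, the PPPoE link on pp0.0, and the DNS placeholder are all assumptions. The point of the private loopback plus interface NAT is that no second public IP is needed: self-generated traffic is sourced from lo0 in inet.0, leaks into the instance that owns the PPPoE link, and leaves with the pp0.0 address.

```junos
# Added example (assumed names: routing-instance INET-VRF, zone untrust, lo0 10.255.0.1/32, PPPoE on pp0.0).
# Goal: let the device's own IDP-update and DNS traffic leave via a PPPoE link that lives in a routing
# instance, using the loopback as source and interface NAT to hide it behind the single public IP.

# 1. Loopback in the main instance (inet.0); make it the default source for self-generated traffic
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set system default-address-selection
set system name-server <DNS-SERVER-IP>    # placeholder: DNS must be reachable over the same path

# 2. Rib-group: first import-rib is the primary (source) table, the second receives copies,
#    so routes known in INET-VRF.inet.0 also appear in inet.0
set routing-options rib-groups IDP-Update import-rib INET-VRF.inet.0
set routing-options rib-groups IDP-Update import-rib inet.0

# 3. Routing instance holding the PPPoE interface; its interface and static routes are copied into inet.0
set routing-instances INET-VRF instance-type virtual-router
set routing-instances INET-VRF interface pp0.0
set routing-instances INET-VRF routing-options interface-routes rib-group inet IDP-Update
set routing-instances INET-VRF routing-options static rib-group IDP-Update
set routing-instances INET-VRF routing-options static route 0.0.0.0/0 next-hop pp0.0
# return path: packets for the loopback address arriving in the instance are looked up in inet.0
set routing-instances INET-VRF routing-options static route 10.255.0.1/32 next-table inet.0

# 4. Zone for the PPPoE interface (junos-host is the built-in zone for the device itself)
set security zones security-zone untrust interfaces pp0.0

# 5. Interface-based source NAT (item 1 of the reply): traffic sourced from lo0 leaves with the pp0.0 address
set security nat source rule-set host-to-untrust from zone junos-host
set security nat source rule-set host-to-untrust to zone untrust
set security nat source rule-set host-to-untrust rule idp-update match source-address 10.255.0.1/32
set security nat source rule-set host-to-untrust rule idp-update then source-nat interface

# 6. Policy (item 3): permit only what the update needs, HTTPS to the signature server and DNS (item 2)
set security policies from-zone junos-host to-zone untrust policy allow-updates match source-address any
set security policies from-zone junos-host to-zone untrust policy allow-updates match destination-address any
set security policies from-zone junos-host to-zone untrust policy allow-updates match application junos-https
set security policies from-zone junos-host to-zone untrust policy allow-updates match application junos-dns-udp
set security policies from-zone junos-host to-zone untrust policy allow-updates then permit
```

After committing, check that the default route was actually copied into the main table with "show route table inet.0 0.0.0.0/0", then run "request security idp security-package download" and confirm with "show security idp security-package-version" as in the first post. Two things worth keeping in mind: default-address-selection applies to all self-generated traffic (syslog, NTP, SNMP traps), not just the IDP download, so every such flow will match the lo0 source-NAT rule; and the policy above is deliberately limited to junos-https and junos-dns-udp rather than "any" so that the device's own outbound exposure stays as small as the update path requires.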


  • 3.  RE: SRX Download signature problem with routing-instance in place
    Best Answer

    Posted 03-30-2018 01:06

    Found solutions.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32399&cat=&actp=LIST

     

    But only for a particular Junos version.

    Check it!

     

    Easier than a manual download or other stuff to perform on the device.

     

    Regards