SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Download signature problem with routing-instance in place

    Posted 03-29-2018 08:44

    Hi,

    I've this problem to download signature on my firewall due routing-instance configuration and not direct internet reachability on the main routing instance.

     

    I try:

    1) offline procedure. But for my version and product (SRX-110) i think that something is wrong on the website and always I retrived some errors with asking url:

    https://signatures.juniper.net/cgi-bin/index.cgi?device=jsrx110&feature=idp&detector=12.6.160121210&to=latest&os=12.3&build=48&type=update

     

     

    root@FW-HQ> show security idp security-package-version
      Attack database version:N/A(N/A)
      Detector version :12.6.160121210
      Policy template version :N/A
    

     

    2) Another way checked here on the forum is to use the loopback to force the SRX ask internet using the loopback behind routing-instance:

    "set system default-address-selection " command will enable the SRX to send IDP update request from loopback interface then.
    
     
    
    
    root@SRX-5800-1# show routing-instances 
    IDP-Update {
        instance-type vrf;
        interface xe-1/0/0.0;
    
    routing-options {
            interface-routes {
                rib-group inet IDP-Update;
            }
            static {
                rib-group IDP-Update;
                route 180.43.200.1/32 next-table inet.0;
            }
        }
    
    
    [edit]
    root@SRX-5800-1# show interfaces lo0 
    unit 0 {
        family inet {
            address 180.43.200.1/32;
        }
    }
    
    root@SRX-5800-1#

    But the problem in my case is that I'm using pppoe connection in dialup with just one public IP address that is able to reach internet.

    Maybe I can use one other IP address or interface on the juniper-default routing instance in order to reach internet in some other way? But I don't know in which one...

    Any idea?

     

     

     

     


    #srxidperrorupdate
    #srxofflineidp
    #SRX110
    #srxidp
    #srxofflineupdates


  • 2.  RE: SRX Download signature problem with routing-instance in place

     
    Posted 03-30-2018 00:50
    1. Interface based source NAT from zone local to egress interface zone (set security nat source rule-set 1 from zone junos-host)
    2. You need to make sure DNS is reachable from lo0(inet)
    3. Necessary security polocies for traffic from loopback to Internet/DNS


  • 3.  RE: SRX Download signature problem with routing-instance in place
    Best Answer

    Posted 03-30-2018 01:06

    Found solutions.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32399&cat=&actp=LIST

     

    But only for particularly JunOS version.

    Check it!

     

    More easy than manual download or other staff to perform on the device.

     

    Regards