Security Management

  • 1.  j-web upgrades & feature additions

    Posted 03-24-2020 09:52

    I'm running 18.2 on an SRX340 per JTAC "recommended version". Version 19.4 exists but appeared to break some things during my initial install, after which, on a call to JTAC, I was informed of the recommended version.

    I suspect there are enhancements to J-web in 19.4 that I'd like to take advantage of. Visual versus lots of command line can help efficiency and clarity at times 🙂

     

    Is there a way to upgrade j-web without an entire firmware update?

    Is there a list of active J-web enhancements being worked on?

     

    I did find this posting which somewhat answers my question on published features, not future features.

    https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFName=J-Web

     

    So moving to the latest firmware gets more j-web features but makes the device less desirable for JTAC to support issues.



  • 2.  RE: j-web upgrades & feature additions

    Posted 03-24-2020 13:36

    Hi ewind.

     

    I hope you're doing great.

     

    You can safely upgrade the J-web package without changing the Junos version; for that, just push the J-web package into the /var/tmp folder, then issue the command request system software add /var/tmp/J-web-package name.

     

    You can check J-web features from Juniper Pathfinder: https://apps.juniper.net/feature-explorer/ and the release notes for the version you are interested in.

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.

     

    Regards.



  • 3.  RE: j-web upgrades & feature additions

    Posted 03-26-2020 09:40

    Sorry for my lack of knowledge here, but I am not finding any instructions on how to extract the j-web package from the contents of the tgz, which in this case is the junos-srxsme-19.4R1.10-domestic file, or whether I can download the newest j-web package directly somehow. Still searching since getting your response. Thank You



  • 4.  RE: j-web upgrades & feature additions

    Posted 03-27-2020 02:59

    The separate j-web package installer is only available for the ex switch series on particular models.

     

    https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/ex-series/release-notes/ex-j-web-194-A1/rn-ex-series-j-web-194A1.pdf

     

    j-web is integrated on other platforms.

     



  • 5.  RE: j-web upgrades & feature additions

    Posted 03-28-2020 07:43

    Thank You. I thought I was losing my mind searching over and over for the ability to update SRX with j-web only.



  • 6.  RE: j-web upgrades & feature additions

    Posted 03-27-2020 11:23

    There is no official list of things being worked on, but I know there is a general focus on speed and better usability. A lot of enhancements have made it into Junos 19.2 and especially 19.3, where updating policies, NAT and related have gained major speed improvements.

     

    As Steve pointed out, you cannot upgrade J-web separately on the SRX series - this is a feature separate for the EX switches.

     

    Which kind of errors did you run into on 19.4? Even though JTAC recommends 18.2R3-S2 for now, they should still support you on all active releases. Maybe we can help you point out what went wrong and get you running 19.3 or 19.4. Personally I run 19.3 and 19.4 on a couple of SRX branch devices and haven't noticed any big issues - but honestly I'm not using the broadest feature set (only FW+NAT+IPS+IPsec VPN and routing-instances).

     



  • 7.  RE: j-web upgrades & feature additions

    Posted 03-28-2020 08:04

    Thank You. When I first unboxed the 340 it had 15.x? loaded. I performed initial configs with j-web and had a lot of odd anomalies. Updated to latest firmware 19.x, redid config a few times, ran into a few odd issues, some due to lack of my junos knowledge, some not, and opened a JTAC ticket. JTAC response was load preferred version. So that gave me a stable config after several iterations and learning, but I lost the j-web feature updates. I guess I can try loading latest firmware and see if any of my config breaks, but maintain the current version image on other boot partition. Some more reading for me.

    Thanks again for confirming.



  • 8.  RE: j-web upgrades & feature additions

    Posted 03-31-2020 11:22

    Unfortunately the upgrade/validation to 19.4 failed. Any help out there?

     

    root@> ...var/tmp/junos-srxsme-19.4R1.10.tgz validate
    Formatting alternate root (/dev/da0s1a)...
    /dev/da0s1a: 2510.1MB (5140780 sectors) block size 16384, fragment size 2048
    using 14 cylinder groups of 183.62MB, 11752 blks, 23552 inodes.
    super-block backups (for fsck -b #) at:
    32, 376096, 752160, 1128224, 1504288, 1880352, 2256416, 2632480, 3008544,
    3384608, 3760672, 4136736, 4512800, 4888864
    saving package file in /var/sw/pkg ...
    Checking compatibility with configuration
    Initializing...
    cp: /var/etc/extensions.allow: No such file or directory
    veriexec: cannot update veriexec for /var/v/c/junos/var/jailetc/php_mod.ini: No such file or directory
    veriexec: cannot update veriexec for /var/v/c/junos/var/jailetc/mime.types: No such file or directory
    veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libpsu.so.3: Too many links
    veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libyaml.so.3: Too many links
    veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libext_db.so.3: Too many links
    veriexec: cannot update veriexec for /var/v/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
    Using junos-19.4R1.10 from /altroot/cf/packages/install-tmp/junos-19.4R1.10
    Copying package ...
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/google/protobuf/wrappers_pb2.pyc: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/cfgro/srx.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/arp.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/bfd.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/bgp.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/ccc.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/ethernetswitchingtable.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/ethport.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/fpc.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/idpattacks.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/intopticdiag.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/inventory.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/isis.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/lacp.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/ldp.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/lldp.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/nd.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/ospf.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/phyport.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/routes.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/securityzone.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/teddb.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/vlan.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/jail/usr/lib/python3.7/site-packages/jnpr/junos/op/xcvr.yml: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libext_db.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libpsu.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libxml2.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/lib/libyaml.so.3: Too many links
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/usr/telemetry/na-mqttd/na-mqtt.conf: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/mime.types: No such file or directory
    veriexec: cannot update veriexec for /cf/var/validate/c/junos/var/jailetc/php_mod.ini: No such file or directory
    Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
    Hardware Database regeneration succeeded
    Validating against /config/juniper.conf.gz
    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>none</source-daemon>
    Network security daemon: <message>trusted-ca 'aamw-cloud-ca' does not exist!</message>
    Network security daemon: </xnm:error>
    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>none</source-daemon>
    Network security daemon: <message>trusted-ca 'aamw-secintel-ca' does not exist!</message>
    Network security daemon: </xnm:error>
    mgd: error: configuration check-out failed
    Validation failed
    Validating against /config/rescue.conf.gz
    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>none</source-daemon>
    Network security daemon: <message>trusted-ca 'aamw-cloud-ca' does not exist!</message>
    Network security daemon: </xnm:error>
    Network security daemon: <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    Network security daemon: <source-daemon>none</source-daemon>
    Network security daemon: <message>trusted-ca 'aamw-secintel-ca' does not exist!</message>
    Network security daemon: </xnm:error>
    mgd: error: configuration check-out failed
    Validation failed
    ERROR: Current configuration not compatible with /altroot/cf/packages/install-tmp/junos-19.4R1.10
    ERROR: Configuration validation failed with /altroot/cf/packages/install-tmp/junos-19.4R1.10
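
Added example (not part of the thread and not Juniper code): a small Python triage of the `validate` output format shown in post 8. It groups the veriexec warnings by reason, records the manifest-signature lines, and lists the `<message>` errors reported for each configuration file; the sample input is a constructed, shortened copy of that output, and the function and field names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the output format posted in this thread.
SAMPLE = """\
veriexec: cannot update veriexec for /var/v/c/junos/usr/lib/libpsu.so.3: Too many links
veriexec: cannot update veriexec for /var/v/c/junos/var/jailetc/mime.types: No such file or directory
Verified manifest signed by PackageProductionEc_2019 method ECDSA256+SHA256
Validating against /config/juniper.conf.gz
Network security daemon: <source-daemon>none</source-daemon>
Network security daemon: <message>trusted-ca 'aamw-cloud-ca' does not exist!</message>
Network security daemon: </xnm:error>
mgd: error: configuration check-out failed
Validation failed
Validating against /config/rescue.conf.gz
Network security daemon: <message>trusted-ca 'aamw-secintel-ca' does not exist!</message>
Validation failed
"""

VERIEXEC = re.compile(r"^veriexec: cannot update veriexec for .+: (.+)$")
SIGNED = re.compile(r"^Verified manifest signed by (\S+) method (\S+)$")
TARGET = re.compile(r"^Validating against (\S+)$")
MESSAGE = re.compile(r"^(.+?): <message>(.*)</message>$")

def triage(text):
    """Summarise a validate run: signers, veriexec warnings, per-config errors."""
    report = {"signers": set(), "veriexec": Counter(), "configs": {}}
    current = None  # result record of the config file currently being validated
    for raw in text.splitlines():
        line = raw.strip()
        if m := VERIEXEC.match(line):
            report["veriexec"][m.group(1)] += 1          # count by reason text
        elif m := SIGNED.match(line):
            report["signers"].add((m.group(1), m.group(2)))
        elif m := TARGET.match(line):
            current = report["configs"].setdefault(
                m.group(1), {"errors": [], "failed": False})
        elif current is not None and (m := MESSAGE.match(line)):
            current["errors"].append((m.group(1), m.group(2)))  # (daemon, message)
        elif current is not None and line == "Validation failed":
            current["failed"] = True
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("signed by:", sorted(r["signers"]))
    print("veriexec warnings by reason:", dict(r["veriexec"]))
    for cfg, res in r["configs"].items():
        print(cfg, "FAILED" if res["failed"] else "ok", res["errors"])
```

Listing exactly which messages failed validation for each configuration file is useful before deciding on the 'no-validate' route mentioned in this thread.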



  • 9.  RE: j-web upgrades & feature additions
    Best Answer

    Posted 03-31-2020 12:36

    If I search for PRs affecting 18.2R3 (and all -S releases) I find this one:

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1474225

     

    I suspect that the issue also occurs on 18.2R3 even though only 18.3R1 and newer are mentioned - but the only way to properly validate will be to ask JTAC. Especially as there is no workaround mentioned... but I expect the workaround will have to be to upgrade with the 'no-validate' option.



  • 10.  RE: j-web upgrades & feature additions

    Posted 03-31-2020 12:58

    Thank You Jonas