Discussion:
[j-nsp] SRX and http/https proxy
Benoit Plessis
2017-12-12 10:38:54 UTC
Hi,

We have recently bought an SRX345 cluster with IDP licensing and I'm a
bit baffled by something a bit "stupid".

The SRX will need regular downloads over the internet for the IDP
database; however, on principle I set up the system so that the admin
interface has limited network connectivity (by use of a separate
routing-instance for the main traffic).

So I looked for a way for the SRX to use a web proxy (squid, ffproxy)
for those operations.

According to the documentation & configuration it is supported (system
proxy server / system proxy port); however, of the 4 download "use-cases" I
tested (request system license update, request security idp
security-package download, request system license add, file copy) only
the first (request system license update) does "try" to respect and use
the system proxy, and even there it doesn't correctly communicate with
the proxy for "https" requests.

I tried with 17.3R1.10, 12.1X46-D15.3, 12.3X48-D40.5 with the same
result each time.


A case is pending opening with Juniper support, but the support contract
of the SRX345 isn't opened yet, so I thought of reaching out here:
does anybody know anything on the subject?

Regards,
Benoit Plessis

_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Roger Wiklund
2017-12-12 14:34:53 UTC
Two options off the top of my head:

1. Use Security Director, that will download the signature to the server
and then push it to the device. (SD will also give you lots of other
benefits/visibility)
2. Download the update to a web server the SRX can reach, then use
offline-download "request security idp security-package offline-download
package-path http://x/y"

You can easily configure an event-option to run the update every night.

set event-options generate-event daily time-of-day 01:00:00
set event-options policy update_idp_package events daily
set event-options policy update_idp_package then execute-commands command
"request security idp security-package offline-download package-path
http://x/y"

BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
15.1X49 feature parity.

Regards
Roger
Post by Benoit Plessis
Hi,
We have recently bought an SRX345 cluster with IDP licensing and I'm a
bit baffled by something a bit "stupid".
The SRX will need regular downloads over the internet for the IDP
database; however, on principle I set up the system so that the admin
interface has limited network connectivity (by use of a separate
routing-instance for the main traffic).
So I looked for a way for the SRX to use a web proxy (squid, ffproxy)
for those operations.
According to the documentation & configuration it is supported (system
proxy server / system proxy port); however, of the 4 download "use-cases" I
tested (request system license update, request security idp
security-package download, request system license add, file copy) only
the first (request system license update) does "try" to respect and use
the system proxy, and even there it doesn't correctly communicate with
the proxy for "https" requests.
I tried with 17.3R1.10, 12.1X46-D15.3, 12.3X48-D40.5 with the same
result each time.
A case is pending opening with Juniper support, but the support contract
of the SRX345 isn't opened yet, so I thought of reaching out here:
does anybody know anything on the subject?
Regards,
Benoit Plessis
Benoit Plessis
2017-12-14 11:58:02 UTC
Sorry, I lost Roger's mail so this might bork the thread ..
Post by Roger Wiklund
1. Use Security Director, that will download the signature to the server
and then push it to the device. (SD will also give you lots of other
benefits/visibility)
2. Download the update to a web server the SRX can reach, then use
offline-download "request security idp security-package offline-download
package-path http://x/y"
You can easily configure an event-option to run the update every night.
set event-options generate-event daily time-of-day 01:00:00
set event-options policy update_idp_package events daily
set event-options policy update_idp_package then execute-commands command
"request security idp security-package offline-download package-path
http://x/y"
Hi,

Well, I found the "How to perform offline IDP and Application signature
database update in SRX" (*) which is three years old at least,
not very clear, and needs root (not super-user account) access to put
files directly in /var/db/idpd/...

* https://kb.juniper.net/InfoCenter/index?page=content&id=TN83

The documentation for "request security idp security-package
offline-download" suggests to
"Manually download the security package from the Juniper Security
Engineering portal. The package will have both IDP and application
package signatures." yet I wasn't able to find said package ...

By the way, JTAC answered this morning with said KB and a wonderful "It is
possible that the proxy method to not be standard. If this is the case,
I don't understand what are your expectation in regards to this."
Post by Roger Wiklund
BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
15.1X49 feature parity.
OK, gone back to 15.1, thanks
Roger Wiklund
2017-12-20 22:00:07 UTC
You can download the latest signature here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB27038

Try this:

1. unzip the file, then gunzip all gz files: gzip -d *.gz
2. copy all files to the device with scp: scp -r * ***@ip:/var/db/idpd/sec-download/
3. request security idp security-package offline-download package-path /var/db/idpd/sec-download
4. request security idp security-package install

I have not tried this myself but I think it should work =)
Post by Benoit Plessis
Sorry, I lost Roger's mail so this might bork the thread ..
1. Use Security Director, that will download the signature to the server
and then push it to the device. (SD will also give you lots of other
benefits/visibility)
2. Download the update to a web server the SRX can reach, then use
offline-download "request security idp security-package offline-download
package-path http://x/y"
You can easily configure an event-option to run the update every night.
set event-options generate-event daily time-of-day 01:00:00
set event-options policy update_idp_package events daily
set event-options policy update_idp_package then execute-commands command
"request security idp security-package offline-download package-path http://x/y"
Hi,
Well, I found the "How to perform offline IDP and Application signature
database update in SRX" (*) which is three years old at least,
not very clear, and needs root (not super-user account) access to put files
directly in /var/db/idpd/...
* https://kb.juniper.net/InfoCenter/index?page=content&id=TN83
The documentation for "request security idp security-package
offline-download" suggests to
"Manually download the security package from the Juniper Security
Engineering portal. The package will have both IDP and application package
signatures." yet I wasn't able to find said package ...
By the way, JTAC answered this morning with said KB and a wonderful "It is
possible that the proxy method to not be standard. If this is the case, I
don't understand what are your expectation in regards to this."
BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
15.1X49 feature parity.
OK, gone back to 15.1, thanks
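Roger's option 2 (stage the package on a host the SRX can reach) and his unzip/gunzip steps can be done on a staging host that is allowed to use the web proxy, which is the egress restriction Benoit wants to keep on the SRX itself. The script below is an added example for this thread, not Juniper's or Roger's code. It assumes placeholders for the package URL, the proxy address and the expected SHA-256 (none of which the thread gives); it downloads through the proxy, refuses the file unless the digest matches, then unzips the archive and gunzips every member into a flat staging directory that can be served over HTTP for `offline-download` or copied to `/var/db/idpd/sec-download/`. The sample archive in `build_sample_package()` is constructed for the self-check and is not a real signature package.

```python
"""Stage a Juniper IDP signature package on a proxy-capable host.

Added example for the juniper-nsp thread; not Juniper tooling.  PACKAGE_URL,
PROXY_URL and EXPECTED_SHA256 are placeholders the operator must replace.
"""
import gzip
import hashlib
import io
import os
import sys
import tempfile
import urllib.request
import zipfile

PACKAGE_URL = "https://example.invalid/path/to/SignatureUpdate.zip"  # placeholder
PROXY_URL = "http://proxy.example.invalid:3128"                       # placeholder
EXPECTED_SHA256 = "0" * 64                                            # placeholder


def make_proxy_opener(proxy_url):
    """Opener that sends both http and https requests via the given proxy
    (CONNECT for https), so the staging host needs no direct egress."""
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    return urllib.request.build_opener(handler)


def fetch(url, opener, max_bytes=512 * 1024 * 1024):
    """Download url through opener, bounding the size we are willing to hold."""
    with opener.open(url, timeout=60) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("package exceeds max_bytes; refusing to stage it")
    return data


def verify_sha256(data, expected_hex):
    """Raise unless data hashes to the operator-supplied digest; return the digest."""
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_hex.lower():
        raise ValueError(f"sha256 mismatch: got {digest}, expected {expected_hex}")
    return digest


def new_staging_dir():
    """Fresh directory to serve over HTTP or scp to /var/db/idpd/sec-download/."""
    return tempfile.mkdtemp(prefix="idp-stage-")


def unpack_package(zip_bytes, dest_dir):
    """Roger's steps 1 and 2 without the shell: unzip, then gunzip every .gz
    member, writing plain files into dest_dir.  Member names are flattened
    (sec-download is flat) and checked so a crafted archive cannot write
    outside dest_dir.  Returns the sorted list of files written."""
    os.makedirs(dest_dir, exist_ok=True)
    dest_real = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename)
            payload = zf.read(info)
            if name.endswith(".gz"):
                payload = gzip.decompress(payload)
                name = name[:-3]
            out_path = os.path.realpath(os.path.join(dest_real, name))
            if os.path.dirname(out_path) != dest_real:
                raise ValueError(f"refusing to write outside staging dir: {info.filename}")
            with open(out_path, "wb") as fh:
                fh.write(payload)
            written.append(name)
    return sorted(written)


def stage(url=PACKAGE_URL, proxy_url=PROXY_URL, expected_sha256=EXPECTED_SHA256, dest_dir=None):
    """Full pipeline: proxy fetch -> digest check -> unpack into staging dir."""
    dest_dir = dest_dir or new_staging_dir()
    data = fetch(url, make_proxy_opener(proxy_url))
    verify_sha256(data, expected_sha256)
    return dest_dir, unpack_package(data, dest_dir)


def build_sample_package():
    """Constructed sample archive (not a real Juniper package): gzipped members,
    one in a subdirectory, plus a plain file, mimicking the zip-of-gz layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("groups.xml.gz", gzip.compress(b"<groups/>\n"))
        zf.writestr("sub/app_sig.xml.gz", gzip.compress(b"<applications/>\n"))
        zf.writestr("readme.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: stage.py URL PROXY_URL SHA256
        print(stage(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:                   # offline self-check on the constructed sample
        d = new_staging_dir()
        print(d, unpack_package(build_sample_package(), d))
```

Run it with the three real values as arguments; with no arguments it only unpacks the constructed sample so the flow can be checked with no network. The digest check is the important part: with the package pulled by a separate host, the SRX operator must pin what gets installed, since the device's own `offline-download` does not tell you much about what it accepted.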
Benoit Plessis
2017-12-21 09:16:07 UTC
Post by Roger Wiklund
https://kb.juniper.net/InfoCenter/index?page=content&id=KB27038
1. unzip the file, then gunzip all gz files: gzip -d *.gz
2. copy all files to the device with scp: scp -r *
3. request security idp security-package offline-download package-path
/var/db/idpd/sec-download
4. request security idp security-package install
Interesting,

The package is very large; however, since it does contain everything, it
would need to filter out unnecessary files,
not sure it would be really easier (to be done 'safely') than parsing
the xml file from the auto-upgrade url though.

As for the process you describe, "part 2" is my main concern (root
access on the SRX, no option to login with ssh pubkey); it also needs to be
done on both units of the cluster.

As for part 3, my previous experiment seems to tell me that if you copy
the files to /var/db/idpd/sec-download then "request security idp
security-package offline-download package-path" isn't useful;
however, it does feel like "offline-download" could be used to skip the
root access copy of step 2, but there is little to no information on the
expected "package" format.