08-26-2009 06:49 PM
We have an NSM device which manages around 100 SSG-140's. The problem we are facing is with the offline update of DI (Attack Database). We run the below script to get this to work:
./guiSvrCli.sh --attack-update --post-action --update-devices --skip
This script is downloading the new DI update packs and updating the NSM server, but it is not pushing this to the firewalls, i.e. the post action is not working properly. If I run the command manually, it says the command completed successfully. If I go to the GUI and check the Job Manager (in the global domain), I can see that the "Scheduled Attack Database Update" is 100% Success. Along with this, 2 firewalls are also getting updated. But the rest of the firewalls will not be updated.
The strange thing is that if I do an Attack DB push from the GUI, all the firewalls take the update smoothly. Why is this script not pushing the update to the firewalls?
NSM version: 2008.2 r2
08-27-2009 01:57 AM
from the guiSvrCli.sh --help:
--post-action This parameter specifies what action the system
should perform after attack have been updated.
--update-devices This parameter directs the system to attempt
to update affected devices, though devices having
other changes pending will be skipped so as to
avoid accidentally pushing unexpected changes
--retry THIS PARAMETER IS DEPRECATED. Offline device
will always be skipped for updating.
--override THIS PARAMETER IS DEPRECATED. Setting it will
have no effect.
--abort THIS PARAMETER IS DEPRECATED. Setting it will
have no effect.
--skip This parameter directs the system to skip updating
the device if device is not connected to the
So I can see 2 different situations:
1) the devices are not connected to NSM when the operation is executed
2) the devices have pending changes (check the status, it should be "Managed, in sync" on the device manager list!)
Btw, the right command syntax for 2008.2r2 is:
/usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip
Check this KB for more info:
08-27-2009 06:07 AM
Hi Daniele, Thanks for replying.
All the devices have connectivity to the NSM. I have double-checked that. But for the "Managed, In Sync", we have a problem there. Even if there is no change to be pushed, this column will say "Managed, Device and NSM Changed" or "Managed, Device Changed" or "Managed, NSM Changed". Is this a known issue with NSM?
We were having 2007.3r3 and had this "changed" issue. So we consulted with Juniper and they suggested to upgrade the device to 2008.2r2. We did, but still the problem persists. I had a word with Juniper also and they are now suggesting a fresh installation of 2008.2r2 and an upgrade to 2008.2r2a. Do you have anything on this issue?
08-27-2009 06:48 AM
It may be because of the NTP sync between the 2 cluster members!
Check this KB:
Root cause: The Master firewall is sending a NTP sync command through the NSRP link after syncing with the NTP server. When the Backup firewall receives the NSRP sync message, it takes the command as a manual change in itself, and it sends out a 'device change' flag to NSM.
The solution is to configure each NSRP cluster member to sync with the NTP server individually, then apply command 'set ntp no-ha-sync' to block the NTP sync from the Master.
Let us know if this solves
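As an added illustration of the fix described in the post above (this is not from the original post or from the Juniper KB), here is what the NTP configuration would look like on each NSRP cluster member. The `set ntp no-ha-sync` command is the one named in the post; the `set clock ntp` / `set ntp server` command forms, the NTP server address 192.0.2.10 and the `save` at the end are assumed ScreenOS syntax, and the lines starting with `#` are annotations, not ScreenOS commands.

```text
# Before (the problem case): NTP is enabled, so the master syncs with the
# NTP server and then pushes a time-sync command over the NSRP link. The
# backup treats that command as a local change and raises a "device
# change" flag to NSM, so the pair never shows "Managed, In Sync".
set clock ntp
set ntp server 192.0.2.10

# After: apply this on BOTH cluster members. Each member now syncs with
# the NTP server on its own, and the master's NSRP time-sync message is
# blocked, so no spurious "device change" is reported.
set clock ntp
set ntp server 192.0.2.10
set ntp no-ha-sync
save
```

After changing the configuration on both members, re-import the device in NSM so the device manager shows "Managed, In Sync" again; only then will the scheduled attack update with `--update-devices --skip` push to that cluster.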
08-28-2009 06:06 AM
A part of it was solved by this. A BIG Thanks to you.
In some clusters I have made the change (no sync of NTP between members) and did a re-import of the firewall config, and after that the firewalls started showing "Managed, In Sync". Then I tried to run the script and the DI update got pushed to the firewall.
I have noticed one thing: in the previous setup, where we had 2007.3r3, this update was working fine even if there was a "Changed" status. Is it something they introduced in 2008.2r2 which is blocking this? Can we override this setting in any way, so that the firewall is updated even if there is a "Changed" status?