Contributor
ecables
Posts: 39
Registered: ‎07-25-2011

Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

I'm running NSM 2011.1, and 11.1R3.5 on an SRX240H-POE Virtual Chassis.  When I attempt to push the Attack DB from NSM to the VC I get the following failure message:

Error Code:
Error Text: Attack/Detector Update exception
Error Details: Error information from the device : Write to destination file (/var/db/idpd/sec-download/libidp-detector.so.tgz.v_5230) failed: Permission denied
Error Severity: error

NSM uses the 'admin' user id, which is configured as a super-user on the SRX.  Is there something I'm missing here?

Contributor
mbrandt
Posts: 17
Registered: ‎10-30-2008

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

Hi, sounds like an NSM bug.

The NSM tries to write to the sec-download directory, but it is only writable by the SRX root user.

You can verify this by:

> start shell
% ls -l /var/db/idpd/

The NSM should update the attack signatures in the /var/db/idpd/nsm-download directory:

drwxrwxrwx  2 root  wheel   512 Apr 11 14:05 nsm-download
drwxr-xr-x  3 root  wheel   512 Jul 12 14:38 sec-download

A workaround may be to configure the root user for nsm access.

bye

Markus

Trusted Contributor
markpr
Posts: 70
Registered: ‎01-23-2008

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

I can confirm this too; we ran into the same issue, and it's probably the same in all releases of JunOS (we saw this in 10.2). The file permissions on that directory are such that the "root" user has write access, and so non-root netconf users' attempts to update the attack DB fail with a permissions error.

I think that a solution may be required in JunOS so that a non-root netconf user can deliver the attack DB to the device and have it integrated. At the moment, your options are to change the directory permissions, change the group id on your user, or use "root" for your NSM connection. We did not open a bug or enhancement request on this one, but if you do, we'd add support to the case notes too. Just PM me.
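To check which of the two download directories a given NSM login account could actually write to, here is an added POSIX sh example (not code from this thread or from Juniper). It parses the `ls -l` listing quoted above and evaluates the owner/group/other permission bits the way the kernel would; the listing, the account name `admin` and its group membership are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide whether a non-root account can write to the
# idpd download directories, from an `ls -l` listing and the account's groups.
# LISTING is constructed from the two lines quoted in the thread.
LISTING='drwxrwxrwx  2 root  wheel   512 Apr 11 14:05 nsm-download
drwxr-xr-x  3 root  wheel   512 Jul 12 14:38 sec-download'

# can_write MODE OWNER GROUP USER USERGROUPS -> prints yes or no
# USERGROUPS is a space-separated list of groups USER belongs to.
can_write() {
  mode=$1; owner=$2; group=$3; user=$4; groups=$5
  # root is exempt from discretionary permission bits
  if [ "$user" = root ]; then echo yes; return; fi
  # pick the rwx triplet that applies: owner (chars 2-4), group (5-7), other (8-10)
  if [ "$user" = "$owner" ]; then
    bits=$(printf %s "$mode" | cut -c2-4)
  elif printf ' %s ' "$groups" | grep -q " $group "; then
    bits=$(printf %s "$mode" | cut -c5-7)
  else
    bits=$(printf %s "$mode" | cut -c8-10)
  fi
  case $bits in
    ?w?) echo yes ;;
    *)   echo no ;;
  esac
}

# unwritable_dirs USER USERGROUPS [LISTING] -> names of directories USER cannot write to
unwritable_dirs() {
  user=$1; groups=$2; listing=${3:-$LISTING}
  printf '%s\n' "$listing" | while read -r mode links owner group rest; do
    name=${rest##* }   # last field of the line is the directory name
    if [ "$(can_write "$mode" "$owner" "$group" "$user" "$groups")" = no ]; then
      echo "$name"
    fi
  done
}

# Constructed scenario: NSM logs in as 'admin', a member of 'wheel'.
unwritable_dirs admin wheel
```

With that listing the check reports only `sec-download`, which matches the "Permission denied" path in the original error; run against a real `ls -l /var/db/idpd/` capture to confirm whether an alternative account or group change would be enough.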

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

Thank you for your feedback, I will keep this in mind on Monday when I meet with our sales team, an "NSM expert," and a regional SRX expert.

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

If there's any other NSM related feedback you'd like me to address send me a PM before Monday.

Super Contributor
cryptochrome
Posts: 498
Registered: ‎03-29-2008

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

ecables wrote:

If there's any other NSM related feedback you'd like me to address send me a PM before Monday.

Just hand him a print out of this thread:

http://forums.juniper.net/t5/Security-Management/Want-some-examples-why-NSM-is-a-piece-of-junk/m-p/1...

While he reads, please take a photo of his face and post it here.

Thanks.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860

Contributor
mbrandt
Posts: 17
Registered: ‎10-30-2008

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

Hi all,

I updated my NSM to 2010.4q47 with Schema 199 and the IDP update works fine now.

We're using JunOS 10.4R3 on a SRX3400.

Best regards

Markus

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

Was 2010.4q47 just released?  Is this the new "recommended" version of NSM?

Contributor
mbrandt
Posts: 17
Registered: ‎10-30-2008

Re: Unable to update the attack DB from NSM -> SRX240 Virtual Chassis

Hi,

2010.4q47 is a "Patch-Release" for NSM 2010.4.

I got it by opening a case with JTAC.

bye

Markus
