08-11-2011 11:07 PM
I'm running NSM 2011.1, and 11.1R3.5 on an SRX240H-POE Virtual Chassis. When I attempt to push the Attack DB from NSM to the VC I get the following failure message:
Error Text: Attack/Detector Update exception
Error Details: Error information from the device : Write to destination file (/var/db/idpd/sec-download/libidp-detector.so.tgz.v_5230) failed: Permission denied
Error Severity error
NSM uses the 'admin' user id, which is configured as a super-user on the SRX. Is there something I'm missing here?
08-11-2011 11:54 PM
Hi, sounds like a nsm bug.
The NSM tries to write in the sec-download directory, but it is only writable by the srx root user.
You can verify this by
% ls -l /var/db/idpd/
The NSM should update the attack signatures in the /var/db/idpd/nsm-download directory:
drwxrwxrwx 2 root wheel 512 Apr 11 14:05 nsm-download
drwxr-xr-x 3 root wheel 512 Jul 12 14:38 sec-download
A workaround may be to configure the root user for nsm access.
08-12-2011 07:49 AM
I can confirm this too, we ran into the same issue and it's probably the same in all releases of JunOS (we saw this in 10.2). The file permissions on that directory are that the "root" user has write access, and so non-root netconf users attempts to update the attack DB fail with a permissions error.
I think that a solution may be required in JunOS so that a non-root netconf user can deliver the attack db to the device and have it integrated. At the moment, your options are to change directory perms, group id on your user or to use "root" for your NSM connection. We did not open a bug or enhancement request on this one, but if you do we'd add support to the case notes too.. just PM me.
08-12-2011 09:35 PM
Thank you for your feedback, I will keep this in mind on Monday when I meet with our sales team, an "NSM expert," and a regional SRX expert.
08-15-2011 04:00 AM
If there's any other NSM related feedback you'd like me to address send me a PM before Monday.
Just hand him a print out of this thread:
While he reads, please make a photo of his face and post it here.
08-19-2011 05:04 AM
I updated my NSM to 2010.4q47 with Schema 199 and the idp update works fine now.
We're using JunOS 10.4R3 on a SRX3400.