Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  NSM ISG2000 IDP signature Update issue

    Posted 01-14-2017 00:51

    Hi every one.

    recently i have a strange problem in updating my isg 2000 IDP signatures with NSM. last week i updated my idp modules with latest signatures via offline method which is downloading two files:

    1-NSM-SecurityUpdateInfo.dat

    2-NSMFP14-DI-IDP.zip

     

    generally I place these two files in nsm and then go through the update wizard to update the idp signatures.

    recently i have downloaded these two files and this time i faced an error message that prevented the wizard to complete the update . i have attached error screenshot.

    after this error message which is general java error for which it seems that it could apperar for several reasons i investigated the NSM-SecurityUpdateInfo.dat file and i saw strange thing.

    in older versions of this .dat file there is lots of texts about different versions of signature update files for example (NSMFP14-DI-IDP.zip , NSMFP15-DI-IDP.zip NSMFP17-DI-IDP.zip , ....)

    in this new .dat file there is nothing but only about NSMFP17-DI-IDP.zip file.  (you can open .dat file via word or any text editor)

     

    problem is my nsm is ver 2010.3 and for this version im using NSMFP14-DI-IDP.zip file.  also i think NSMFP17-DI-IDP.zipis for newer nsm version!(i dont know if any one can tell me the deference)

    this is download link for those two files:

     

    https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat

    https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSMFP14-DI-IDP.zip

     

    i also tried to update idp sig with this new .dat file and sig update NSMFP17-DI-IDP.zip but i get same error message in attachment.  i think these error has to be something with this new .dat file format which i dont understand why juniper changed this file content. i also attached an older version of  NSM-SecurityUpdateInfo.dat int the attachemnts which you can see is much richer than this new dat file that you can download it from above url. (i also tried to alter old .dat file and use it with new sig update file with No luck!)

     

    please help me to resolve this strange problem. thanks 

     

    Attachment(s)

    doc
    old-NSM-SecurityUpdateInfo.dat.doc   4 KB 1 version


  • 2.  RE: NSM ISG2000 IDP signature Update issue

     
    Posted 01-14-2017 02:50

    Hi Sevan,

     

    I thnk you are using very old version of NSM:2010.3. As per TSB17019 signature update is EOL for below products version.

     

    PRODUCT AFFECTED:

    High End SRX Versions 9.2 through 12.1R2
    Branch SRX versions 9.4 through 12.1R2
    J-Series versions 9.5 through 12.1R2
    MX versions 9.5 through 11.4
    NSM versions released prior to 2012.2R1

     

    Fore more information please refer the below mentioned link :

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17019&smlogin=true&actp=search

     

    I would recommend you to upgrade the NSM to latest version and then test.

     


    [KUDOS PLEASE! If you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

     

    Regards,

    Rishi 

     

     



  • 3.  RE: NSM ISG2000 IDP signature Update issue

    Posted 01-14-2017 04:29

    Hi Rishi ,

     

    thanks for your reply. you are right about my NSM version but the fact is despite of my old NSM version i was able to update my IDP till last week just before change of  the 'NSM-SecurityUpdateInfo.dat'  file that i mentioned in my earlier post.



  • 4.  RE: NSM ISG2000 IDP signature Update issue

     
    Posted 01-14-2017 04:57

    Hi Sevan,

     

    I do understand that but there are some changes which have been made as per the EOL which might be causing this issue.

     

    I would recommend you to upgrade the version and than let me know if the issue is still persistent, I will take it further .

     

    Regards,

    Rishi



  • 5.  RE: NSM ISG2000 IDP signature Update issue

    Posted 01-15-2017 00:29

    Thanks Rishi

     

    accourding to your guidance and documentations im convinced to upgared my nsm and i think its right thing to do. but i have questions for this upgrade thing.

     

    1- my nsm is 2010.3 and if i upgrade from current release what will happen to my installed license files?(i have 25 device license installed on my nsm)

     

    2- how can i export my license files from current nsm if i need to do clean install?

     

    3- according to nsm 2012.2 release note i should go to 2010.3S first and then i can go to 2012.2 .my linux is Redhat Enterprise 5.4  so whcih one of this files i have to download and execute on my server to go to 2010.3S1 ?

     

    Central Manager upgrade MD5 SHA1 2010.3s1 zip 1,022,355,754 01 Dec 2011
    Linux Server MD5 SHA1 2010.3s1 zip 1,176,388,021 01 Dec 2011
    Linux System Update utilities MD5 SHA1 2010.3s1 zip 77,973,357 01 Dec 2011
    Linux UI client MD5 SHA1 2010.3s1 zip 156,077,423 01 Dec 2011
    Offline Server upgrade MD5 SHA1 2010.3s1 zip 201,833,135 01 Dec 2011
    Regional Server upgrade MD5 SHA1 2010.3s1 zip 1,191,639,748 01 Dec 2011
    Solaris Server MD5 SHA1 2010.3s1 zip 1,269,869,762 01 Dec 2011
    Solaris System Update utilities MD5 SHA1 2010.3s1 zip 19,042,157 01 Dec 2011
    Windows UI client

     

    4- after upgrade to 2010.3S1 which of these files stated in table "Tools - CentOS5.7" in 2012.2 download page i need to download and execute?

     

    Tools - CentOS5.7 Checksum Release Format Size File Date
    CentOS Upgrade and Update Recovery Partition Script_v1 MD5 SHA1 2012.2 sh 7,093 28 May 2013
    NSM Appliance Generic Offline Upgrade Package_v1 - CentOS 5.x! MD5 SHA1 2012.2 zip 570,126,288 08 Jul 2013
    NSM Appliance Generic Offline Upgrade Package_v2 - CentOS 5.x! MD5 SHA1 2012.2 zip 587,769,698 09 Dec 2013
    NSM Appliance Generic Offline Upgrade Package_v3 - CentOS 5.x! MD5 SHA1 2012.2 zip 590,550,810 30 Sep 2014
    NSM Appliance Generic Offline Upgrade Package_v4 - CentOS 5.x MD5 SHA1 2012.2 zip 592,772,548 24 Apr 2015
    NSM Appliance Generic Online Upgrade Script_v1! MD5 SHA1 2012.2 sh 37,730 08 Jul 2013
    NSM Appliance Generic Online Upgrade Script_v2! MD5 SHA1 2012.2 sh 40,629 09 Dec 2013
    NSM Appliance Generic Online Upgrade Script_v3_CentOS5.x! MD5 SHA1 2012.2 sh 45,155 30 Sep 2014
    NSM Appliance Generic Online Upgrade Script_v4_CentOS5.x MD5 SHA1 2012.2 sh 46,570 24 Apr 2015
    NSM Appliance ISO CentOS5.7_v1! MD5 SHA1 2012.2 zip 636,554,990 24 May 2013
    Update Recovery Partition ISO for CM Server_v1 MD5 SHA1 2012.2 zip 1,877,769,277 24 May 2013
    Update Recovery Partition ISO for RS Server_v1

    * what is V1 and V2 V 3 V4 differences? do i need both?

     

    5- and my final question, in above table it says NSM Appliance generic offline, my nsm server is ordinery HP server and not Appliance so is it ok? or i need to download some other files?

     

    i can just say Big Thank you for the Time you spend for answering my Questions . thank you



  • 6.  RE: NSM ISG2000 IDP signature Update issue

     
    Posted 01-18-2017 06:57

    Hi Seven,

     

    Generally if the number of devices managed by  NSM are less than 25 then it is base license used on that server. When you need to manage more than 25 device you need to purchase additional license. 

     

    on your NSM CLI you can naviagate to /var/netscreen/GuiSvr/License and check if you see license.txt there, If yesmove it to your PC using WINSCP. If no you can assume that it is the base license and proceed with the upgrade.

     

    You need to use the below mentioned file for the linux server:

     

    Linux Server MD5 SHA1 2010.3s1 zip 1,176,388,021 01 Dec 2011
    Linux System Update utilities MD5 SHA1 2010.3s1 zip 77,973,357 01 Dec 2011

     

     

    The files you have mentioned in question#4 are for hardware appliance, for linux server you need download the same above file from 2012.2 section.

     

    [KUDOS PLEASE! If you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

     

    Regards,

    RIshi

     

     

     

     



  • 7.  RE: NSM ISG2000 IDP signature Update issue

    Posted 01-21-2017 21:29

    Hi Rishi

     

    i want to say thank you for all your effort in helping me through this. you helped me so much. for final question as i red the documents i assume these things are correct. can you verify:

     

    1- because i have no appliance and im in linux server so i can go straight to 2012.2 from 2010.3 with using 'Linux System Update utilities' and 'Linux Server'  and no need to go to 2010.3S1 (if i had appliance i should have but i dont)?

     

    and as you saied i checked my nsm and the path you mentioned and im sure that im using base license so every thing is ok for upgrade. thanks



  • 8.  RE: NSM ISG2000 IDP signature Update issue
    Best Answer

     
    Posted 01-22-2017 12:38

    Hi Sevan ,

     

    I request you to please refer the Page-16 for the recommended upgrade paths to 2012.2 following the below mentione link :

     

    http://www.juniper.net/techpubs/software/management/security-manager/nsm2012_2/nsm2012_2_release_notes.pdf

     

    Documentation:

    http://www.juniper.net/techpubs/en_US/release-independent/nsm/information-products/pathway-pages/central-manager/product/index.html

     

    Please let me know if you have further queries.

     

    Regards,

    Rishi 

     

    [KUDOS PLEASE! If you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

     

     



  • 9.  RE: NSM ISG2000 IDP signature Update issue

    Posted 02-12-2017 02:38

    Thanks Rishi for your effort and helpful guidance.