Screen OS

  • 1.  Problem for ISG1000

    Posted 04-07-2010 19:38

     Hi,

    I have some problems when managing the ISG1000 using NSM.

    1) The Web UI access to the firewall console is sluggish and significantly slower than expected. It takes about 10 seconds to fully load a page. The CPU usage is very low. What could have caused this problem?

    2) The IDP (IPS) function is turned on (only for ONE firewall policy) for testing and event logging; however, the network packets which match this firewall rule become very slow, with the ping test pattern as shown below.

    C:\Documents and Settings\user>ping 10.25.1.35 -t

    Pinging 10.25.1.35 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
    Reply from 10.25.1.35: bytes=32 time=1ms TTL=127
    Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
    Reply from 10.25.1.35: bytes=32 time=2ms TTL=127

    Is it normal after enabling IDP?

    3) When I try to update the device in NSM, it erases my modified configuration in the firewall and applies the configuration in NSM. Is there any way to update NSM from the firewall? I highlighted this because NSM runs on Java and is slow to amend the firewall configuration, and it needs extra effort to update the device settings.

    4) There is an error when I update the device after enabling IDP with "All attack" selected.

    Attachment(s): error log.txt (139 KB)
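The ping trace pasted in the post above is the kind of evidence worth quantifying before deciding whether a loss pattern is "normal": bursty timeouts with fast replies in between point at something intermittently stalling the path, whereas scattered single drops or rising RTTs point elsewhere. The following is an added example (not code from the original post or from Juniper) that parses Windows ping.exe output, counts loss, and run-length encodes the timeouts so bursts become visible; the sample input is the trace from the post, embedded here as a constructed string.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ping output quoted in the post above (Windows ping.exe format).
SAMPLE_PING = """\
Pinging 10.25.1.35 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
Reply from 10.25.1.35: bytes=32 time=1ms TTL=127
Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
Request timed out.
Request timed out.
Request timed out.
Reply from 10.25.1.35: bytes=32 time<1ms TTL=127
Reply from 10.25.1.35: bytes=32 time=2ms TTL=127
"""

# "time<1ms" is reported for sub-millisecond replies; we record it as 1 ms (an upper bound).
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[<=](\d+)ms TTL=(\d+)")
LOSS_RE = re.compile(r"^(Request timed out\.|Destination host unreachable\.)")


@dataclass
class PingSummary:
    sent: int                # probes parsed (replies + losses)
    lost: int                # probes with no reply
    max_rtt_ms: int          # slowest successful reply
    loss_bursts: int         # number of runs of consecutive losses
    longest_loss_burst: int  # length of the longest such run
    pattern: str             # one char per probe: '.' reply, 'X' loss


def parse_probes(text):
    """Return a list of (ok, rtt_ms) per probe in order; rtt_ms is None for a loss."""
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            probes.append((True, int(m.group(1))))
        elif LOSS_RE.match(line):
            probes.append((False, None))
        # Header, blank and statistics lines are ignored.
    return probes


def summarize(text):
    """Parse a ping trace and summarize loss, RTT and the burst structure of the loss."""
    probes = parse_probes(text)
    rtts = [rtt for ok, rtt in probes if ok]
    # Run-length encode the losses: consecutive 'X' probes form one burst.
    bursts, run = [], 0
    for ok, _ in probes:
        if ok:
            if run:
                bursts.append(run)
            run = 0
        else:
            run += 1
    if run:
        bursts.append(run)
    return PingSummary(
        sent=len(probes),
        lost=len(probes) - len(rtts),
        max_rtt_ms=max(rtts) if rtts else 0,
        loss_bursts=len(bursts),
        longest_loss_burst=max(bursts) if bursts else 0,
        pattern="".join("." if ok else "X" for ok, _ in probes),
    )


def loss_percent(s):
    return round(100.0 * s.lost / s.sent, 1) if s.sent else 0.0


def describe(s):
    """One-line triage verdict: bursty loss with fast surviving replies is a stall, not congestion."""
    shape = "bursty" if s.longest_loss_burst >= 3 else "scattered"
    speed = "fast" if s.max_rtt_ms <= 5 else "slow"
    return (f"{s.lost}/{s.sent} lost ({loss_percent(s)}%), {s.loss_bursts} loss bursts "
            f"(longest {s.longest_loss_burst}), max RTT {s.max_rtt_ms} ms: "
            f"{shape} loss, {speed} replies [{s.pattern}]")


if __name__ == "__main__":
    print(describe(summarize(SAMPLE_PING)))
```

For the trace in the post this reports 7 of 12 probes lost in two bursts (the longest four probes long) while every surviving reply is at or under 2 ms, which is why the symptom looks like intermittent stalling on the inspected flow rather than slow forwarding; the same script can be fed the output of a longer `ping -t` run captured to a file.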


  • 2.  RE: Problem for ISG1000
    Best Answer

    Posted 04-09-2010 05:40

    Regarding point 3:

    You can make the changes on the firewall, then choose "import device" instead of "update device".

    That will copy the config from the firewall to NSM.



  • 3.  RE: Problem for ISG1000

    Posted 04-14-2010 18:00

    Thanks for the reply.

    Any idea regarding the error when I enable IDP in a firewall rule with the IDP rule "All Attack" selected?

    error:

    Reason Codes:

    (7) This attack signature/anomaly is obsolete and not supported by the newer detector on the device.
       The signature will not be updated to the device.
    (3) Attack Group currently has no members.  In the future when predefined
       attacks are defined in their respective categories, these attack groups
       will be updated to the device.  Also, if user defined attacks are created
       with the appropriate filter conditions, they will automatically become
       members of this group.  No further action is required in this case.
    (5) This attack signature/anomaly has not been bound to any attack version.


    The Application Identification was pushed Successfully to Device

    There is a list of attacks with these reason codes. My concern is the attacks that have no problem: will they be updated successfully and provide protection?



  • 4.  RE: Problem for ISG1000

    Posted 04-15-2010 05:31

    Do a get event and see if you have any critical CPU error messages.

    Also try a get perf cpu all detail.

    Not all sigs will load, as some are deprecated/outdated or simply aren't supported in your version of the detector engine.



  • 5.  RE: Problem for ISG1000

    Posted 04-15-2010 23:10

    What about the supported sigs, will they be loaded even with the error?