ScreenOS Firewalls (NOT SRX)
Visitor
DrewCooper
Posts: 5
Registered: ‎01-04-2009

Problems with DI subscription

I'm setting up a new SSG140 which will be used to segregate a couple of internal subnets.  As such it only has internet access via our corporate HTTP/SSL proxy.

I'm trying to get Deep Inspection set up.  I've purchased and received the subscription key, and registered it on the Juniper site.

I've set up the proxy info for the subscription updates:

set pattern-update proxy http <IP address>:<port>

set pattern-update proxy ssl <IP address>:<port>

set attack db pattern-update use-proxy 

When I try updating the DI signatures I get the following:

vfp-mev-01:fp99-502a(M)-> exec attack update

Signature update key is missing.

Error contacting attack database server.

Failed command - exec attack update

vfp-mev-01:fp99-502a(M)-> exec attack-db update

Signature update key is missing.

Error contacting attack database server.

Failed command - exec attack-db update

I've checked my license as follows:

vfp-mev-01:fp99-502a(M)-> get license

Model: Advanced

Sessions: 48064 sessions

Capacity: unlimited number of users

NSRP: ActiveActive

VPN tunnels: 500 tunnels

Vsys: None

Vrouters: 6 virtual routers

Zones: 30 zones

VLANs: 100 vlans

Drp: Enable

Deep Inspection: Enable

Deep Inspection Database Expire Date: Disable

Signature pack: Signature update key is missing

IDP: Disable

AV: Disable(0)

Anti-Spam: Disable(0)

Url Filtering: Disable


Update server url: nextwave.netscreen.com/key_retrieval

License key auto update : Disabled

Auto update interval : 0 days

Trying to update the license details gives the following:

vfp-mev-01:fp99-502a(M)-> exec license update

The device was unable to reach the entitlement server to retrieve license keys

Failed command - exec license update

Using a packet capture tool I was able to see the SSG device query DNS for the nextwave.netscreen.com host, rather than contact it via the proxy.

What am I missing?

Thanks in advance,

Andrew
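
The `get license` output above is what shows whether the subscription key ever arrived, so here is a small added example (my own code, not from this thread or from Juniper) that parses that output and flags the DI subscription problems it reveals; the sample text is constructed from the output quoted above, and the field names are assumed to match ScreenOS's wording.

```python
# Added example: parse ScreenOS `get license` output and flag DI subscription
# problems. Not from the thread or Juniper; field names assumed to match ScreenOS.

# Constructed sample, abbreviated from the `get license` output quoted above.
SAMPLE_GET_LICENSE = """\
Model: Advanced
Sessions: 48064 sessions
Deep Inspection: Enable
Deep Inspection Database Expire Date: Disable
Signature pack: Signature update key is missing
IDP: Disable
AV: Disable(0)

Update server url: nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days
"""


def parse_get_license(text):
    """Turn 'Field: value' lines into a dict; blank lines and odd spacing are tolerated."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def di_subscription_findings(fields):
    """Return findings (an empty list means the DI subscription looks healthy)."""
    findings = []
    if fields.get("Deep Inspection") != "Enable":
        findings.append("Deep Inspection is not licensed on this device")
    if "key is missing" in fields.get("Signature pack", "").lower():
        findings.append("no signature update key: the device never retrieved "
                        "its subscription key from LMS, so 'exec attack update' will fail")
    if fields.get("Deep Inspection Database Expire Date", "Disable") == "Disable":
        findings.append("no DI database expiry date: no subscription key is active")
    if fields.get("License key auto update", "").lower() == "disabled":
        findings.append("license key auto update is disabled: renewals will not be fetched")
    return findings


if __name__ == "__main__":
    for finding in di_subscription_findings(parse_get_license(SAMPLE_GET_LICENSE)):
        print("-", finding)
```

Run against the output of `get license` from each firewall to spot devices whose subscription key never arrived before their signatures go stale.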

Trusted Contributor
Munpe_Q
Posts: 192
Registered: ‎10-02-2008

Re: Problems with DI subscription

Make sure your clock is correct on your firewall.  This will cause issues like this.

-=Q
Visitor
DrewCooper
Posts: 5
Registered: ‎01-04-2009

Re: Problems with DI subscription

The clock is correct.  It's set by NTP.

I think the real issue I have is that I can't get the device to use a proxy server to contact the Entitlement Server.  It's trying to get to the Entitlement Server directly, which it can't do from behind our corporate firewall.

Trusted Contributor
Munpe_Q
Posts: 192
Registered: ‎10-02-2008

Re: Problems with DI subscription

I see, you did say that and I overlooked it.  So, yeah, that's a bit of a problem, isn't it.

Besides allowing connectivity, I don't know that you can do anything about that.

-=Q
Trusted Contributor
Arkus
Posts: 70
Registered: ‎02-11-2008

Re: Problems with DI subscription

Hi Drew,

I'm not much of a DI expert, but does this article help? It discusses your problem (proxy access, offline DI signatures) and has an extra step: KB4838

http://kb.juniper.net/index?page=content&id=KB4838&actp=search&searchid=1233665540431

Regards

Andy

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: Problems with DI subscription

It seems your issue is specifically with enabling your license key. You mentioned that you received your license key. If you have the key string, you can manually enter it into your SSG. Here's an excerpt from the ScreenOS Concept & Examples Guides, Fundamentals volume.

3. The Juniper License Management System provides the license key in one of two ways:

  • Download the license key to your computer.
  • Receive an email that contains your license key.

4. Install the license key in one of the following ways:

WebUI
  Configuration > Update > ScreenOS/Keys > Select License Key Update (Features) > click Browse > select the file with the license key, then click Apply.

CLI
  exec license-key <key_num>

Once the license key is enabled then I suspect that you will be able to retrieve your DI signatures.

-Richard

Visitor
DrewCooper
Posts: 5
Registered: ‎01-04-2009

Re: Problems with DI subscription

Thanks.  I must have missed that section in my reading.  In the meantime I've managed to connect the device to an open Internet connection and obtain the key that way.  I'll use this method when it comes time to renew the key next year.

Once I got the license installed I reconnected the device to our network and was unable to get the signature updates via our proxy.  I set up the proxy address and port correctly, and in a packet capture I could see the device talking to our proxy server, but its initial request appeared to be encrypted and the proxy server rejected the query.  It's not a show-stopper because I've been able to load the signature database manually.  But it's going to be painful keeping it up-to-date if I can't get the automatic updates working.

Juniper Employee
LicensingGuy
Posts: 8
Registered: ‎06-17-2008

Re: Problems with DI subscription


RE: Manually obtaining subscription license keys.  The procedure described above for generating license keys for ScreenOS devices applies to non-subscription keys.  Subscription (AV, DI, WF, AS) keys work a bit differently.

Once a subscription Authorization Code and a ScreenOS device serial number are presented to the License Management System (LMS), LMS waits for the device to contact it before it actually generates a subscription key.  The LMS user cannot force a key to be generated.  LMS requires a device to contact it via the internet before it generates a subscription key.  Thus there is no key to be downloaded or emailed until the device initially contacts LMS requesting a key.  Once LMS does receive this request, the key(s) can be found using the LMS search capability, and then the key(s) can be emailed or downloaded.  This behavior also applies to keys generated as a result of subscription renewals.  LMS must be contacted via the internet before it generates the renewal keys.

As a workaround, the following procedure can be used.  This procedure generates keys with end dates based on active LMS subscription entitlements.  LMS validates the serial number of the device.

Procedure:

1)  Log on to LMS.

2)  Type the following URL in the browser, replacing <SERIAL_NUMBER> with the correct serial number.

 https://www.juniper.net/lcrs/reflex/mylicense.do?serial=<SERIAL_NUMBER>

3)  If all is correct, the browser will respond with the subscription key(s).

   a.  Using the LMS search capability, these keys are now available to be downloaded or emailed.

   b.  Previous subscription keys for the appliance will be archived in LMS.

4)  If there is an error, the browser will display an error condition.

Error Condition:  The serial# is NOT valid (wrong device# or mistyped)
Internet Explorer shows:  Error 400 – Bad Request message
Firefox shows:  “Invalid Serial Number” message

Error Condition:  The serial# is valid but has NO active or valid entitlements (e.g., the subscription end dates have passed)
Internet Explorer shows:  Error 500 - Internal Server Error message (System Down)  IF YOU RECEIVE THIS ERROR, PLEASE DO NOT CALL REPORTING THE SYSTEM IS DOWN.
Firefox shows:  BLANK browser with NO message

Message Edited by LicensingGuy on 03-06-2009 05:31 PM
Super Contributor
oldtimer
Posts: 227
Registered: ‎11-06-2007

Re: Problems with DI subscription

Did you ever run a 'debug httpfx all' when you tried to update via the proxy?  If so, can you post it here?

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.