Security

I've been away from the wonderfull world of NSM for a while. I got the latest schema on but still cant import 11.4. Anyone know when it will be added ?

Don't hold your breath. Next major release won't be available before end of Q1 next year. And schema-updates are only part of the truth. For example, Junos supports nested object groups since 11.1, but even with the lates schema-update NSM still rips nested groups apart and writes "legacy configuration" to the device. Really nice stuff happens when you import that back into NSM....

Yipes.. I have 2 greenfield SRX650s . I guess I wont be nesting groups but hope to get the schema update soon for NSM.

 

Thanks 

---

@Jickfoo wrote:

Yipes.. I have 2 greenfield SRX650s . I guess I wont be nesting groups but hope to get the schema update soon for NSM.

 

Thanks 

---

Maybe you don't need nested groups, but maybe you need to be able to upgrade a SRX in virtual chassis mode to a new version? not supported in NSM. Maybe you want to use new features of 11.1/2/4 like finally being able to use in-band cluster upgrade? not supported in NSM. there is so much more. NSM and SRX just don't fit together.

 

 

Got this back from support

 

"Currently the highest supported release on the NSM is 11.2R3.3 with schema 215.

The 11.4 version would be supported in next one or two schema releases which could take a maximum of one month."

 

So, I guess 1/1/2012 I'll check it again.

 

Thanks,

Justin

---

@Jickfoo wrote:

Got this back from support

 

"Currently the highest supported release on the NSM is 11.2R3.3 with schema 215.

The 11.4 version would be supported in next one or two schema releases which could take a maximum of one month."

 

So, I guess 1/1/2012 I'll check it again.

 

Thanks,

Justin

---

Did they also mention whether the new schemas really USE the new features or just support them (like writing out nested groups to the SRX instead of flattening them out)?

So far with the SRX line, I wouldn't trust a JUNOS release until the NSM supported schema comes out anyway (takes a month minimum)... the r1 releases are notorious for bugs due to them containing new features. r3 releases and higher tended to be fairly reliable.

Looks like it has been added. I can add the device but am running into the standard nonsense. The device wont connect and update NSM with it's config. In the screen devices there was a command line option I could add. It basically pointed the firewall to NSM and told it to connect. Poking through the GUI, I dont see anything about NSM.

 

Does anyone if there is a command like this for Junos ?

---

@Jickfoo wrote:

Looks like it has been added. I can add the device but am running into the standard nonsense. The device wont connect and update NSM with it's config. In the screen devices there was a command line option I could add. It basically pointed the firewall to NSM and told it to connect. Poking through the GUI, I dont see anything about NSM.

 

Does anyone if there is a command like this for Junos ?

---

There isn't. Unlike ScreenOS, Junos is not even aware about the existance of NSM. You have to add the device through NSM.

 

Yea, I did, but NSM doesnt import the config.

Tried these instructions , It appears Junos does know about NSM. Still doesnt work though.

 

- Set the Device Admin User Name and Password which are used for SSH connection.  

- Set One-Time Password which is used for first connection from device to NSM server.  

- Follow these steps to finish adding the new device:

 

1. Log into the command line interface on the device   

2. Go to the edit mode in the command line interface   

3. Configure the device to connect to NSM. Execute the following CLI commands.   

4. set system services outbound-ssh client nsm device-id 257712   

5. set system services outbound-ssh client nsm secret <one-time-password>   

6. set system services outbound-ssh client nsm 10.x.xxx.xxx port 7804   

7. set system services outbound-ssh client nsm services netconf   

8. commit   

9. The device will immediately attempt to connect to NSM.

 

 

Usually, what I do: I add the device from NSM. It will automatically do all the one-time-password and other config for you. So instead of adding all that stuff through the CLI and then try to connect to NSM, all I do is add a NSM user to the SRX, enable SSH access and then go to NSM and use the "Add Device" function there. Usually that does everything.

I'm working with support now. There is some weird problem. NSM shows ' device-id mismatch '

 

Logs show. No record found in database for this incoming connection, Could be wrong device-id or it is removed by user.inside. blah blah blah Device ID is 0 .

 

Even though its not. Smells like a bug to me. SRX 650 on 11.4 were just added to support.

Ok, so its been over 3 months. I'm assuming Juniper has fixed this so I am giving it another shot. Rebuilt NSM from scratch and am applying 228 the latest schema as we speak. Any guesses as to whether I'll be able to manage my SRX650s or not ?

Found this article:

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Cluster-NSM-Example/td-p/53388 

 

Added my 650 cluster as a Virtual Chassis. It worked. Policies are imported. Havent really done anything with it yet but at least I see the device and the config in NSM.

If I were you, I would wait a couple of more weeks. NSM 12.1 will be here soon. It will have enhanced support for managing SRX devices. For example, NSM will finally be able to recognize when a SRX has changed (e.g. through local comman-line config changes). The real advise though is to delete NSM alltogether - since you are building from scratch it shouldn't be so painful - and wait for the release of Junos SPACE 12.1. It will be released in May. It eats NSM for breakfast and will be the first release that will be able to more or less completely replace NSM (except for logging). I've seen it and I was impressed.