Security

Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  NSM 2010.4 + isg2000(idp) How to keep NSM from compiling IDP policy before device update?

     
    Posted 10-11-2012 06:05

    Hello.

     

    We have multiple ISG devices with security modules installed, but we are no longer using them. Even though we have no IDP policies defined, NSM always does a "compile IDP policy" during device updates. This doubles the amount of time it takes to update the ISGs.

     

    Is there a way to prevent NSM from doing this?

     

    Thanks,

    Sam



  • 2.  RE: NSM 2010.4 + isg2000(idp) How to keep NSM from compiling IDP policy before device update?
    Best Answer

    Posted 10-13-2012 01:30

    Hi,

     

    There is one patch available for 2010.4 with JTAC which will check if there is an update pushed for IDP or not. If there is no configuration pushed for IDP, NSM will not calculate the IDP policy. Related PR # 793996.

     

    Regards,

     

    Asad



  • 3.  RE: NSM 2010.4 + isg2000(idp) How to keep NSM from compiling IDP policy before device update?

     
    Posted 10-13-2012 06:11

    Thanks for the reply.

     

    Are you able to provide additional details on the PR?

     

    Specifically, is PR793996 fixed in the 2011 release?

     

    We're running 2010.4q16 -- is the patch already part of this service release?

     

     

    Regards,

    Sam



  • 4.  RE: NSM 2010.4 + isg2000(idp) How to keep NSM from compiling IDP policy before device update?

    Posted 10-16-2012 03:50

    Hi,

     

    You can double check for that with ATAC. I was using 2010.4q32 and the patch was available for that. I believe it should be available for q16 as well.

     

    BR/ Asad



  • 5.  RE: NSM 2010.4 + isg2000(idp) How to keep NSM from compiling IDP policy before device update?

     
    Posted 10-17-2012 13:49

    Thank you.

     

    JTAC confirms the releases where the issue got resolved: 2012.1s1, 2010.3s5, 2011.4s2.

     

     

    Thanks,

    Sam