SRX Services Gateway

IDP Policy Templates Commit Script Error

‎08-21-2013 08:34 AM

Hi,

I have downloaded and installed IDP and associated Signatures onto a box running JUNOS [11.4R5.5].

After applying the template to the config I get the below. I have never really run into this before and am thinking it may be a bug?

Any ideas?

user@srx# set system scripts commit file templates.xsl

user@srx# commit check


/dev/null:60:(36) Opening and ending tag mismatch: login line 36 and commit-script-input
/dev/null:61:(4) Premature end of data in tag system line 4
/dev/null:61:(2) Premature end of data in tag configuration line 2
/dev/null:61:(1) Premature end of data in tag commit-script-input line 1
error: error reading configuration: /dev/stdin
error: 5 errors reported by commit scripts
error: commit script failure



user@srx# run show security idp security-package-version
  Attack database version:2291(Mon Aug 19 18:34:44 2013 UTC)
  Detector version :12.6.160130715
  Policy template version :2291

 



MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
7 REPLIES

Re: IDP Policy Templates Commit Script Error

‎08-22-2013 04:25 AM

I upgraded to 11.4R7.5 Recommended Release also and it's the same.

Anyone? :-O

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: IDP Policy Templates Commit Script Error

‎08-22-2013 07:18 AM

This sounds like an issue with the parsing of the template file.

Was there any change made to templates.xsl or any of the xml files?

I would try deleting all the configuration or cleaning up the config directory like below:

http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB24684

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!

Re: IDP Policy Templates Commit Script Error

[ Edited ]
‎08-22-2013 08:16 AM

Hi,

The templates.xsl has not been modified in any way.  It does look like a parsing issue.

I have tried clearing the config directory and also I have removed IDP as below.

I removed the following, redownloaded everything and the same error!  :-s

rm -rf /cf/var/db/scripts/commit/*
rm -rf /cf/var/db/idpd/db/*
rm -rf /cf/var/db/idpd/sec-download/*
rm -rf /cf/var/db/idpd/nsm-download/*
rm -rf /cf/var/db/idpd/sec-repository/*

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Solution
Accepted by topic author MMcD
‎08-26-2015 01:27 AM

Re: IDP Policy Templates Commit Script Error

‎11-19-2013 03:55 AM

Hi, just following up on this in case it ever helps anyone. Basically, the system message banner had characters causing the IDP commit script to fail upon parsing the config.

The exact message is below. The ▒▒▒ characters were somehow put in place during an upgrade (I can't see a user actually putting these in!), replacing blank spaces in the config.

A second SRX has the exact same banner message but does not display the oddball characters.

*********************************** Warning ************************************
*▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒*
* You are about to access a protected resource. Unauthorized Persons will be   *
* prosecuted to the fullest extent of the law. This will be your only warning. *
*▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒*
********************************************************************************

Hope it helps!

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: IDP Policy Templates Commit Script Error

[ Edited ]
‎11-20-2013 04:46 PM

You can also use \n to perform a carriage return as well:

 

set system login message "\nUNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.\n\nYou must have explicit permission to access or configure this device.\nAll activities performed on this device may be logged, and violations\nof this policy may result in disciplinary action,and may be reported to\nlaw enforcement. There is no right to privacy on this device.\n\n"

Which will produce:

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

You must have explicit permission to access or configure this device.
All activities performed on this device may be logged, and violations
of this policy may result in disciplinary action,and may be reported to
law enforcement.  There is no right to privacy on this device.

 Unless I'm missing something else.

---
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC

Re: IDP Policy Templates Commit Script Error

‎11-21-2013 04:32 AM

Hi Clay,

Of course that is a much cleaner method of creating a banner!  When the IDP commit script was parsing the back end XML, it couldn't handle this character, which I now know to be Unicode Character 'Medium Shade' (U+2592).  I assume there is quite a lot more it can't handle.

How they got there instead of spaces, I don't know; I'm told they were copied from an old unit.

What exact characters are valid in the banner (and other places) I am not sure, haven't looked into it.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
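
A check for the condition found in this thread, as an added example (not part of any post and not Juniper code): it scans configuration text saved from the device, such as `show configuration | display set` output, for characters outside printable ASCII and names each run, so a stray U+2592 in a banner can be located without reading commit-script parser errors. The function names and sample config are constructed, and treating printable ASCII as the safe set is an assumption, since the thread leaves the valid character set open.

```python
import unicodedata

# Constructed sample in "display set" style; the banner imitates the one in the thread.
SAMPLE_CONFIG = "\n".join([
    'set system host-name srx',
    'set system login message "* Warning *\\n*\u2592\u2592\u2592\u2592*\\n* protected *"',
    'set system scripts commit file templates.xsl',
])


def is_safe(ch):
    """Assumed safe set: tab, newline and printable ASCII (space through tilde)."""
    return ch in "\t\n" or " " <= ch <= "~"


def find_suspect_runs(config_text):
    """Return (line_no, column, count, code_point, name) for every run of
    identical characters that falls outside the assumed safe set."""
    findings = []
    # split("\n") rather than splitlines(), which would silently swallow
    # exotic separators (U+2028, form feed) instead of reporting them.
    for line_no, line in enumerate(config_text.split("\n"), start=1):
        col = 0
        while col < len(line):
            ch = line[col]
            if is_safe(ch):
                col += 1
                continue
            end = col
            while end < len(line) and line[end] == ch:
                end += 1
            name = unicodedata.name(ch, "UNNAMED")
            findings.append((line_no, col + 1, end - col, f"U+{ord(ch):04X}", name))
            col = end
    return findings


def sanitize(config_text, replacement=" "):
    """Replace each suspect character with a space, matching the thread's
    observation that the odd characters stood where blanks used to be."""
    return "".join(ch if is_safe(ch) else replacement for ch in config_text)


if __name__ == "__main__":
    for line_no, col, count, cp, name in find_suspect_runs(SAMPLE_CONFIG):
        print(f"line {line_no}, col {col}: {count} x {cp} {name}")
```

Review the findings before re-entering the affected statement on the device; `sanitize` only shows what the cleaned text would look like.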

Re: IDP Policy Templates Commit Script Error

‎11-21-2013 04:37 AM

We will try to document this in a Juniper KB article for other Juniper product users to use.

--Cheers

Dipanshu