在使用NSM时,我一直在处理瞻博网络SRX IDP错误。主要是这些错误是由损坏的签名数据库或SRX本身上的存储空间引起的。这是我遇到的最新一个。
症状
从空间,如果我对防火墙策略进行了新的更改并将其推向网关,我将获得以下错误。
它说“没有为主动策略中国体育彩票开奖的规则库”,它第一次看到此消息时是错误的。 IDP政策通常在这里很好。
[Error] Configuration update failed. Severity : error At : [edit security idp] Message : 没有中国体育彩票开奖为活动策略的规则库 Details :idp-policy Space-IPS-Policy Severity : error Message : configuration check-out failed
To view the full error message,Click here<commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path> <error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element> </error-info>
<error-message> 没有中国体育彩票开奖为活动策略的规则库 </error-message> </rpc-error>
<rpc-error>
<error-type>protocol</error-type> <error-tag>operation-failed</error-tag> <error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>
来自命令行:
{primary:node1}[edit] [email protected]# {primary:node1}[edit] [email protected]# commit [edit security idp] 'idp-policy Space-IPS-Policy' 没有中国体育彩票开奖为活动策略的规则库 error: configuration check-out failed {primary:node1}[edit] [email protected]#
基于KB26964,它是IDP错误消息,它与IDP签名数据库有关。
在这种情况下,出于某种方式,两个节点都没有相同的攻击数据库版本。
[email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A {secondary:node0}
解决方案
1.禁用IDP并安装策略。
它从命令行工作,但它不是我们想要的理想解决方案。如果您有限的时间来实现变更,它将有所帮助。
[email protected]# deactivate security idp {primary:node1}[edit] [email protected]# commit check node1: configuration check succeeds node0: configuration check succeeds
2.重新安装攻击DB
2.1直接从互联网安装
如果您的设备具有Internet访问权限,则需要从SRX中删除攻击DB并重新安装它。
[edit] root# run start shell user root ##Type the root password and delele the files:
root% rm -rf /var/db/idpd/sec-download/*
##Install either a previous version of the attack DB or the latest version:
root> request security idp security-package download version 2232 full-update root> request security idp security-package install
##Set the active policy as Recommended and then commit the configuration; it should be successful this time.
root# set security idp active-policy Recommended root# commit
##Check the policy commit status: root # run show security idp policy-commit-status
2.2从Junos Space安装
删除所有DB文件,然后再次将最新攻击DB推动。
2.3从另一个节点复制
在我的情况下,由于节点0具有最新的IDP攻击DB,只需将其从节点0复制到节点1以确保都具有相同的攻击DB,问题可以解决。
[email protected]> show security idp security-package-version
node0:
--------------------------------------------------------------------------
Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
Detector version :12.6.160170603
Policy template version :N/A
node1:
--------------------------------------------------------------------------
Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC)
Detector version :12.6.160170603
Policy template version :N/A
[email protected]% rcp -r -T /var/db/idpd/* node1:/var/db/idpd/ [email protected]% [email protected]% [email protected]% cli {secondary:node0} [email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A
如果其中一个集群成员在其上有正确版本,则此方法可以修复大多数IDP攻击DB问题。