While using NSM I have been dealing with Juniper SRX IDP errors on and off. Mostly they are caused by a corrupted signature database or by running out of storage on the SRX itself. This is the latest one I ran into.

Symptoms
From Space, if I make a new change to the firewall policy and push it to the gateway, I get the following error.

It says "No rulebases configured for the active policy", which is misleading the first time you see it: the IDP policy itself was perfectly fine here.

[Error] Configuration update failed.

Severity : error            At : [edit security idp] Message : No rulebases configured for the active policy
  Details : idp-policy Space-IPS-Policy Severity : error Message : configuration check-out failed

To view the full error message, click here
<commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path> <error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element> </error-info>
<error-message> No rulebases configured for the active policy </error-message> </rpc-error>
<rpc-error>
<error-type>protocol</error-type> <error-tag>operation-failed</error-tag> <error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>
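As an added example (not from the original post, and not Juniper's or Junos Space's own code), here is a small Python parser for the <commit-results> reply above. When a push is automated, this is the kind of check worth running on the reply so that the failing daemon, configuration path and element are surfaced instead of just "configuration check-out failed". The sample reply is constructed from the output shown above, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the commit reply shown in this post
# (whitespace inside the elements is left as Junos emits it).
SAMPLE_COMMIT_RESULTS = """<commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path>
<error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element>
</error-info>
<error-message> No rulebases configured for the active policy </error-message>
</rpc-error>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>"""


def _child_text(elem, tag):
    """Return the stripped text of a direct child element, or '' if absent."""
    if elem is None:
        return ""
    child = elem.find(tag)
    if child is None or child.text is None:
        return ""
    return child.text.strip()


def parse_commit_errors(xml_text):
    """Turn a <commit-results> reply into a list of structured error records."""
    root = ET.fromstring(xml_text)
    errors = []
    for err in root.iter("rpc-error"):
        errors.append({
            "severity": _child_text(err, "error-severity"),
            "tag": _child_text(err, "error-tag"),
            "daemon": _child_text(err, "source-daemon"),
            "path": _child_text(err, "error-path"),
            "bad_element": _child_text(err.find("error-info"), "bad-element"),
            "message": _child_text(err, "error-message"),
        })
    return errors


def idp_rulebase_errors(errors):
    """Pick out the idpd errors pointing at the rulebase / attack DB problem
    discussed in this post, as opposed to the generic check-out failure."""
    return [e for e in errors
            if e["daemon"] == "idpd" and "rulebase" in e["message"].lower()]


if __name__ == "__main__":
    for e in parse_commit_errors(SAMPLE_COMMIT_RESULTS):
        print(f"{e['severity']:<6} {e['daemon'] or '-':<6} {e['path'] or '-'} "
              f"{e['bad_element'] or '-'}: {e['message']}")
```

The second rpc-error carries no daemon, path or element, so only the first one is actionable; that is why the helper filters on source-daemon and message rather than on the error tag, which is the same for both.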

From the command line:

{primary:node1}[edit]
user@srx#

{primary:node1}[edit]
user@srx# commit
[edit security idp]
  'idp-policy Space-IPS-Policy'
    No rulebases configured for the active policy
error: configuration check-out failed

{primary:node1}[edit]
user@srx#

According to KB26964, this IDP error message is related to the IDP signature database.

In this case, for some reason, the two cluster nodes did not have the same attack database version.

user@srx> show security idp security-package-version
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3004(Thu Nov  9 12:12:06 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

{secondary:node0}
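Added example, not part of the original post or of Junos: a Python helper that parses the output of show security idp security-package-version from both cluster nodes and reports which fields differ, so the mismatch can be spotted (or alerted on) before a commit fails rather than after. It goes slightly beyond the case above by also comparing the detector version and by handling a standalone SRX whose output has no node headers. The sample output is constructed from the output shown above; the function names are assumptions.

```python
import re

# Constructed sample, modelled on the cluster output shown in this post.
SAMPLE_OUTPUT = """node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3004(Thu Nov  9 12:12:06 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A
"""

NODE_RE = re.compile(r"^(node\d+):$")
FIELD_RES = {
    # field name -> regex capturing its value; the date in parentheses is kept separately
    "attack_db": re.compile(r"Attack database version\s*:\s*(\d+)"),
    "attack_db_date": re.compile(r"Attack database version\s*:\s*\d+\s*\((.*?)\)"),
    "detector": re.compile(r"Detector version\s*:\s*(\S+)"),
    "policy_template": re.compile(r"Policy template version\s*:\s*(\S+)"),
}


def parse_security_package_versions(text):
    """Map each node (or 'local' for a standalone SRX) to its version fields."""
    versions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            versions[current] = {}
            continue
        for field, rx in FIELD_RES.items():
            m = rx.search(line)
            if not m:
                continue
            if current is None:          # standalone device: output has no node headers
                current = "local"
                versions[current] = {}
            value = m.group(1)
            versions[current][field] = int(value) if field == "attack_db" else value
    return versions


def find_mismatches(versions, fields=("attack_db", "detector")):
    """Return the fields whose value is not identical across all nodes."""
    return [f for f in fields
            if len({info.get(f) for info in versions.values()}) > 1]


def newest_attack_db_node(versions):
    """Node holding the highest attack DB version, i.e. the copy source in 2.3 below."""
    return max(versions, key=lambda n: versions[n].get("attack_db", -1))


if __name__ == "__main__":
    v = parse_security_package_versions(SAMPLE_OUTPUT)
    bad = find_mismatches(v)
    if bad:
        print(f"mismatch in {bad}; newest attack DB is on {newest_attack_db_node(v)}")
    else:
        print("all nodes consistent")
```

Running the same parser on the output taken after the fix (both nodes at 3005) returns no mismatches, which is a handier post-check than eyeballing the two blocks.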

Solution

1. Deactivate IDP and install the policy.
This works from the command line, but it is not the ideal solution we want. It does help if you have limited time to get the change in.

user@srx# deactivate security idp

{primary:node1}[edit]
user@srx# commit check
node1: 
configuration check succeeds
node0: 
configuration check succeeds

2. Reinstall the attack DB
2.1 Install directly from the Internet
If your device has Internet access, you need to remove the attack DB from the SRX and reinstall it.

[edit]
root# run start shell user root
##Type the root password and delete the files:
root% rm -rf /var/db/idpd/sec-download/*
##Install either a previous version of the attack DB or the latest version:
root> request security idp security-package download version 2232 full-update

root> request security idp security-package install
##Set the active policy as Recommended and then commit the configuration; it should be successful this time.
root# set security idp active-policy Recommended
root# commit
##Check the policy commit status:
root# run show security idp policy-commit-status

2.2 Install from Junos Space
Delete all the DB files, then push the latest attack DB again.

2.3 Copy from the other node
In my case, since node0 had the latest IDP attack DB, simply copying it from node0 to node1 so that both nodes have the same attack DB solved the problem.

user@srx> show security idp security-package-version
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3004(Thu Nov  9 12:12:06 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

user@srx% rcp -r -T /var/db/idpd/* node1:/var/db/idpd/

user@srx%
user@srx% cli
{secondary:node0}
user@srx> show security idp security-package-version
node0:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC)
  Detector version :12.6.160170603
  Policy template version :N/A

As long as one of the cluster members has the correct version on it, this method fixes most IDP attack DB problems.

By Jon.
