How to Update the Juniper SRX IPS Offline

Dear Juniper Customers,

If you are wondering how to update the Juniper IPS offline, I think this post will be easy to follow. Juniper has in fact already published plenty of documentation on updating the Juniper SRX security package offline, offline IPS template updates, offline IPS updates for a Juniper SRX cluster, and so on. The most complete of these can be opened at this link. This post also refers to that document, and I recommend reading it from beginning to end, hehehe. This post uses a Juniper SRX5800 cluster running Junos version 12.3X48-D30.7. Let's go through the following steps:

Step 1: Download SignatureUpdate.xml.gz

First you need to download the file SignatureUpdate.xml.gz; this is how you will obtain the most up-to-date IPS signature files.

https://signatures.juniper.net/cgi-bin/index.cgi?device=srx5800&feature=idp&detector=12.6.140171124&to=latest&os=12.3&build=48&type=update

The example above is for an SRX5800 running Junos 12.3X48-D30.7. If you have a branch series device, adjust it accordingly. The details are as follows:

Note:
In the above URL we can observe the following:
For SRX highend device the device names are device=srx3400, srx3600 and so on
For SRX Branch devices the device names are device=jsrx210, jsrx240 and so on
For vSRX the device name is device=firefly-perimeter
os= indicates the SRX JunOS version currently installed
from= current downloaded version (if there is no DB it will be null)
to = latest indicates download the latest security package. If not mentioned latest is downloaded
feature = idp (while other values above change – feature never changes)

Step 2: Download other required files
Good, you have now downloaded the SignatureUpdate.xml.gz file for your SRX device. Now extract the file and open it in your browser or Notepad. An example of the file's contents looks like this:


  1.0.0
  3064
  Thu May 10 11:06:22 2018 UTC
  https://signatures.juniper.net/xmlupdate/225/ApplicationGroups/3064/application_groups.xml.gz
  https://signatures.juniper.net/xmlupdate/225/ApplicationGroups/3064/application_groups2.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Applications/3064/applications.xsd
  https://signatures.juniper.net/xmlupdate/225/Applications/3064/applications.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Applications/3064/applications2.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Contexts/3064/contexts.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Detector/12.6.140171124/libidp-detector.so.tgz.v
  https://signatures.juniper.net/xmlupdate/225/Filters/3064/filters.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Groups/3064/groups.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Heuristics/3064/heuristics.bin.gz
  https://signatures.juniper.net/xmlupdate/225/Libqmprotocols/1.340.0-57.005/libqmprotocols.tgz
  https://signatures.juniper.net/xmlupdate/225/Platforms/3064/platforms.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Products/3064/products.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Services/3064/services.xml.gz
  https://signatures.juniper.net/xmlupdate/225/Templates/3064/templates.xml.gz
  
    

[output cut]
Download every file from the URLs above; I suggest using a download manager such as IDM, and save them all in one folder together with the SignatureUpdate.xml.gz file.
For Junos version 12.3X48-D30.7, make sure you do not change the format of the libqmprotocols.tgz file later on.
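A pre-flight check for the folder built in Step 2, as an added example that is not from the original post or from Juniper: it pulls the package URLs out of SignatureUpdate.xml.gz, rejects any that are not HTTPS on signatures.juniper.net, reports files that are missing or were renamed by the download tool, and records a SHA-256 per file for comparison after the jump-host hop. The function names, the /xmlupdate/ path filter and the host mirror.example are assumptions made for this sketch.

```python
import gzip, hashlib, re, tempfile
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_HOST = "signatures.juniper.net"  # host of every URL in the listing above
# Assumption: package files are the URLs whose path starts with /xmlupdate/;
# any other URL inside the XML is not treated as a download.
PKG_URL = re.compile(rb"https?://[^\s<>\"'/]+/xmlupdate/[^\s<>\"']+")

def manifest_urls(data: bytes) -> list[str]:
    """Package URLs from SignatureUpdate.xml or .xml.gz content, in file order."""
    if data[:2] == b"\x1f\x8b":  # gzip magic: accept the file exactly as downloaded
        data = gzip.decompress(data)
    urls = [m.group().decode("ascii", "replace") for m in PKG_URL.finditer(data)]
    return list(dict.fromkeys(urls))  # drop duplicates, keep order

def check_staging(manifest: bytes, staging: Path):
    """Return (rejected_urls, missing_names, {name: sha256}) for the staging folder."""
    rejected, missing, digests = [], [], {}
    for url in manifest_urls(manifest):
        parts = urlparse(url)
        name = Path(parts.path).name
        if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
            rejected.append(url)  # not HTTPS, or not the vendor host
        elif not (staging / name).is_file():
            missing.append(name)  # absent, or saved under a different name
        else:
            digests[name] = hashlib.sha256((staging / name).read_bytes()).hexdigest()
    return rejected, missing, digests

# Constructed sample: three URLs copied from the listing above plus one
# deliberately wrong entry (plain HTTP, placeholder host) to show rejection.
SAMPLE = gzip.compress(b"""<x>
 <u>https://signatures.juniper.net/xmlupdate/225/Groups/3064/groups.xml.gz</u>
 <u>https://signatures.juniper.net/xmlupdate/225/Libqmprotocols/1.340.0-57.005/libqmprotocols.tgz</u>
 <u>https://signatures.juniper.net/xmlupdate/225/Templates/3064/templates.xml.gz</u>
 <u>http://mirror.example/xmlupdate/225/Filters/3064/filters.xml.gz</u>
</x>""")

def demo():
    """Run the check against a constructed staging folder with one renamed file."""
    with tempfile.TemporaryDirectory() as d:
        staging = Path(d)
        (staging / "groups.xml.gz").write_bytes(b"constructed groups")
        (staging / "libqmprotocols.tar").write_bytes(b"renamed archive")  # wrong name
        return check_staging(SAMPLE, staging)

if __name__ == "__main__":
    for label, value in zip(("rejected", "missing", "sha256"), demo()):
        print(label, value)
```

Compare the recorded digests on the jump host before the files are decompressed on the SRX, since gzip -d changes the bytes.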

Step 3: Upload All Packages to the Juniper SRX

Now upload all the files you downloaded to the Juniper SRX. If your Juniper is in a cluster, uploading to one node, or to the active node, is enough; afterwards just copy them to the other node. In this case I could not upload the files to the SRX node directly from my computer for security reasons, so you need to upload them first to the jump host server using FTP or SFTP software such as WinSCP or FileZilla.
Once that is done, upload them again to the SRX node. In the following steps I show how to download (not upload) the files using sftp.
a. Log in to the SRX first.
b. Enter the SRX shell by typing start shell (if you are not using the root user).
c. Go to the IPS directory by typing cd /var/db/idpd/sec-download; this sec-download folder is where you store the files. If there are still files in the sec-download folder, you can delete them first by typing rm *
d. Inside the sec-download folder there is a sub-download folder; copy the two files SignatureUpdate.xml and templates.xml into it.
e. Log in to the sftp server from your SRX and follow the next steps as I show below.
user@SRX-1% sftp user@192.168.1.2
Verification code:
Password:
Connected to 192.168.1.2.
sftp> pwd
Remote working directory: /home/user
sftp> cd IPS3064/
sftp> ls
application_groups.xml.gz         libqmprotocols.tar                application_groups2.xml.gz        heuristics.bin.gz
applications.xml                  contexts.xml.gz                   platforms.xml.gz                  groups.xml.gz
applications.xml.gz               filters.xml.gz                    products.xml.gz                   applications2.xml.gz
libidp-detector.so.tgz.v          services.xml.gz                   SignatureUpdate.xml.gz            templates.xml.gz

sftp> get *
sftp> bye
user@SRX-1% gzip -d file_name (every file except libqmprotocols.tgz; do not gunzip that one)
user@SRX-1% ls -al
total 209476
drwxr-xr-x  3 root  wheel       512 May 16 16:37 .
drwxr-xr-x  8 root  wheel       512 May 16 16:39 ..
-rw-r--r--  1 root  wheel  69449024 May 16 14:38 SignatureUpdate.xml
-rw-r--r--  1 root  wheel    315957 May 16 14:38 application_groups.xml
-rw-r--r--  1 root  wheel    584586 May 16 14:38 application_groups2.xml
-rw-r--r--  1 root  wheel   2181027 May 16 14:38 applications.xml
-rw-r--r--  1 root  wheel   5187079 May 16 14:38 applications2.xml
-rw-r--r--  1 root  wheel    293017 May 16 14:38 contexts.xml
-rwxr-xr-x  1 root  wheel    762985 May 16 16:39 detector-capabilities.xml
-rw-r--r--  1 root  wheel      5232 May 16 14:38 filters.xml
-rw-r--r--  1 root  wheel   5045870 May 16 14:38 groups.xml
-rw-r--r--  1 root  wheel     14545 May 16 14:38 heuristics.bin
-rw-r--r--  1 root  wheel   5536491 May 16 14:38 libidp-detector.so.tgz.v
-rw-r--r--  1 root  wheel  15968207 May 16 16:23 libqmprotocols.tgz
-rw-r--r--  1 root  wheel        83 May 16 16:24 manifest.xml
-rw-r--r--  1 root  wheel       492 May 16 14:38 platforms.xml
-rw-r--r--  1 root  wheel    562054 May 16 14:38 products.xml
-rw-r--r--  1 root  wheel    854005 May 16 14:38 services.xml
drwxr-xr-x  2 root  wheel       512 May 16 14:39 sub-download
-rw-r--r--  1 root  wheel    165525 May 16 14:38 templates.xml

user@SRX-1% pwd
/var/db/idpd/sec-download
user@SRX-1% cp SignatureUpdate.xml /var/db/idpd/sec-download/sub-download/
user@SRX-1% cp templates.xml  /var/db/idpd/sec-download/sub-download/
user@SRX-1% ls sub-download/
SignatureUpdate.xml     templates.xml

f. If your SRX is a cluster, the entire contents of the sec-download folder also need to be copied to the other node. The steps are as follows.

user@SRX-2% rlogin -T node1
user@SRX-2% cd  /var/db/idpd/sec-download/
user@SRX-2% ls
SignatureUpdate.xml             groups.xml
application_groups.xml          libidp-detector.so.tgz.v
application_groups2.xml         libqmprotocols.tar
applications.xml                platforms.xml
applications.xsd                products.xml
applications2.xml               services.xml
contexts.xml                    sub-download
detector-capabilities.xml       templates.xml
filters.xml
root@SRX-2% rm *
rm: sub-download: is a directory
user@SRX-2% cd sub-download/
user@SRX-2% ls
SignatureUpdate.xml     templates.xml
user@SRX-2% rm *
user@SRX-2% ls
user@SRX-2%

You have now cleaned out the contents of the sec-download folder on SRX-2, so go back to SRX-1.

user@SRX-2% exit
logout
rlogin: connection closed
user@SRX-1%
root@SRX-1-GI-TBS% rcp -r -T /var/db/idpd/sec-download/* node1:/var/db/idpd/sec-download/

user@SRX-2% rlogin -T node1
user@SRX-2% pwd
/cf/root
user@SRX-2% cd /var/db/idpd/sec-download/
user@SRX-2% ls
SignatureUpdate.xml             applications2.xml               groups.xml                      manifest.xml                    sub-download
application_groups.xml          contexts.xml                    heuristics.bin                  platforms.xml                   templates.xml
application_groups2.xml         detector-capabilities.xml       libidp-detector.so.tgz.v        products.xml
applications.xml                filters.xml                     libqmprotocols.tgz              services.xml


user@SRX-2% exit
logout
rlogin: connection closed
user@SRX-1%

So if you check SRX-2 again, the files have been successfully copied from SRX-1 to SRX-2.

Step 4: Install the security package on the SRX

In this case I am doing it on an SRX cluster.

root@SRX-2> request security idp security-package install source-path /var/db/idpd/sec-download node 1
node1:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI


root@SRX-2> request security idp security-package install status node 1
node1:
--------------------------------------------------------------------------
In progress:Installing AI ...

root@SRX-2> request security idp security-package install status node 1
node1:
--------------------------------------------------------------------------
In progress:performing DB update for an xml (SignatureUpdate.xml)

root@SRX-2> request security idp security-package install status node 1
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=3064,ExportDate=Thu May 10 11:06:22 2018 UTC,Detector=12.6.140171124]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful

Do the same on SRX-1

user@SRX-1> request security idp security-package install source-path /var/db/idpd/sec-download node 1
node1:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI


user@SRX-1> request security idp security-package install status node 0
node0:
--------------------------------------------------------------------------
In progress:performing DB update for an xml (SignatureUpdate.xml)


user@SRX-2> request security idp security-package install status node 0
node0:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=3064,ExportDate=Thu May 10 11:06:22 2018 UTC,Detector=12.6.140171124]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful

Check the final result:

Capture before the update:

root@SRX-1> show security idp security-package-version
node0:
--------------------------------------------------------------------------

  Attack database version:3047(2018-03-21 17:18:12)
  Detector version :12.6.140171124
  Policy template version :2879

node1:
--------------------------------------------------------------------------

  Attack database version:3047(2018-03-21 17:18:12)
  Detector version :12.6.140171124
  Policy template version :N/A

Capture after the update:

root@SRX-1> show security idp security-package-version
node0:
--------------------------------------------------------------------------

  Attack database version:3064(Thu May 10 11:06:22 2018 UTC)
  Detector version :12.6.140171124
  Policy template version :2879

node1:
--------------------------------------------------------------------------

  Attack database version:3064(Thu May 10 11:06:22 2018 UTC)
  Detector version :12.6.140171124
  Policy template version :N/A

That concludes this post on how to update the Juniper SRX IPS; I hope it is useful for Juniper customers 🙂

 

About the author
Bunyamin

Routecloud Networks

Information about Server, Linux and Computer Network.
