Re: [j-nsp] SRX and http/https proxy

2017-12-21 Thread Benoit Plessis
On 20/12/2017 23:00, Roger Wiklund wrote:
> You can download the latest signature here:
>
> https://kb.juniper.net/InfoCenter/index?page=content=KB27038
>
> Try this:
>
> 1. unzip the file, then gunzip all gz files: gzip -d *.gz
> 2. copy all files to the device with scp: scp -r *
> root@ip:/var/db/idpd/sec-download/
> 3. request security idp security-package offline-download package-path
> /var/db/idpd/sec-download
> 4. request security idp security-package install

Interesting,

The package is very large, however, since it does contain everything; it
would need to filter out unnecessary files,
not sure it would be really easier (to be done 'safely') than parsing
the xml file from the auto-upgrade url though.

As for the process you describe, the "part 2" is my main concern (root
access on the SRX, no option to login with ssh pubkey); it also needs to be
done on both units of the cluster.

As for part 3, my previous experiment seems to tell me that if you copy
the files to /var/db/idpd/sec-download then "request security idp
security-package offline-download package-path" isn't useful,
however it does feel like "offline-download" could be used to skip the
root access copy of step 2, but there is little to no information on the
expected "package" format.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX and http/https proxy

2017-12-20 Thread Roger Wiklund
You can download the latest signature here:

https://kb.juniper.net/InfoCenter/index?page=content=KB27038

Try this:

1. unzip the file, then gunzip all gz files: gzip -d *.gz
2. copy all files to the device with scp: scp -r * root@ip:/var/db/idpd/sec-download/
3. request security idp security-package offline-download package-path
/var/db/idpd/sec-download
4. request security idp security-package install

I have not tried this myself but I think it should work =)

On Thu, Dec 14, 2017 at 12:58 PM, Benoit Plessis wrote:

> Sorry I lost Roger's mail so this might bork the thread ..
>
> Two options off the top of my head:
>
> 1. Use Security Director, that will download the signature to the server
> and then push it to the device. (SD will also give you lots of other
> benefits/visibility)
> 2. Download the update to a web server the SRX can reach, then use
> offline-download "request security idp security-package offline-download
> package-path http://x/y;
>
> You can easily configure an event-option to run the update every night.
>
> set event-options generate-event daily time-of-day 01:00:00
> set event-options policy update_idp_package events daily
> set event-options policy update_idp_package then execute-commands command
> "request security idp security-package offline-download
> package-path http://x/y;
>
>
> Hi,
>
> Well, I found the "How to perform offline IDP and Application signature
> database update in SRX"(*) which is at least three years old,
> not very clear, and needs root (not super-user account) access to put files
> directly in /var/db/idpd/...
>
> * https://kb.juniper.net/InfoCenter/index?page=content=TN83
>
> The documentation for "request security idp security-package
> offline-download" suggests to
> "Manually download the security package from the Juniper Security
> Engineering portal. The package will have both IDP and application package
> signatures." yet I wasn't able to find said package ...
>
> By the way, JTAC answered this morning with said KB and a wonderful "It is
> possible that the proxy method to not be standard. If this is the case, I
> don't understand what are your expectation in regards to this."
>
> BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
> 15.1X49 feature parity.
>
>
> Ok, gone back to 15.1, thanks.
>
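A helper for Roger's option 2 (host the update on a web server the SRX can reach), added here and not taken from the thread or from Juniper: it runs on an admin host that *can* use the proxy, fetches the bundle, then stages it for the web server by unzipping and gunzipping as in step 1 of the procedure above. The URL, proxy address and web root are placeholders; any zip member whose path would land outside the web root is rejected rather than written.

```python
import gzip
import shutil
import urllib.request
import zipfile
from pathlib import Path


def fetch_via_proxy(url: str, proxy: str, dest_zip: Path) -> Path:
    """Download the signature bundle through an explicit HTTP(S) proxy.

    Runs on the admin host, not on the SRX; url/proxy are placeholders.
    """
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=60) as resp, open(dest_zip, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest_zip


def stage_package(zip_path: Path, webroot: Path) -> list:
    """Unzip into webroot, then gunzip every *.gz member in place.

    Returns the sorted, webroot-relative paths of the staged files.
    Members that would resolve outside webroot (e.g. "../x") raise ValueError,
    since the bundle is fetched from the network and extracted as-is.
    """
    webroot = webroot.resolve()
    staged = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (webroot / info.filename).resolve()
            if webroot not in target.parents:
                raise ValueError(f"refusing member outside webroot: {info.filename}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            if target.suffix == ".gz":
                # gzip -d *.gz equivalent: write the plain file, drop the .gz
                plain = target.with_suffix("")
                with gzip.open(target, "rb") as src, open(plain, "wb") as dst:
                    shutil.copyfileobj(src, dst)
                target.unlink()
                target = plain
            staged.append(target.relative_to(webroot).as_posix())
    return sorted(staged)


if __name__ == "__main__":
    # Placeholders: the bundle URL, the squid address and the web server's root.
    bundle = fetch_via_proxy("https://example.invalid/idp-bundle.zip",
                             "http://proxy.example.invalid:3128", Path("bundle.zip"))
    print(stage_package(bundle, Path("/var/www/html/idp")))
```

The SRX then pulls from the staged directory with "request security idp security-package offline-download package-path http://x/y", as in Roger's second option.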


Re: [j-nsp] SRX and http/https proxy

2017-12-14 Thread Benoit Plessis
Sorry I lost Roger's mail so this might bork the thread ..

> Two options off the top of my head:
>
> 1. Use Security Director, that will download the signature to the server
> and then push it to the device. (SD will also give you lots of other
> benefits/visibility)
> 2. Download the update to a web server the SRX can reach, then use
> offline-download "request security idp security-package offline-download
> package-path http://x/y;
>
> You can easily configure an event-option to run the update every night.
>
> set event-options generate-event daily time-of-day 01:00:00
> set event-options policy update_idp_package events daily
> set event-options policy update_idp_package then execute-commands command
> "request security idp security-package offline-download package-path
> http://x/y;

Hi,

Well, I found the "How to perform offline IDP and Application signature
database update in SRX"(*) which is at least three years old,
not very clear, and needs root (not super-user account) access to put
files directly in /var/db/idpd/...

* https://kb.juniper.net/InfoCenter/index?page=content=TN83

The documentation for "request security idp security-package
offline-download" suggests to
"Manually download the security package from the Juniper Security
Engineering portal. The package will have both IDP and application
package signatures." yet I wasn't able to find said package ...

By the way, JTAC answered this morning with said KB and a wonderful "It is
possible that the proxy method to not be standard. If this is the case,
I don't understand what are your expectation in regards to this."

> BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
> 15.1X49 feature parity.

Ok, gone back to 15.1, thanks.


Re: [j-nsp] SRX and http/https proxy

2017-12-12 Thread Roger Wiklund
Two options off the top of my head:

1. Use Security Director, that will download the signature to the server
and then push it to the device. (SD will also give you lots of other
benefits/visibility)
2. Download the update to a web server the SRX can reach, then use
offline-download "request security idp security-package offline-download
package-path http://x/y;

You can easily configure an event-option to run the update every night.

set event-options generate-event daily time-of-day 01:00:00
set event-options policy update_idp_package events daily
set event-options policy update_idp_package then execute-commands command
"request security idp security-package offline-download package-path
http://x/y;

BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
15.1X49 feature parity.

Regards
Roger
On Tue, Dec 12, 2017 at 11:38 AM, Benoit Plessis wrote:

> Hi,
>
> We have recently bought an SRX345 cluster with IDP licensing and I'm a
> bit baffled by something a bit "stupid".
>
> The SRX will need regular downloads over the internet for the IDP
> database; however, by principle I set up the system so that the admin
> interface has limited network connectivity (by use of a separate
> routing-instance for the main traffic).
>
> So I looked for a way for the SRX to use a web proxy (squid, ffproxy)
> for those operations.
>
> According to the documentation & configuration it is supported (system
> proxy server / system proxy port); however, of the 4 download "use-cases" I
> tested (request system license update, request security idp
> security-package download, request system license add, file copy) only
> the first (request system license update) does "try" to respect and use
> the system proxy, and even there it doesn't correctly communicate with
> the proxy for "https" requests.
>
> I tried with 17.3R1.10, 12.1X46-D15.3, 12.3X48-D40.5 with the same
> result each time.
>
>
> A case is pending opening with Juniper support but the support contract
> of the SRX345 isn't opened yet, so I thought of reaching over there;
> does anybody know anything on the subject?
>
> Regards,
> Benoit Plessis
>


[j-nsp] SRX and http/https proxy

2017-12-12 Thread Benoit Plessis
Hi,

We have recently bought an SRX345 cluster with IDP licensing and I'm a
bit baffled by something a bit "stupid".

The SRX will need regular downloads over the internet for the IDP
database; however, by principle I set up the system so that the admin
interface has limited network connectivity (by use of a separate
routing-instance for the main traffic).

So I looked for a way for the SRX to use a web proxy (squid, ffproxy)
for those operations.

According to the documentation & configuration it is supported (system
proxy server / system proxy port); however, of the 4 download "use-cases" I
tested (request system license update, request security idp
security-package download, request system license add, file copy) only
the first (request system license update) does "try" to respect and use
the system proxy, and even there it doesn't correctly communicate with
the proxy for "https" requests.

I tried with 17.3R1.10, 12.1X46-D15.3, 12.3X48-D40.5 with the same
result each time.


A case is pending opening with Juniper support but the support contract
of the SRX345 isn't opened yet, so I thought of reaching over there;
does anybody know anything on the subject?

Regards,
Benoit Plessis
