Table of Contents
Advertisement
Quick Links
IDP Series Release Notes
IDP OS 5.1r1
February 8, 2011
Revision 01
Contents
Copyright © 2011, Juniper Networks, Inc.
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Unsupported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Known Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Supported Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Downgrading or Reverting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Compatibility with Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . 6
Compatibility with Juniper Networks Infranet Controller . . . . . . . . . . . . . . . . . . . . . 7
Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Upgrading IDP Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Upgrading with NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Upgrading with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1
Advertisement
Table of Contents
Related Manuals for Juniper IDP OS 5.1R1 - RELEASE NOTES REV 1
Summary of Contents for Juniper IDP OS 5.1R1 - RELEASE NOTES REV 1
-
Page 1: Table Of Contents
Compatibility with Network and Security Manager ......6 Compatibility with Juniper Networks Infranet Controller ..... 7 Browser Requirements . -
Page 2: Overview
Juniper Networks Intrusion Detection and Prevention Release Notes Overview Juniper Networks Intrusion Detection and Prevention Series devices enable you to enforce a security policy that leverages continuous security research by the Juniper Security Center to protect your network from attacks. The IDP Series also includes features that enable you to gather information about applications and servers in your network. - Page 3 Beginning with IDP OS Release 5.1, you can use a new utility to capture packets at the Rx interface Using (receiving interface) and also at the Tx interface (transmitting interface). See jnetTcpdump to Capture Packets Copyright © 2011, Juniper Networks, Inc.
-
Page 4: Unsupported Features
Juniper Networks Intrusion Detection and Prevention Release Notes Table 1: New Features (continued) Feature Description Enhanced debugging and You can use the following CLI command enhancements to display system information: troubleshooting tools scio app cache —A new option, listall , allows you to list the entire application identification cache. -
Page 5: Supported Upgrade Paths
Previously collected packet capture logs will not be available to NSM. This action is not required if you have been using the option to always include packet data when NSM sends the event log. /usr/idp/device/bin/user_funcs Your custom settings in the file are preserved when you upgrade. No action is required. Copyright © 2011, Juniper Networks, Inc. -
Page 6: Downgrading Or Reverting
Juniper Networks Intrusion Detection and Prevention Release Notes Table 2: Changes to Files and Directories (continued) Upgrade Path Files and Directories From 4.1r4 When you upgrade from IDP OS 4.1r4 to IDP OS 5.1r1, you are reimaging the disk with a new operating /var/idp system. -
Page 7: Compatibility With Juniper Networks Infranet Controller
NSMXpress to a patch version of NSM. Compatibility with Juniper Networks Infranet Controller The user-role-based policy feature depends on deployment with IC Series Unified Access Control (UAC) 4.1r1 or later. Contact your Juniper Networks sales representative for information on UAC release dates. Browser Requirements The ACM, QuickStart utility, and IDP Reporter have been tested on the following browsers: Internet Explorer 7.x, 6.x... -
Page 8: Upgrading With Nsm
Juniper Networks Intrusion Detection and Prevention Release Notes This section provides the following upgrade workflows to upgrade a standalone IDP Series device: Upgrading with NSM on page 8 Upgrading with the CLI on page 10 NOTE: Upgrading an HA deployment involves special considerations. For information on upgrading an HA deployment, see “... - Page 9 Push the updated IDP detector engine to IDP Series devices: From the NSM main menu, select Devices > IDP Detector Engine > Load IDP Detector Engine for ScreenOS and complete the wizard steps. Copyright © 2011, Juniper Networks, Inc.
-
Page 10: Upgrading With The Cli
Juniper Networks Intrusion Detection and Prevention Release Notes NOTE: Updating the IDP detector engine on a device does not require a reboot of the device. Push a security policy update job to update attack objects in use in your security policy: In NSM, select Devices >... - Page 11 Push the updated IDP detector engine to IDP Series devices: From the NSM main menu, select Devices > IDP Detector Engine > Load IDP Detector Engine for ScreenOS and complete the wizard steps. Copyright © 2011, Juniper Networks, Inc.
-
Page 12: Resolved Issues
Juniper Networks Intrusion Detection and Prevention Release Notes NOTE: Updating the IDP detector engine on a device does not require a reboot of the device. Push a security policy update job to update attack objects in use in your security policy: In NSM, select Devices >... - Page 13 5 seconds, 1 minute, and 5 minutes. Traps are sent for the 1 minute and 5 minute intervals. 547870 Resolved an issue where the packet reassembly module had generated an inordinate number of logs for the same issue, leading to disk usage concerns. Copyright © 2011, Juniper Networks, Inc.
- Page 14 Juniper Networks Intrusion Detection and Prevention Release Notes Table 4: Resolved Issues (continued) Description CPU Utilization 474709 Resolved an issue where we had reported incorrect CPU utilization for single core platforms (IDP600, IDP200, IDP75). For single core platforms, you can now use the Linux command to query CPU utilization.
-
Page 15: Known Issues
In the NSM Device Manager, double-click the name of the device to display the configuration editor. 2. Click Sensor Settings. 3. Click the Run-time parameters tab. 4. Under Traffic Signatures, increase the value for Byte threshold for suspicious flows. Copyright © 2011, Juniper Networks, Inc. - Page 16 Juniper Networks Intrusion Detection and Prevention Release Notes Table 5: Known Issues (continued) Description 508363 False positive where SSL:Audit:Non-SSL is wrongly detected in HTTPS traffic. The issue only occurs when SSL:Audit:Non-SSL is included in a compound signature with another member having stream256 context.
- Page 17 For IDP Series devices, strings for severity include instead of the strings Device_critical_log Device_warning_log Critical Warning that appear for other network devices. 415164 In NSM, packet data cannot be displayed correct for certain malformed IP packets. Copyright © 2011, Juniper Networks, Inc.
- Page 18 Juniper Networks Intrusion Detection and Prevention Release Notes Table 5: Known Issues (continued) Description 418220 Logs to IC Series: When log suppression is enabled, logs sent to the IC Series should indicate the repeat count when applicable. 419544 In NSM Profiler logs, alert logs when Profiler detects a new, non-IP protocol always show the protocol as HOPOPT instead of the specific protocol.
- Page 19 We do not support attack detection (flow-based or packet-based) in synced sessions processed by the standby device after retransmission on the redundant path. Packets for these sessions are passed through, uninspected. New sessions traversing the redundant path are inspected. Copyright © 2011, Juniper Networks, Inc.
-
Page 20: Documentation
NSM, see the Task Summary” section in the IDP Series Administration Guide. Documentation You can download user documentation from the Juniper Networks Web site: http://www.juniper.net/techpubs/ Table 6 on page 20 lists related IDP Series documentation. Table 6: Related IDP Series Documentation... - Page 21 Intrusion Detection and Prevention Devices NSM functionality, including adding new devices, deploying new device Guide configurations, updating device firmware, viewing log information, and monitoring the status of IDP Series devices. Copyright © 2011, Juniper Networks, Inc.
-
Page 22: Getting Help
Assistance Center (JTAC) by E-mail (support@juniper.net) or telephone (1-888-314-JTAC within the United States or 1-408-745-9500 from outside the United States). Copyright © 2009, Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc.