Juniper Networks Network and Security Manager 2010.4: Configuring Intrusion Detection and Prevention Devices Guide, Rev 01
Chapter 10: Managing Security Policies in Intrusion Detection and Prevention Devices
Copyright © 2010, Juniper Networks, Inc.

Troubleshooting Configuration Push Errors (NSM Procedure)

Problem

Table 55 on page 123 provides tips for troubleshooting errors related to NSM configuration push jobs.

Table 55: Troubleshooting: Configuration Push Errors

Error: Timeout
Description: The default timeout for IDP policy is 2400000 milliseconds (40 minutes). When you first push a policy to a newly deployed IDP device, NSM must send a lot of information (mostly attack definitions). In some cases, the update job can time out before it completes.
To modify the timeout setting:
1. On the NSM Device Server, open the following file in a text editor:
   /usr/netscreen/DevSvr/var/devSvr.cfg
2. Modify the following setting:
   devSvrDirectiveHandler.idpPolicyPush.timeout 2400000

Error: The following attacks/groups cannot be updated. Not supported for version.
Description: Different versions of IDP use different detector engines. Not all attack objects are valid for all versions of the detector engine. IDP indicates which attack objects in the security policy were not valid for the loaded detector engine and, therefore, not loaded. This message is for information purposes only and does not indicate a problem with the IDP device or the policy.

Error: No firewall rules can be updated for device in assigned policy policyName.
Description: You tried to load a policy that contains a firewall rulebase onto a standalone IDP device. This message means only that IDP cannot process the firewall rulebase. The IDP rulebases are still processed normally, assuming no other errors.

Error: Rule #: Packet logging with any/any rule has serious performance implications.
Description: Setting the rule to log packets causes IDP to save packets until it is sure that they will not be needed for a log entry. A rule that has any in the Source IP column and any in the Destination IP column examines all traffic, so IDP has to save a large number of packets all the time, which impacts performance.

Error: Policy has not changed and hence will not be updated.
Description: For performance reasons, IDP does not spend resources recompiling a security policy that has not changed.

Error: Failed to update device. Failed to compile policy.
Description: Something has gone wrong with the policy compilation. Other error messages may indicate why.

Error: No license for idp.
Description: The device does not have a valid license. Unlicensed devices do not accept policy uploads.
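The following script is an added example, not part of the Juniper guide, showing how the Timeout entry above can be applied without hand-editing the Device Server configuration file. It assumes that devSvr.cfg holds whitespace-separated "key value" lines, as the single line quoted in the guide suggests, and it operates on a constructed sample file rather than on /usr/netscreen/DevSvr/var/devSvr.cfg. The function names (minutes_to_ms, get_idp_push_timeout, set_idp_push_timeout) are hypothetical helpers introduced here. The guide does not state whether the Device Server re-reads the file while running, so confirm that separately after changing the setting.

```shell
#!/bin/sh
# Added example (not from the Juniper guide): adjust the IDP policy-push
# timeout in the NSM Device Server configuration file.
# Assumption: devSvr.cfg uses whitespace-separated "key value" lines, as in
# the one line the guide quotes.

CFG_KEY="devSvrDirectiveHandler.idpPolicyPush.timeout"

# Convert a timeout in minutes to the milliseconds the setting expects.
minutes_to_ms() {
    echo $(( $1 * 60 * 1000 ))
}

# Print the current value of the timeout key in a config file (empty if absent).
# awk compares the whole first field, so dots in the key are not treated as
# regex wildcards.
get_idp_push_timeout() {
    awk -v k="$CFG_KEY" '$1 == k { print $2 }' "$1"
}

# Set the timeout (in milliseconds) in the given config file, keeping a .bak
# copy of the original. Rejects non-numeric values so a typo cannot leave the
# Device Server with an unparsable setting; appends the key if it is absent.
set_idp_push_timeout() {
    cfg="$1"
    ms="$2"
    case "$ms" in
        ''|*[!0-9]*)
            echo "timeout must be a positive integer number of milliseconds" >&2
            return 1 ;;
    esac
    cp "$cfg" "$cfg.bak" || return 1
    if grep -q "^$CFG_KEY[[:space:]]" "$cfg"; then
        # Rewrite only the matching line; every other line passes through.
        awk -v k="$CFG_KEY" -v v="$ms" \
            '$1 == k { print k " " v; next } { print }' "$cfg.bak" > "$cfg"
    else
        printf '%s %s\n' "$CFG_KEY" "$ms" >> "$cfg"
    fi
}

# Constructed sample standing in for /usr/netscreen/DevSvr/var/devSvr.cfg.
# The second setting is invented to show that unrelated lines are preserved.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample; a real devSvr.cfg contains many more settings
devSvrDirectiveHandler.idpPolicyPush.timeout 2400000
devSvr.exampleOtherSetting 1
EOF

# Raise the push timeout from the 40-minute default to 90 minutes for a
# first push to a newly deployed device, then show the result.
echo "before: $(get_idp_push_timeout "$SAMPLE_CFG") ms"
set_idp_push_timeout "$SAMPLE_CFG" "$(minutes_to_ms 90)"
echo "after:  $(get_idp_push_timeout "$SAMPLE_CFG") ms"
```

Run it as a normal shell script; on a real Device Server you would point set_idp_push_timeout at devSvr.cfg instead of the sample file and keep the .bak copy until the next policy push has been confirmed to complete.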
Related Documentation
- NSM and Intrusion Detection and Prevention Device Management Overview on page 5
- Pushing Security Policy Updates to an IDP Device (NSM Procedure) on page 121

Page 123