Updating Devices - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Copyright © 2010, Juniper Networks, Inc.

1. Using the NSM monitoring tools, you learn of the attack and locate the cause of the event. Using NSM modules such as the Realtime Monitor and Log Viewer, you determine the exact attack that penetrated the device. From the Report Manager, you also determine what rule in the security policy was ineffective in blocking the attack.
2. You update the modeled device configuration, editing the security policy to detect and prevent the attack from entering your network again.
3. Before updating the running configuration, you review the modeled device configuration. Using a delta configuration summary, compare the modeled configuration with the running configuration on the device to confirm the differences. Fine-tune the modeled configuration, if needed.
4. When you are confident that the modeled configuration is valid, update the device. NSM updates the running configuration with only the new changes (delta). During the update, you track the update progress using Job Manager in real time and observe the transfer of the configuration from NSM to the device.
   If the update is unsuccessful, use the information in the Job information window to correct the problems in the modeled configuration.
5. After updating, run a second Delta Configuration Summary to identify any remaining differences between the modeled configuration and the running configuration on the device. When the Delta Configuration Summary reveals no differences between the new configuration and the old configuration on the device, you have successfully updated the running configuration.

About Atomic Configuration—ScreenOS Devices

NSM uses atomic configuration, a fail-safe feature for updating devices. Atomic configuration ensures that a current valid configuration is not overwritten by a flawed configuration in flash memory. The update must finish without errors and the device connection to the management system must remain active, or the update is aborted to prevent an invalid, error-prone, or flawed configuration from being installed on the device.

Atomic configuration is always on. During an update:

1. NSM saves and locks the active configuration on the device, and then starts a timer for the update process. While the active configuration is locked, it cannot be changed.
2. NSM sends the modeled configuration to the device.
3. As the device receives the modeled configuration, it updates its existing active configuration with each command as the command is received:
   - If the device executes the entire modeled configuration (all commands) and the connection to the management system remains up, NSM unlocks the active configuration and saves the new active configuration.
   - If the device cannot execute a command, NSM resets the device, unlocks the active configuration, and restores the saved active configuration to the device (the device reboots). After rebooting, the device sends a final error message to the management
Chapter 6: Updating Devices
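
A minimal model of the atomic update sequence described above, added here as an illustration; it is not Juniper's or NSM's code. The `Device` class, the `link_up` hook and the command strings are constructed, the update timer is not modeled, and handling a dropped connection with the same restore as a failed command is an assumption (the page says only that the update is aborted).

```python
class CommandError(Exception):
    """The simulated device could not execute a command."""


class Device:
    """Toy device: the active configuration is a set of 'set ...' lines."""

    def __init__(self, active):
        self.active = set(active)
        self.locked = False
        self.reboots = 0

    def execute(self, command):
        # Constructed rule: only "set X" and "unset X" can be executed.
        verb, _, rest = command.partition(" ")
        if verb == "set" and rest:
            self.active.add(command)
        elif verb == "unset" and rest:
            self.active.discard("set " + rest)
        else:
            raise CommandError(command)


def atomic_update(device, commands, link_up=lambda i: True):
    """Apply commands one by one; restore the saved config on any failure.
    link_up(i) is a hypothetical hook reporting whether the management
    connection is still up before command i (and once after the last)."""
    saved = set(device.active)       # save the active configuration
    device.locked = True             # lock it while the update runs
    try:
        for i, command in enumerate(commands):
            if not link_up(i):
                raise ConnectionError("management connection lost")
            device.execute(command)  # active config changes per command
        if not link_up(len(commands)):
            raise ConnectionError("management connection lost")
    except (CommandError, ConnectionError) as exc:
        device.active = saved        # restore the saved configuration
        device.reboots += 1          # the restore involves a reboot
        return "aborted: %s" % exc
    finally:
        device.locked = False        # unlocked in both outcomes
    return "committed"


# Constructed, simplified command strings (not captured from a device).
RUNNING = ["set policy id 1 permit", "set zone trust block"]
GOOD = ["unset zone trust block", "set policy id 2 deny"]
BAD = ["set policy id 2 deny", "sett policy id 3 deny"]  # second line is invalid
```

In the `BAD` run the first command is applied to the active configuration before the second one fails, so the restore is what keeps the device from ending up with a half-applied policy.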

This manual is also suitable for:

Network and security manager 2010.4
