Loading J-Security-Center Updates (NSM Procedure)
The Juniper Networks Security Center (J-Security Center) routinely
makes important updates available to IDP security policy components,
including updates to the IDP detector engine and NSM attack database.
The IDP detector engine is a dynamic protocol decoder that supports
decoding more than 60 protocols and more than 500 service contexts. You
should update the IDP detector engine when you first install the IDP
device, whenever you upgrade, and whenever Juniper Networks alerts you
to do so.
The NSM attack database stores data definitions for the attack
objects that are key components of IDP security policies. Updates
can include new attack objects, revised severity settings, or removed
attack objects. You should schedule daily updates to the NSM attack
database.
After you have completed the update, any new attack objects are
available in the security policy editor. If you use dynamic groups in
your IDP rulebase rules and a new attack object belongs to one of those
dynamic groups, the rule automatically inherits the new attack object.
Table 1 provides procedures for updating the IDP detector engine and the NSM attack database.

Table 1: IDP Detector Engine and NSM Attack Database Update Procedures

Task: Download IDP detector engine and NSM attack database updates to the NSM GUI server
Procedure:
From the NSM main menu, select Tools > View/Update NSM attack database and complete the wizard steps.
Note: The default URL from which to obtain updates is https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat. If you encounter connection errors, ensure this setting has not been inadvertently changed:
- From the NSM main menu, select Tools > Preferences.
- Click Attack Object.
- Click Restore Defaults. NSM restores the URL in the Download URL for ScreenOS Devices text box.
- Click OK.

Task: Push an IDP detector engine update from the NSM GUI server to IDP devices
Procedure:
From the NSM main menu, select Devices > IDP Detector Engine > Load IDP Detector Engine for ScreenOS and complete the wizard steps.
Note: Updating the IDP detector engine on a device does not require a reboot of the device.

Task: Push predefined attack object updates from the NSM GUI server to IDP devices
Procedure:
- From the NSM main menu, select Devices > Configuration > Update Device Config.
- Select the devices to push configuration updates to, and set the update job options.
- Click OK.
Note: Only the attack objects that are used in IDP rules for the device are pushed from the GUI server to the device.

Task: Schedule regular updates
Procedure:
- Log in to the NSM GUI server command line.
- Change directory to /usr/netscreen/GuiSvr/utils.
- Create a shell script called attackupdates.sh with the following contents:
  - Set the NSMUSER environment variable to an NSM domain/user pair. The command for setting environment variables depends on your OS and shell. Example:
    export NSMUSER=domain/user
  - Set the NSMPASSWD environment variable to the NSM password. Example:
    export NSMPASSWD=password
  - Specify a guiSvrCli command string. Example:
    /usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip
- Make the script executable by the user associated with the cron job:
  chmod 700 attackupdates.sh
- Run the crontab editor.
- Add an entry for the shell script:
  minutes_after_hour hour * * * /usr/netscreen/GuiSvr/utils/attackupdates.sh
During the update, the guiSvrCli utility updates the attack object database, then performs the post actions. After updating and executing the actions, it exits with status code 0 (no errors) or 1 (errors).
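The scheduled-update script from the procedure above, as an added example rather than Juniper's own script, with the guiSvrCli exit status passed back to cron and logged so failed updates are visible: GUISVRCLI, LOGFILE and run_attack_update are assumed names, and the credential values are placeholders.

```shell
#!/bin/sh
# attackupdates.sh: scheduled NSM attack-object database update, run from cron.
# Added example built from the procedure above, not Juniper's own script.
# GUISVRCLI, LOGFILE and run_attack_update are assumed names; the guiSvrCli
# command line and the NSMUSER/NSMPASSWD variables are the ones the page gives.
GUISVRCLI="${GUISVRCLI:-/usr/netscreen/GuiSvr/utils/guiSvrCli.sh}"
LOGFILE="${LOGFILE:-/var/log/attackupdates.log}"

# The procedure puts the NSM credentials in the script itself, which is why
# it makes the file mode 700 and owned by the cron user.
# Placeholder values: replace with a real domain/user pair and password.
export NSMUSER="${NSMUSER:-domain/user}"
export NSMPASSWD="${NSMPASSWD:-password}"

# Run the update and post actions, write one timestamped audit line, and
# return guiSvrCli's exit status (0 = no errors, 1 = errors) to cron.
run_attack_update() {
    status=0
    "$GUISVRCLI" --update-attacks --post-action --update-devices --skip \
        >> "$LOGFILE" 2>&1 || status=$?
    printf '%s attackupdates exit=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" >> "$LOGFILE"
    return "$status"
}

# Matching crontab line (02:30 every day; adjust minutes_after_hour and hour):
#   30 2 * * * /usr/netscreen/GuiSvr/utils/attackupdates.sh
# Only run when invoked as the cron script itself, so the function can be
# sourced and exercised without triggering an update.
case "${0##*/}" in
    attackupdates.sh) run_attack_update ;;
esac
```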
Published: 2009-08-20