cSRX Image with Packaged Pre-Installed Signatures

Understanding Pre-Installed Signatures

To support pre-installed signature packages in the cSRX image, a Dockerfile is placed in the localhost repository to help users build cSRX with the signatures installed. With the new image, you can launch a cSRX Pod that protects the workload immediately after the container is launched.

The supported functions for signature packaging are:

  • Intrusion Detection and Prevention (IDP)

  • Application Identification (AppID)

  • Unified Threat Management (UTM)

Repackaging cSRX Image with Signatures

  • Ensure that the cSRX image is placed in the local repository or in another Docker registry.

  • Ensure that the license file is included together with the Dockerfile.

To repackage the cSRX image with signatures:

  1. Create a Dockerfile.

    root@host# cat Dockerfile

    The ARG CSRX_BUILD_WITH_SIG=yes instruction triggers automatic installation of the APPID and IDP signatures.

    The optional ENV CSRX_LICENSE_FILE=/var/local/.csrx_license and COPY csrx.lic $CSRX_LICENSE_FILE instructions install your own license in the cSRX container.

  2. Repackage the image to include the APPID and IDP signatures.

    root@host# docker build -t localhost:5000/csrx-sig .

  3. Push the image to the registry.

    root@host# docker push localhost:5000/csrx-sig

    The new cSRX image localhost:5000/csrx-sig:latest is ready for use.

  4. Change the mode to CLI.

    root@host# ke -it csrx-sig -- bash

    root@csrx-sig:/# cli

  5. View the APPID status.

    root@csrx-sig> show services application-identification status

  6. View the IDP package version.

    root@csrx-sig> show security idp security-package-version

Downloading the Juniper Signature Pack

You can download the signature pack directly from the Juniper Signature Repository when cSRX doesn’t have a preinstalled signature pack.

To download the signature pack from the Juniper Signature Repository:

root@host> request services application-identification download

root@host> request security idp security-package download

Downloading Signature Pack through Proxy Server

You can download the signature pack through a proxy server. The AppIDD and IDPD processes first connect to the configured proxy server. The proxy server then communicates with the signature pack download server and returns the response to the process running on the device.

To download the signature pack through the proxy server:

  1. Configure the proxy server so that the IP address of the proxy server is reachable from cSRX.
  2. Run the following command to enter the configuration mode from the CLI.

    root@host> configure

    [edit]

    root@host#

  3. Configure the proxy server profile on cSRX using the IP address and port of the proxy server.

    root@host# set services proxy profile appid_sigpack_proxy protocol http host 4.0.0.1

    root@host# set services proxy profile appid_sigpack_proxy protocol http port 3128

  4. Attach the profile to AppID and IDP.

    root@host# set services application-identification download proxy-profile appid_sigpack_proxy

    root@host# set security idp security-package proxy-profile appid_sigpack_proxy

  5. Commit the configuration.

    root@host# commit and-quit

  6. Download the IDP and APPID signature packs through the proxy server.

    root@host> request services application-identification download

    root@host> request security idp security-package download

To verify that the download is happening through the proxy server:

  1. Verify the logs in the proxy server.

    [root@srxdpi-lnx39 squid]# cat /var/log/squid/access.log

    In cSRX, the TLS protocol is used, so the traffic through the proxy server is encrypted.
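
The proxy-log check in step 1, as an added example (not Juniper's code): because the download uses TLS, Squid records it only as CONNECT tunnels, so the evidence is the client address, destination, status, and byte count. It assumes Squid's default native access.log format; the cSRX address 192.0.2.10, the host names, and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Juniper code. Assumes Squid's default native log format:
#   time elapsed client result/status bytes method URL ident hierarchy/peer type

# summarize_proxy_log LOGFILE CLIENT_IP
# Prints "<verdict> <destination> <requests> <bytes>" per destination, where
#   tunnel    = CONNECT accepted; the TLS payload is opaque to the proxy
#   denied    = the proxy refused the request (ACL or authentication)
#   cleartext = non-CONNECT request, visible to the proxy in full
summarize_proxy_log() {
    awk -v client="$2" '
        $3 != client || NF < 7 { next }   # other clients, malformed lines
        {
            split($4, rs, "/")            # rs[1] = Squid result, rs[2] = HTTP status
            dest = $7
            if ($6 == "CONNECT") {
                verdict = (rs[2] ~ /^2/) ? "tunnel" : "denied"
            } else {
                verdict = (rs[1] ~ /DENIED/) ? "denied" : "cleartext"
                sub(/^[a-z]+:\/\//, "", dest)   # drop the scheme
                sub(/\/.*/, "", dest)           # drop the path
            }
            key = verdict " " dest
            count[key]++
            bytes[key] += $5
        }
        END { for (k in count) print k, count[k], bytes[k] }
    ' "$1" | sort
}

# Constructed sample log: 192.0.2.10 stands in for the cSRX address and
# sigpack.example.net for the signature download server (both placeholders).
write_sample_log() {
    cat > "$1" <<'EOF'
1700000000.123   2350 192.0.2.10 TCP_TUNNEL/200 48211 CONNECT sigpack.example.net:443 - HIER_DIRECT/203.0.113.5 -
1700000004.456   9120 192.0.2.10 TCP_TUNNEL/200 7340211 CONNECT sigpack.example.net:443 - HIER_DIRECT/203.0.113.5 -
1700000010.789      1 192.0.2.10 TCP_DENIED/403 3900 CONNECT other.example.net:443 - HIER_NONE/- text/html
1700000011.000     40 192.0.2.77 TCP_MISS/200 512 GET http://mirror.example.net/index.html - HIER_DIRECT/203.0.113.9 text/html
1700000012.000     40 192.0.2.10 TCP_MISS/200 900 GET http://mirror.example.net/a/b - HIER_DIRECT/203.0.113.9 text/html
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_proxy_log "$log" 192.0.2.10
rm -f "$log"
```

On the proxy host, run summarize_proxy_log against /var/log/squid/access.log with the cSRX address; a download that went through the proxy appears as a tunnel line with a non-trivial byte count, while denied or cleartext lines point to an ACL problem or a request that did not use TLS.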