Juniper SRX Commnit Error “No rulebase configured for active policy”
作者:互联网
I have been dealing with Juniper SRX IDP error many times when NSM was been used. Mostly those errors are caused by corrupted signature DB or not enough storage space on SRX itself. Here is the latest one I encountered.
Symptoms
From Space, if I make a new change on firewall policy and push it to gateway, I will get following errors.
It says “No rulebase configured for active policy”, which is mis-leading when you first time saw this message. IDP policy usually is fine here.
[Error] Configuration update failed. Severity : error At : [edit security idp] Message : No rulebase configured for active policy Details : idp-policy Space-IPS-Policy Severity : error Message : configuration check-out failed
To view the full error message,Click here <commit-results>
<rpc-error>
<error-type>protocol</error-type>
<error-tag>operation-failed</error-tag>
<error-severity>error</error-severity>
<source-daemon> idpd </source-daemon>
<error-path> [edit security idp] </error-path> <error-info>
<bad-element> idp-policy Space-IPS-Policy </bad-element> </error-info>
<error-message> No rulebase configured for active policy </error-message> </rpc-error>
<rpc-error>
<error-type>protocol</error-type> <error-tag>operation-failed</error-tag> <error-severity>error</error-severity>
<error-message> configuration check-out failed </error-message>
</rpc-error>
</commit-results>
From Command line:
{primary:node1}[edit] [email protected]# {primary:node1}[edit] [email protected]# commit [edit security idp] 'idp-policy Space-IPS-Policy' No rulebase configured for active policy error: configuration check-out failed {primary:node1}[edit] [email protected]#
Based on kb26964, it is IDP error message, and it is relating to IDP Signature Database.
In this case, for somehow both nodes do not have same attack database version.
[email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A {secondary:node0}
Solutions
1. Disable IDP and install policy.
It works from command line but it is not ideal solution we want. If you got limited time to implement your change, it will help.
[email protected]# deactivate security idp {primary:node1}[edit] [email protected]# commit check node1: configuration check succeeds node0: configuration check succeeds
2. Reinstall Attack DB
2.1 Direct Install from Internet
If your device has internet access, you will just need to delete the attack DB from SRX and reinstall it.
[edit] root# run start shell user root ##Type the root password and delele the files:
root% rm -rf /var/db/idpd/sec-download/*
##Install either a previous version of the attack DB or the latest version:
root> request security idp security-package download version 2232 full-update root> request security idp security-package install
##Set the active policy as Recommended and then commit the configuration; it should be successful this time.
root# set security idp active-policy Recommended root# commit
##Check the policy commit status: root # run show security idp policy-commit-status
2.2 Install from JunOS Space
Delete all DB files, and push the latest Attack DB from Space again.
2.3 Copy from another node
in my case, since node 0 has latest IDP attack DB, just copy it over from Node 0 to node 1 to make sure both have same version of attack DB, the issue can be resolved.
[email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3004(Thu Nov 9 12:12:06 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A
[email protected]% rcp -r -T /var/db/idpd/* node1:/var/db/idpd/ [email protected]% [email protected]% [email protected]% cli {secondary:node0} [email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3005(Tue Nov 14 12:07:35 2017 UTC) Detector version :12.6.160170603 Policy template version :N/A
This method can fix most of IDP attack DB issue if one of your cluster member has a right version on it.
Share this:
Like this:
Like Loading...Related
标签:Juniper,No,rulebase,idp,version,policy,new,security,email 来源: https://blog.csdn.net/cpongo7/article/details/98947798