[j-nsp] SRX and http/https proxy

Roger Wiklund roger.wiklund at gmail.com
Tue Dec 12 09:34:53 EST 2017


Two options off the top of my head:

1. Use Security Director, that will download the signature to the server
and then push it to the device. (SD will also give you lots of other
benefits/visibility)
2. Download the update to a web server the SRX can reach, then use
offline-download "request security idp security-package offline-download
package-path http://x/y"

You can easily configure an event-option to run the update every night.

set event-options generate-event daily time-of-day 01:00:00
set event-options policy update_idp_package events daily
set event-options policy update_idp_package then execute-commands command "request security idp security-package offline-download package-path http://x/y"

BTW stick with Junos 15.1X49-D120 for now. 17.4 or 18.1 will get full
15.1X49 feature parity.

Regards
Roger






On Tue, Dec 12, 2017 at 11:38 AM, Benoit Plessis <b.plessis at doyousoft.com>
wrote:

> Hi,
>
> We have recently bought an SRX345 cluster with IDP licensing and I'm a
> bit baffled by something a bit "stupid".
>
> The SRX will need regular downloads over the internet for the IDP
> database; however, on principle I set up the system so that the admin
> interface has limited network connectivity (by use of a separate
> routing-instance for the main traffic).
>
> So I looked for a way for the SRX to use a web proxy (squid, ffproxy)
> for those operations.
>
> According to the documentation & configuration it is supported (system
> proxy server / system proxy port); however, of the 4 download "use-cases" I
> tested (request system license update, request security idp
> security-package download, request system license add, file copy) only
> the first (request system license update) does "try" to respect and use
> the system proxy, and even there it doesn't correctly communicate with
> the proxy for "https" requests.
>
> I tried with 17.3R1.10, 12.1X46-D15.3, 12.3X48-D40.5 with the same
> result each time.
>
>
> A case is pending opening with Juniper support but the support contract
> of the SRX345 isn't opened yet, so I thought of reaching out here;
> does anybody know anything on the subject?
>
> Regards,
> Benoit Plessis
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

