
My old post “Import Existing Juniper SRX Cluster into JunOS Space Security Director” was written against Space 14.1 and Junos 11.x on the SRX. Both have since been upgraded: Space Network Management Platform and Security Director are now 16.1 (post is here), and the SRX240H cluster now runs 12.1X46-D55.3.
All the steps are essentially the same; only the web interface differs. On the SRX side, the cluster needs a master-only address on fxp0 of both nodes, configured under the node0 and node1 groups. Each node keeps its own `preferred` address, and both nodes carry the same `master-only` address, which is active only on the node that is currently primary, so Space always reaches the active node through it. The configuration looks like this:
```
> show configuration
## Last commit: 2017-03-23 14:44:28 UTC by root
version 12.1X46-D55.3;
groups {
    node1 {
        system {
            host-name fw-m-t-2;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.14/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    node0 {
        system {
            host-name fw-m-t-1;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.13/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    security;
    global-policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

After committing, confirm that only the primary node answers on 10.9.1.15 before pointing Space at it; if both nodes answer, the address was configured without `master-only` on one of them.
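As an added example (not part of the original post), the Python script below parses the `groups` stanza of `show configuration` output and checks the properties the Space import depends on: each node has exactly one `preferred` fxp0 address, the two preferred addresses differ, both nodes carry the same `master-only` address, that address does not collide with a preferred one, and everything sits in one management subnet. It then reports the master-only IP to enter in Space device discovery. The embedded sample configuration is constructed from the addresses shown above (10.9.1.13 and 10.9.1.14 preferred, 10.9.1.15 master-only); `parse_junos`, `fxp0_addresses` and `check_cluster_mgmt` are this example's own helpers, not Junos or Space tooling.

```python
"""Check SRX cluster fxp0 addressing before Junos Space discovery.
Added example, not from the original post: parses Junos curly-brace
config text and verifies the preferred / master-only address layout."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the fxp0-relevant part of the cluster config above.
SAMPLE_CONFIG = """\
## Last commit: 2017-03-23 14:44:28 UTC by root
groups {
    node1 {
        system { host-name fw-m-t-2; backup-router 10.9.1.1; }
        interfaces { fxp0 { unit 0 { family inet {
            address 10.9.1.14/24 { preferred; }
            address 10.9.1.15/24 { master-only; }
        } } } }
    }
    node0 {
        system { host-name fw-m-t-1; backup-router 10.9.1.1; }
        interfaces { fxp0 { unit 0 { family inet {
            address 10.9.1.13/24 { preferred; }
            address 10.9.1.15/24 { master-only; }
        } } } }
    }
}
"""

# Tokens: double-quoted strings (syslog match patterns may contain ; or
# braces), structural characters, and bare words.
_TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')


def parse_junos(text: str) -> dict:
    """Parse `show configuration` text into nested dicts: block statements
    map to a dict of children, leaf statements map to None. Lines starting
    with '#' (the "## Last commit" annotation) are dropped first."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    tokens = _TOKEN_RE.findall("\n".join(lines))
    pos = 0

    def block() -> dict:
        nonlocal pos
        out: dict = {}
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                out[" ".join(words)], words = block(), []
            elif tok == ";":
                out[" ".join(words)], words = None, []
            elif tok == "}":
                return out
            else:
                words.append(tok)
        return out

    return block()


def fxp0_addresses(config: dict, node: str) -> Dict[str, set]:
    """Map each fxp0 unit 0 inet address of `node` to its flag set."""
    inet = config["groups"][node]["interfaces"]["fxp0"]["unit 0"]["family inet"]
    return {stmt.split()[1]: set(body or {})
            for stmt, body in inet.items() if stmt.startswith("address ")}


def check_cluster_mgmt(config: dict) -> Tuple[bool, str, List[str]]:
    """Return (ok, master_only_ip, problems) for a two-node cluster config."""
    problems: List[str] = []
    preferred: Dict[str, str] = {}
    master_only: Dict[str, str] = {}
    for node in ("node0", "node1"):
        try:
            addrs = fxp0_addresses(config, node)
        except KeyError:
            problems.append(f"{node}: no fxp0 unit 0 family inet under groups")
            continue
        pref = [a for a, flags in addrs.items() if "preferred" in flags]
        mo = [a for a, flags in addrs.items() if "master-only" in flags]
        if len(pref) != 1:
            problems.append(f"{node}: expected one preferred address, found {pref}")
        if len(mo) != 1:
            problems.append(f"{node}: expected one master-only address, found {mo}")
        if pref:
            preferred[node] = pref[0]
        if mo:
            master_only[node] = mo[0]
    if len(preferred) == 2 and preferred["node0"] == preferred["node1"]:
        problems.append(f"both nodes share preferred address {preferred['node0']}")
    if len(master_only) == 2 and master_only["node0"] != master_only["node1"]:
        problems.append(f"master-only address differs between nodes: {master_only}")
    if set(master_only.values()) & set(preferred.values()):
        problems.append("master-only address collides with a preferred address")
    # Space reaches the VIP over the management subnet, so every fxp0
    # address must lie in the same network.
    nets = {ipaddress.ip_interface(a).network
            for a in list(preferred.values()) + list(master_only.values())}
    if len(nets) > 1:
        problems.append(f"fxp0 addresses span several subnets: {sorted(map(str, nets))}")
    vip = "" if problems else str(ipaddress.ip_interface(master_only["node0"]).ip)
    return (not problems, vip, problems)


if __name__ == "__main__":
    ok, vip, issues = check_cluster_mgmt(parse_junos(SAMPLE_CONFIG))
    print("OK, discover in Space as", vip if ok else "\n".join(issues))
```

Run it against the output of `show configuration` saved to a file to get either the address to type into the Space discovery profile or a list of what is wrong with the cluster's fxp0 layout. The parser keeps quoted strings intact, so the long `match` pattern under `syslog` does not confuse it.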
In Junos Space you then discover and import the cluster through that master-only IP (10.9.1.15 here), not through the per-node addresses. Here are the steps with screenshots.
1. Device Discovery
- Screenshot: Create Device Discovery Profile
- Screenshot: Specify Probes
- Screenshot: Specify Credentials
- Screenshot: Specify Device Fingerprint
- Screenshot: Schedule Discovery Job
- Screenshot: Discovery Progress
- Screenshot: Discovered Device

The target of the discovery profile is the master-only IP. The fingerprint step is where Space pins the device's SSH host key; check it against the fingerprint shown on the SRX itself rather than accepting whatever is presented during discovery.
Note: if the DMI schema installed on Space does not include your SRX Junos version, the Schema Version column shows a mismatch. In that case, download the missing DMI schema version before importing.

- Screenshot: DMI Schema Download
2. Import Device
- Screenshot: Import Devices

Follow the on-screen prompts to complete the import; it brings in the firewall policy, NAT policy, IDP policy and so on.

- Screenshot: Imported Firewall Policy
- Screenshot: Imported IPS Policy
3. Publish and Update policy to your SRX devices
- Screenshot: Update Firewall Policy
4. Troubleshooting
While updating the policy I met the following two errors:
4.1. [Error] Configuration update failed: remote lock-configuration failed on node1

```
[Error] Configuration update failed.
Severity : error
Message : remote lock-configuration failed on node1
```

The fix is in KB27800 – [SRX] The error ‘remote lock-configuration failed on node’ is seen in SRX chassis cluster:

- Go to the node with the stuck lock.
- Execute the following commands:

```
> start shell
% mgd clr-chg
```
4.2. [Error] Configuration update failed: Please install the Signature Database

```
[Error] Configuration update failed.
Severity : error
At : [edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-TCP/IP match]
Message : Please install the Signature Database
Details : attacks
Severity : error
Message : configuration check-out failed
```

The imported IPS policy references attack objects, so the device rejects the commit until the IDP signature database is installed. The fix is to download the latest signature database in Security Director and install it on the devices.

- Screenshot: Download Latest Signature Database
Summary: importing the upgraded Juniper SRX cluster
This post shows how to configure a Juniper SRX240H cluster upgraded to 12.1X46-D55.3 and import it into the upgraded Juniper Space Network Management Platform and Security Director 16.1. The main steps are configuring the SRX cluster with a master-only IP address, discovering the device in Juniper Space, and importing the firewall, NAT and IDP policies.