My old post “Import Existing Juniper SRX Cluster into JunOS Space Security Director” was written for Space 14.1 and SRX 11.x. Both have since been upgraded: Space NMP and Security Director have been upgraded to 16.1 (post is here), and the SRX240H has been upgraded to 12.1X46-D55.
All steps are basically the same; only the web interface differs. What you need to do is configure your SRX cluster with a master-only IP on both nodes. The configuration should look like this:
root@fw-m-t-1> show configuration
## Last commit: 2017-03-23 14:44:28 UTC by root
version 12.1X46-D55.3;
groups {
    node1 {
        system {
            host-name fw-m-t-2;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.14/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    node0 {
        system {
            host-name fw-m-t-1;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.13/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    security;
    global-policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
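As an added pre-discovery check (not from the original post), the following Python parses the curly-brace output of show configuration shown above and verifies that node0 and node1 both carry the same master-only address on fxp0 unit 0, each next to its own preferred address. The embedded sample config is constructed and trimmed to the fxp0 part; the function and variable names are mine.

```python
import re

# Constructed sample (not the page's config): the fxp0 part of each node group, curly format.
SAMPLE_CONFIG = """groups {
    node0 { interfaces { fxp0 { unit 0 { family inet {
        address 10.9.1.13/24 { preferred; } address 10.9.1.15/24 { master-only; } } } } } }
    node1 { interfaces { fxp0 { unit 0 { family inet {
        address 10.9.1.14/24 { preferred; } address 10.9.1.15/24 { master-only; } } } } } }
}"""

# Tokens: a quoted string (the syslog match pattern contains braces), a brace/semicolon, or a word.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')

def parse_junos(text: str) -> dict:
    """Parse curly-brace Junos config into nested dicts keyed by statement text."""
    stack, words = [{}], []
    for tok in _TOKEN.findall(text):
        if tok == "}":
            stack.pop()
        elif tok in "{;":  # "{" opens a sub-hierarchy, ";" ends a leaf statement
            stack[-1][" ".join(words)] = child = {} if tok == "{" else None
            if tok == "{":
                stack.append(child)
            words = []
        else:
            words.append(tok)
    return stack[0]

def fxp0_addresses(node_cfg: dict) -> dict:
    """Map each fxp0 unit 0 inet address of one node group to its flag (or "none")."""
    try:
        inet = node_cfg["interfaces"]["fxp0"]["unit 0"]["family inet"]
    except (KeyError, TypeError):
        return {}
    return {stmt.split()[1]: (next(iter(body)) if body else "none")
            for stmt, body in inet.items() if stmt.startswith("address ")}

def check_master_only(config_text: str) -> list:
    """Return the problems found; an empty list means both nodes are laid out as required."""
    groups = parse_junos(config_text).get("groups") or {}
    problems, by_flag = [], {}
    for node in ("node0", "node1"):
        addrs = fxp0_addresses(groups.get(node) or {})
        for flag in ("master-only", "preferred"):
            by_flag[node, flag] = sorted(a for a, f in addrs.items() if f == flag)
            if len(by_flag[node, flag]) != 1:
                problems.append(f"{node}: expected one {flag} fxp0 address, found {by_flag[node, flag]}")
    if by_flag["node0", "master-only"] != by_flag["node1", "master-only"]:
        problems.append("master-only address differs between nodes")
    return problems
```

Feed it the full show configuration output of your cluster; the extra hierarchies are parsed and ignored, and only the master-only address it reports should be given to Space.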
In Junos Space, you just need to import the master-only IP. Here are the steps, with screenshots.
1. Device Discovery
- Create Device Discovery Profile
- Specify Probes
- Specify Credentials
- Specify Device Fingerprint
- Schedule Discovery Job
- Discovery Progress
- Discovered Device
Note: If your Space schema version does not cover your SRX OS version, the Schema Version column will show a mismatch. In that case, you will need to do a DMI schema download for the version you are missing.
- DMI Schema Download
2. Import Device
- Import Devices
Follow the on-screen notes to complete the steps; you will be able to import the firewall policy, NAT policy, IDP policy, etc.
- Imported Firewall Policy
- Imported IPS Policy
3. Publish and Update the policy to your SRX devices
- Update Firewall Policy
4. Troubleshooting
While updating the policy, I hit the following two errors:
4.1. [Error] Configuration update failed.
Severity : error
Message : remote lock-configuration failed on node1
The fix is at KB27800 – [SRX] The error ‘remote lock-configuration failed on node’ is seen in SRX chassis cluster
- Go to node with the stuck lock.
- Execute the following commands:
>start shell
%mgd clr-chg
4.2. [Error] Configuration update failed.
Severity : error
At : [edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-TCP/IP match]
Message : Please install the Signature Database
Details : attacks
Severity : error
Message : configuration check-out failed
The fix is simply to download the latest signature database and install it on the devices.
- Download Latest Signature Database