Best Practices for SRX Software Upgrade

Junos software provides a “no-validate” option that bypasses the configuration compatibility check when the system administrator upgrades the Junos software version, but this option should be avoided if possible. This article shows one instance of the risk that comes with the “no-validate” option.

As of 12.1X44-D10, High-End SRX Series Services Gateways do not support the following IDP dedicated mode configuration statements. If one of them is configured before upgrading to 12.1X44-D10 and the no-validate option is used when executing the “request system software add” command, mgd generates “error: commit failed: (statements constraint check failed)” and activates a partial configuration. Until you correct the unsupported commands, that partial configuration allows a blank password for Telnet/J-Web/Console access and accepts any random password for SSH connections.

  • set security forwarding-process application-services maximize-idp-sessions weight firewall
  • set security forwarding-process application-services maximize-idp-sessions weight idp
  • set security forwarding-process application-services maximize-idp-sessions weight equal

For example, the system administrator used the “no-validate” option to upgrade Junos software from 11.4R7 to 12.1X44-D11. While the system was rebooting, ‘mgd’ detected a missing mandatory configuration, did not allow the full configuration to be committed, and activated a partial configuration.

Whenever possible, check the configuration compatibility before upgrading Junos software, then correct or change the configuration if ‘mgd’ generates error and warning messages. The example below shows the best way to upgrade SRX software.

1. Check the configuration compatibility between pre-12.1X44 and 12.1X44 using the “request system software validate <12.1X44-install-package>” command

2. Remove the unsupported commands or change the IDP mode from “dedicated mode” to “in-line tap mode”

3. Upgrade to 12.1X44
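
A pre-upgrade check to support steps 1 and 2, added here as an example and not part of the original article or of Junos: it scans a saved configuration, in either “display set” or curly-brace form, for the three statements listed above. The function names and the sample configurations are assumptions constructed for illustration.

```python
import re

# The three statements the article lists as unsupported as of 12.1X44-D10.
UNSUPPORTED = re.compile(
    r"security forwarding-process application-services "
    r"maximize-idp-sessions weight (firewall|idp|equal)"
)

def leaf_statements(config_text):
    """Return full statement paths from 'display set' or curly-brace config."""
    stack, leaves = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue                                 # blank line or comment
        if line.startswith("set "):
            leaves.append(line[4:])                  # set format: already a full path
        elif line.endswith("{"):
            stack.append(line[:-1].strip())          # descend one hierarchy level
        elif line == "}" and stack:
            stack.pop()                              # leave the current level
        elif line.endswith(";"):
            leaves.append(" ".join(stack + [line[:-1].strip()]))
    return leaves

def find_unsupported(config_text):
    """Return the statements that must be removed before the upgrade."""
    return [s for s in leaf_statements(config_text) if UNSUPPORTED.fullmatch(s)]

# Constructed sample inputs (hypothetical, not taken from a real device).
SAMPLE_HIERARCHY = """
system {
    host-name srx-lab;
}
security {
    forwarding-process {
        application-services {
            maximize-idp-sessions {
                weight idp;
            }
        }
    }
}
"""
SAMPLE_SET = """
set system host-name srx-lab
set security forwarding-process application-services maximize-idp-sessions weight equal
"""
```

An empty result from `find_unsupported` covers only the three statements named in this article; the “request system software validate” command in step 1 remains the authoritative compatibility check.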

 

About the author

Prasanna