
Best Practices for SRX Software Upgrade

May 31, 2016 by Marques Brownlee

Junos software provides a “no-validate” option that bypasses the configuration compatibility check when the system administrator upgrades the Junos software version, but this option should be avoided if possible. This article shows one instance of the risk of the “no-validate” option.

As of 12.1X44-D10, High-End SRX Series Services Gateways do not support the following IDP dedicated mode configuration statements. If one of them is configured before upgrading to 12.1X44-D10 and the no-validate option is used when executing the “request system software add” command, mgd generates “error: commit failed: (statements constraint check failed)” and activates a partial configuration, which allows a blank password for Telnet/J-Web/Console access and accepts any random password for SSH connections until you correct the unsupported commands.

  • set security forwarding-process application-services maximize-idp-sessions weight firewall
  • set security forwarding-process application-services maximize-idp-sessions weight idp
  • set security forwarding-process application-services maximize-idp-sessions weight equal

For example, the system administrator used the “no-validate” option to upgrade Junos software from 11.4R7 to 12.1X44-D11. While the system rebooted, ‘mgd’ detected a missing mandatory configuration statement, did not allow the full configuration to be committed, and activated a partial configuration.

admin@SRX3600> request system software add no-copy no-validate junos-srx1k3k-12.1X44-D11.5-domestic.tgz reboot 
...
Loading configuration ...
[edit security forwarding-process application-services]
'maximize-idp-sessions'
inline-tap must be specified   <-- LOOK HERE, missing mandatory configuration
mgd: error: commit failed: (statements constraint check failed)
Warning: Commit failed, activating partial configuration.
Warning: Edit the router configuration to fix these errors.
...
SRX3600 (ttyu0)

login: admin
              <-- LOOK HERE, no password is required !!!
--- JUNOS 12.1X44-D11.5 built 2013-06-01 07:26:30 UTC
admin@SRX3600>

Whenever possible, check configuration compatibility before upgrading Junos software, then correct or change the configuration if ‘mgd’ generates an error or warning message. The example below shows the best way to upgrade SRX software.

1. Check the configuration compatibility between pre-12.1X44 and 12.1X44 using the “request system software validate <12.1X44-install-package>” command

admin@SRX3600> request system software validate junos-srx1k3k-12.1X44-D11.5-domestic.tgz 
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_11_4_0
Verified junos-11.4R7.5-domestic signed by PackageProduction_11_4_0
Using /var/home/admin/junos-srx1k3k-12.1X44-D11.5-domestic.tgz
Checking junos requirements on /
Available space: 618164 require: 273584
Saving boot file package in /var/sw/pkg/junos-boot-srx1k3k-12.1X44-D11.5.tgz
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: error: Could not disable auto-snapshot configuration
[edit security forwarding-process application-services]
'maximize-idp-sessions'
inline-tap must be specified
mgd: error: commit failed: (statements constraint check failed)
Validation failed
WARNING: Current configuration not compatible with /var/home/admin/junos-srx1k3k-12.1X44-D11.5-domestic.tgz

2. Remove the unsupported commands or change the IDP mode from “dedicated mode” to “inline-tap mode”

// changing to "integrated mode"
delete security forwarding-process application-services maximize-idp-sessions
commit

or 

// changing to "inline-tap mode - firewall"
set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
commit

or

// changing to "inline-tap mode - idp"
set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp
commit

3. Upgrade to 12.1X44

request system software add no-copy junos-srx1k3k-12.1X44-D11.5-domestic.tgz reboot
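
The three steps above can be turned into an automated pre-upgrade gate. The following is an added example, not code from the original article or from Juniper: it assumes the configuration has been exported with "show configuration | display set" and the text of "request system software validate" has been saved, and the function names and sample inputs are hypothetical.

```python
import re

# Dedicated-mode statements the article lists as unsupported from 12.1X44-D10:
# "weight <x>" directly under maximize-idp-sessions, with no inline-tap keyword.
DEDICATED_RE = re.compile(
    r"^set security forwarding-process application-services "
    r"maximize-idp-sessions weight (firewall|idp|equal)\s*$")
# Failure lines exactly as they appear in the validate output shown above.
FAIL_MARKERS = ("commit failed", "Validation failed", "not compatible with")

def find_dedicated_mode(set_config):
    """Return 'display set' lines that still configure IDP dedicated mode."""
    lines = (ln.strip() for ln in set_config.splitlines())
    return [ln for ln in lines if DEDICATED_RE.match(ln)]

def validation_errors(validate_output):
    """Return validate-output lines showing the config will not commit."""
    return [ln.strip() for ln in validate_output.splitlines()
            if any(marker in ln for marker in FAIL_MARKERS)]

def safe_to_upgrade(set_config, validate_output):
    """Fail closed: missing output, any error line, or any dedicated-mode
    statement blocks the upgrade."""
    if not validate_output.strip():
        return False
    return not find_dedicated_mode(set_config) and not validation_errors(validate_output)

# Constructed sample inputs (hypothetical device state, modelled on the article).
BEFORE_CONFIG = """\
set system host-name SRX3600
set security forwarding-process application-services maximize-idp-sessions weight idp
"""
AFTER_CONFIG = """\
set system host-name SRX3600
set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp
"""
VALIDATE_FAIL = """\
Validating against /config/juniper.conf.gz
[edit security forwarding-process application-services]
'maximize-idp-sessions'
inline-tap must be specified
mgd: error: commit failed: (statements constraint check failed)
Validation failed
"""
VALIDATE_CLEAN = "Validating against /config/juniper.conf.gz\n"  # constructed

if __name__ == "__main__":
    print(safe_to_upgrade(BEFORE_CONFIG, VALIDATE_FAIL))
    print(safe_to_upgrade(AFTER_CONFIG, VALIDATE_CLEAN))
```

Run the gate against the live device's exported configuration and validate output, and issue "request system software add" without "no-validate" only when it returns True.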

 
