
IDP Detector Engine FAQ

• What is a detector?

The detector engine is a dynamic protocol decoder that includes support for decoding 60+ protocols and 500+
service contexts.

• How does Juniper distribute the detector engine?

The detector engine is distributed as part of the signature update pack.

• How do I download the detector engine?

The detector engine can be downloaded from NSM. To download the latest detector engine along with the
signature updates, use the option Tools > View/Update NSM Attack Database.

• Are the detector engines different for ISG-IDP devices and standalone IDP devices?

Yes, they are different. When the signature update is performed, NSM downloads two different detector
engines, i.e. the IDP Detector Engine for ISG-IDP devices and the IDP Detector Engine for IDP 4.0 and 4.1 devices.

• When does Juniper release a new detector?

Juniper releases a new detector when support for new protocols/contexts is added or when a fix for false positives
on protocol anomalies is available.

• How do I identify the IDP detector version on the ISG-IDP firewall?

The following command on the ISG-IDP firewall will show the version of the detector:

#get system
IDP files version:

detector.so x.x.xxxxx

detector.so shows the version of the detector.


Alternatively, you can find the detector version in NSM: edit the device and go to
Security > IDP SM Settings > IDP Detector version.

• How do I identify the detector version available in NSM?

In NSM, select Tools > View/Update NSM Attack Database and click Next to see the current version of the
Detector in NSM.

• Why do I see multiple IDP detector engines when I download the NSM attack database?

The detector engines are different for ISG-IDP and Standalone IDP. In addition, for ISG-IDP the detector engine
supported on ScreenOS 5.0 / ScreenOS 5.4 is different from the one for ScreenOS 6.0. Similarly, for Standalone IDPs
the detector engine is different for IDP 4.0 and IDP 4.1 devices.

The following detector versions are supported on the different software versions:

Software / Version              Detector
ScreenOS 6.0                    3.4.xxxxx
ScreenOS 5.4 / ScreenOS 5.0     3.1.xxxxx
IDP 4.1                         4.1.xxxxx
IDP 4.0                         4.0.xxxxx

Only the supported detector versions can be pushed to the device. For example, a 3.4.xxxxx detector cannot be
pushed to ScreenOS 5.4 or ScreenOS 5.0.

• How do I push the new detector engine to the Standalone IDP or ISG-IDP device?

Select Devices > IDP Detector Engine > Load IDP Detector Engine

This will update the device with the latest detector engine.

• Do I need to push policy to the device after the new detector engine is loaded?

Yes. Once the new detector engine is pushed to the device, remember to update the policy on the
ISG-IDP/Standalone IDP.

• How often do I update the device with the new detector engine?

Juniper sends a notification to the customer when a new detector engine is released. Once the new engine
is available, update the device to get support for new protocols/contexts.

• What happens if my device already has the latest detector and I try to update the detector
engine from NSM?

NSM will generate a warning stating that the detector versions are the same.

PURPOSE:
Configuration

How to update the detector version on IDP

SUMMARY:
What is the procedure for updating the IDP detector version?

SOLUTION:
To update the detector version on an IDP or ISG-IDP device, you first need to update the attack database to the
latest version.

To update the attack database:
1. In the NSM UI, go to Tools > Update Attack Database.
2. Update the attack database to the latest available version.

To update the detector engine:

1. In the NSM UI, go to Menu > Devices > IDP Detector Engine > Load IDP detector Engine. This will
display the latest detector engine that will be pushed to the device.
2. Select the IDP and ISG-IDP devices to update with the latest detector version.

Pushing a new policy to an IDP device updates only the attack signatures, not the detector version.

Error loading a new IDP Detector Engine on ISG-IDP

PROBLEM OR GOAL:
It is possible that the NSM database contains IDP Detector Engine version information that does not reflect
the actual state of the device.

Verify that the device does NOT already have the same detector.so that NSM is trying to load, or a newer one:

1. Connect to the ISG CLI (via serial port or telnet/SSH).
2. Run the command get sys and check the 'IDP files version' section.

Sample Output:

ISG2000(M)-> get sys
Product Name: NetScreen-2000
[...]
IDP files version:
detector.so 3.1.99116
engine 3.1.99393
pcid 3.1.99393
scio 3.1.99393

3. On NSM, choose 'Device > IDP Detector Engine > Load IDP Detector Engine' and on the wizard
click 'Next'.
4. Check the version that corresponds to the ScreenOS version running on the ISG.
5. Compare the versions obtained to check that the version on the device is older than the version on
NSM.
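
The comparison in steps 2 to 5 can be scripted against saved CLI output. The following is an added example, not Juniper code: it parses the 'IDP files version' section of the sample output above and classifies a planned load using the supported-version table earlier in this FAQ. The function names, the result strings, the NSM-side version numbers and the choice of ScreenOS 5.4 for the sample device are assumptions made for illustration.

```python
import re

# Detector family (major, minor) per platform, from the table in this FAQ.
SUPPORTED_FAMILY = {
    "ScreenOS 6.0": (3, 4), "ScreenOS 5.4": (3, 1), "ScreenOS 5.0": (3, 1),
    "IDP 4.1": (4, 1), "IDP 4.0": (4, 0),
}

# 'get sys' output as shown in this FAQ (other fields elided there as well).
SAMPLE = """ISG2000(M)-> get sys
Product Name: NetScreen-2000
[...]
IDP files version:
detector.so 3.1.99116
engine 3.1.99393
pcid 3.1.99393
scio 3.1.99393
"""

def parse_idp_files(get_sys_output):
    """Return {component: (major, minor, build)} from 'IDP files version'."""
    versions, in_section = {}, False
    for line in get_sys_output.splitlines():
        if line.strip().lower().startswith("idp files version"):
            in_section = True
        elif in_section and line.strip():
            m = re.fullmatch(r"\s*(\S+)\s+(\d+)\.(\d+)\.(\d+)\s*", line)
            if not m:
                break  # first non-version line ends the section
            versions[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return versions

def check_load(get_sys_output, platform, nsm_detector):
    """Classify a planned 'Load IDP Detector Engine' job before running it."""
    device = parse_idp_files(get_sys_output).get("detector.so")
    if device is None:
        return "no-detector-found"
    candidate = tuple(int(p) for p in nsm_detector.split("."))
    if candidate[:2] != SUPPORTED_FAMILY[platform]:
        return "unsupported-family"  # e.g. 3.4.x cannot go to ScreenOS 5.4
    if candidate == device:
        return "same-version"        # NSM warns that the versions are the same
    if candidate < device:
        return "device-newer"        # device already ahead of NSM's detector
    return "ok-to-load"              # device is older, as step 5 expects

if __name__ == "__main__":
    # NSM-side versions below are constructed for illustration.
    for nsm in ("3.1.99200", "3.1.99116", "3.1.90000", "3.4.10000"):
        print(nsm, check_load(SAMPLE, "ScreenOS 5.4", nsm))
```

If the result is ok-to-load and the NSM job still fails, the device record in NSM is the likely mismatch, which is the case the re-import procedure below addresses.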

SOLUTION:
To solve the issue, re-import the ISG-IDP device into the NSM server.

To re-import, follow this procedure:

1. On 'Device Manager > Security Devices', right-click the device that has the problem.
2. Choose 'Import Device' and follow the procedure.

Now verify that the 'Load IDP Detector Engine' job completes successfully.

After the import, under 'Policy Manager->Security Policies', the imported Firewall/VPN policy will be
created using the assigned policy name plus a '_1' at the end.
This policy won't contain the IDP rules and can be deleted when finished.
