Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

cSRX Image with Packaged Preinstalled Signatures

What Are Preinstalled Signatures?

To support pre-installed signatures package in cSRX Container Firewall image, a Docker file is placed in localhost repository to help user compile cSRX Container Firewall with installed signatures. With the new image, you can launch cSRX Container Firewall Pod, that protects workload immediately after container is launched.

The supported functions for signature packaging are:

  • Intrusion Detection and Prevention (IDP)

  • Application Identification (AppID)

  • Content Security

Repackage cSRX Image with Preinstalled Signatures

  • Ensure to have the cSRX Container Firewall image placed in the local repository or any other Docker registry.

  • Ensure to include license file together with Docker file.

To repackage cSRX Container Firewall image with signatures:

  1. Create DockerFile.

    root@host# cat Dockerfile

    The ARG CSRX_BUILD_WITH_SIG=yes triggers for APPID and IDP signature auto installation.

    The optional ENV CSRX_LICENSE_FILE=/var/local/.csrx_license and COPY csrx.lic $CSRX_LICENSE_FILE commands are used to install owned license to cSRX Container Firewall container.

  2. Repackage image to include APPID and IDP signature.

    root@host# docker build -t localhost:5000/csrx-sig

  3. Push the image to the registry.

    root@host# docker push localhost:5000/csrx-sig

    The new cSRX Container Firewall image localhost:5000/csrx-sig:latest is ready for use.

  4. Change the mode to CLI.

    root@host# ke -it csrx-sig -- bash

    root@csrx-sig:/# cli

  5. View the APPID status.

    root@csrx-sig> show services application-identification status

  6. View IDP package version.

    root@csrx-sig> show security idp security-package-version

Download Juniper Signature Pack

You can download the signature pack from the Juniper Signature Repository directly when cSRX Container Firewall doesn’t have a preinstalled signature pack.

To download the signature pack from Juniper Signature Repository:

root@host> request services application-identification download

root@host> request security idp security-package download

Download Juniper Signature Pack Through Proxy Server

You can download the signature pack through a proxy server. AppIDD and IDPD processes first connects to the configured proxy server. The proxy server then communicates with the signature pack download server and provides the response to the process running on the device.

To download the signature pack through the proxy server:

  1. Configure the proxy server so that the IP address of the proxy server is reachable from cSRX Container Firewall.
  2. Run the following command to enter the configuration mode from the CLI.

    root@host> configure

    [edit]

    root@host#

  3. Configure the proxy server profile on cSRX Container Firewall using the IP address and port of the proxy server.

    root@host#set services proxy profile appid_sigpack_proxy protocol http host 4.0.0.1

    root@host#set services proxy profile appid_sigpack_proxy protocol http port 3128

  4. Attach the profile to AppID and IDP.

    root@host#set services application-identification download proxy-profile appid_sigpack_proxy

    root@host#set security idp security-package proxy-profile appid_sigpack_proxy

  5. Commit the configuration.

    root@host#commit and-quit

  6. Download the IDP and APPID signature pack through proxy server.

    root@host>request services application-identification download

    root@host>request security idp security-package download

To verify that the download is happening through the proxy server:

  1. Verify the logs in the proxy server.

    [root@srxdpi-lnx39 squid]# cat /var/log/squid/access.log

    In cSRX Container Firewall, the TLS protocol is used and traffic the through proxy server is encrypted.