Configuring Kaspersky AV on Juniper SRX (Junos)




There are currently 3 antivirus solutions for the SRX, each of which requires its own license to activate:
* Kaspersky
* Sophos
* Juniper Express

Briefly, some differences between the 3 options are:
Kaspersky 
* Full file based AV
* Local signature database lookups. AV signatures downloaded as a package.
* Largest CPU performance impact
* Supports Intelligent Prescreening

Sophos
* Cloud-based signature database, which therefore requires constant Internet access for AV lookups.
* Moderate CPU performance impact
* No Prescreening

Juniper Express
* Less protection than the other 2 options 
* Only protects against critical threats. Modified Kaspersky database.
* Does not reconstruct content prior to scanning 
* Pattern matching based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening.
* Least CPU performance impact and highest throughput.

As our test today is on an SRX100H we only have 2 of those options available. Juniper Express is not available on the 100 as it doesn't have Content Security Accelerator hardware.
Check the current antivirus status:
root@srx100> show security utm anti-virus status
 UTM anti-virus status:
    Scan engine type: no-config
root@srx100>
Nothing is configured yet.

Set the scan engine you want to use (in this example, the Kaspersky Lab engine).
user@host# set security utm feature-profile anti-virus type kaspersky-lab-engine

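Setting up automatic Kaspersky AV pattern updates:
By default, the antivirus pattern database is configured to update automatically every 60 minutes. You can also have an e-mail notification sent to the administrator when a pattern update completes.
1. Configure a different interval for the Kaspersky scan engine to update the pattern database.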
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX100
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 60
Note: The trailing "SRX100" in the URL depends on your device model; see the notes below:
There are 3 types of AV on SRX devices. High-end SRX only supports type 3.
Express Antivirus Scanner
Database Update Path
Full Antivirus Pattern Updates
Database Update Path
Sophos Antivirus Protection
Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.
Database Update Path

Alternatively, you can trigger a pattern update manually with the following operational command:
user@host> request security utm anti-virus kaspersky-lab-engine pattern-update

2. Configure e-mail notification for pattern updates
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify admin-email "admin@juniper.net"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message "Pattern UPDATE Done"
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message-subject "AV UPDATE COMPLETE"

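3. Configure the scan mode of the antivirus engine
The default, which is what applies when no scan mode is configured, scans all files. This consumes a lot of system resources and reduces the device's throughput.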
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode all
Scan only files with specific extensions, using the Junos default extension list. (This is the method we use here.)
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode by-extension
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-extension junos-default-extension
Scan only files with specific extensions, using a custom extension list.
set security utm custom-objects filename-extension extlist1 value [ zip js vbs exe com bin rar 7z ]
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode by-extension
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-extension extlist1


We can now check the current antivirus status.
root@srx100> show security utm anti-virus status
 UTM anti-virus status:
    Anti-virus key expire date: 2018-02-27 08:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100
           Interval: 60 minutes
           Pattern update status: in process
           Last result: downloading signature files
    Anti-virus signature version: not loaded
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: Engine not ready
root@srx100>

Check the status again a few minutes later.
root@srx100> show security utm anti-virus status
 UTM anti-virus status:
    Anti-virus key expire date: 2018-02-27 08:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100
           Interval: 60 minutes
           Pattern update status: next update in 54 minutes
           Last result: already have latest database
    Anti-virus signature version: 02/21/2018 20:35 GMT, virus records: 466030
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: No error(0x00000000)
root@srx100> show security utm anti-virus statistics

The configuration from this section is as follows:
security {
    utm {
        custom-objects {
            filename-extension {
                extlist1 {
                    value [ zip js vbs exe com bin rar 7z ];
                }
            }
        }
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX100;
                        interval 60;
                    }
                    profile junos-av-defaults {
                        scan-options {
                            scan-mode by-extension;
                            scan-extension junos-default-extension;
                        }
                    }
                }
            }
        }
    }
}


Configure the UTM policy you want to use
Define the UTM policy for the HTTP protocol to be scanned with the full file-based default profile.
user@host# set security utm utm-policy custom-utm-policy anti-virus http-profile junos-av-defaults
Note: A separate anti-virus profile is needed for each protocol. The available protocols include HTTP (web protection), FTP (file transfer protection), SMTP (outgoing e-mail protection), POP3 (incoming e-mail protection), and IMAP (incoming e-mail protection).
set security utm utm-policy custom-utm-policy anti-virus http-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy custom-utm-policy anti-virus imap-profile junos-av-defaults
To avoid wasting system resources, it is recommended to select only the protocols you actually need to protect.

The configuration so far:
security {
    utm {
        utm-policy custom-utm-policy {
            anti-virus {
                http-profile junos-av-defaults;
                ftp {
                    upload-profile junos-av-defaults;
                    download-profile junos-av-defaults;
                }
                smtp-profile junos-av-defaults;
                pop3-profile junos-av-defaults;
                imap-profile junos-av-defaults;
            }
        }
    }
}


Apply the UTM policy to a security policy
Apply the UTM policy to a security policy (in this example, security policy called web-access).
user@host# set security policies from-zone trust to-zone untrust policy web-access match source-address any destination-address any application junos-http
user@host# set security policies from-zone trust to-zone untrust policy web-access then permit application-services utm-policy custom-utm-policy

set security policies from-zone trust to-zone untrust policy web-access match source-address any
set security policies from-zone trust to-zone untrust policy web-access match destination-address any
set security policies from-zone trust to-zone untrust policy web-access match application junos-http
set security policies from-zone trust to-zone untrust policy web-access match application junos-ftp
set security policies from-zone trust to-zone untrust policy web-access match application junos-imap
set security policies from-zone trust to-zone untrust policy web-access match application junos-pop3
set security policies from-zone trust to-zone untrust policy web-access match application junos-smtp
set security policies from-zone trust to-zone untrust policy web-access then permit application-services utm-policy custom-utm-policy
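Once the policy is configured, we still have to move it to the top of the policy list so that it is evaluated first. With our configuration, placing it before the trust-to-untrust policy is enough.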
insert security policies from-zone trust to-zone untrust policy web-access before policy trust-to-untrust
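If we don't do this, the policy web-access we created is appended after policy trust-to-untrust. Policy trust-to-untrust permits all traffic from the internal network to the outside, so every such flow matches trust-to-untrust, which means policy web-access, sitting after it, is never evaluated.
PS: The rule for policy evaluation is: if 10 policies match your traffic, the policy actually applied is the first one encountered.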

To move a policy in the CLI, use the insert command:
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> before policy <policy-name>
root@siteA# insert security policies from-zone <zone> to-zone <zone> policy <policy-name> after policy <policy-name>


Make sure that your policy is activated. In Junos OS 10.0 and higher, your changes do not take effect until you click the Commit button (under the tabs).

[edit]
root@srx100# commit
commit complete
[edit]
root@srx100# exit
Exiting configuration mode

At this point the basic antivirus configuration is complete!

The configuration from this section:
security {
    policies {
        from-zone trust to-zone untrust {
            policy web-access {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-ftp junos-imap junos-pop3 junos-smtp ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
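
The first-match rule described above, as an added example that is not part of the original post: it models the two policies of this zone pair, shows that web-access is shadowed in the order in which it was created, and that the insert command fixes it. The function names and the junos-ssh test flow are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Policy:
    name: str
    src: frozenset
    dst: frozenset
    apps: frozenset
    utm_policy: Optional[str] = None  # None = plain permit, no AV scanning


def _covers(outer: frozenset, inner: frozenset) -> bool:
    """True if everything matched by `inner` is also matched by `outer`."""
    if ANY in outer:
        return True
    return ANY not in inner and inner <= outer


def first_match(policies: List[Policy], src: str, dst: str, app: str) -> Optional[Policy]:
    """Return the first policy, in list order, that matches the flow."""
    for p in policies:
        if all(ANY in field or value in field
               for field, value in ((p.src, src), (p.dst, dst), (p.apps, app))):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """List (policy, earlier_policy) pairs where the earlier one hides the later."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and _covers(earlier.apps, later.apps)):
                hits.append((later.name, earlier.name))
                break
    return hits


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Model `insert ... policy <name> before policy <before>`."""
    moved = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moved] + rest[idx:]


# The two policies of from-zone trust to-zone untrust, as configured on this page.
TRUST_TO_UNTRUST = Policy("trust-to-untrust", frozenset({ANY}), frozenset({ANY}),
                          frozenset({ANY}))
WEB_ACCESS = Policy("web-access", frozenset({ANY}), frozenset({ANY}),
                    frozenset({"junos-http", "junos-ftp", "junos-imap",
                               "junos-pop3", "junos-smtp"}),
                    utm_policy="custom-utm-policy")

AS_CREATED = [TRUST_TO_UNTRUST, WEB_ACCESS]          # new policy is appended
AS_FIXED = insert_before(AS_CREATED, "web-access", "trust-to-untrust")

if __name__ == "__main__":
    for label, order in (("as created", AS_CREATED), ("after insert", AS_FIXED)):
        hit = first_match(order, "192.168.1.2", "213.211.198.62", "junos-http")
        print(f"{label}: HTTP hits {hit.name}, utm-policy={hit.utm_policy}, "
              f"shadowed={shadowed(order)}")
```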


How to configure syslog for SRX Kaspersky AV
Before we start, let's look at which messages Kaspersky AV generates. Examples follow:
AV_HUGE_FILE_DROPPED_MT  LOG_PFE,Skip antivirus scanning and drop the received traffic due to huge file
AV_HUGE_FILE_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning and pass the received traffic due to huge file
AV_MANY_MSGS_DROPPED_MT  LOG_PFE,Drop the received file due to excessive traffic
AV_MANY_MSGS_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning due to excessive traffic
AV_PATTERN_GET_FAILED  LOG_FIREWALL,The device was unable to retrieve an antivirus pattern file from the server
AV_PATTERN_KEY_EXPIRED  LOG_FIREWALL,Unable to download the antivirus pattern file, because the antivirus license key has been expired
AV_PATTERN_KL_CHECK_FAILED  LOG_FIREWALL,The device is unable to use Kaspersky's pattern file
AV_PATTERN_TOO_BIG   LOG_FIREWALL,The pattern file size specified in the server initialization file exceeds the limit
AV_PATTERN_UPDATED   LOG_FIREWALL,The internal antivirus scanner successfully updated the antivirus pattern file
AV_PATTERN_WRITE_FS_FAILED  LOG_FIREWALL,The device is unable to save contents of an antivirus pattern file
AV_SCANNER_DROP_FILE_MT  LOG_PFE,Drop the received traffic due to an internal error of antivirus scanner
AV_SCANNER_ERROR_SKIPPED_MT  LOG_PFE,Skip antivirus scanning due to an internal error
AV_SCANNER_READY     LOG_FIREWALL,The antivirus scan engine is ready
AV_VIRUS_DETECTED_MT  LOG_PFE,The antivirus scanner detected a virus

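All syslog messages generated by Kaspersky AV begin with the string "AV_", and the messages generated when a virus is detected contain the string "AV_VIRUS_DETECTED_MT". We therefore store virus-detection messages in the file AV_VIRUS and all other messages in the file AV_OPS, which makes them easier to find.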
set system syslog file AV_VIRUS any any
set system syslog file AV_VIRUS match "AV_VIRUS_DETECTED_MT"
set system syslog file AV_VIRUS archive size 1m files 3
set system syslog file AV_OPS any any
set system syslog file AV_OPS match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)"
set system syslog file AV_OPS archive size 1m files 3

set system syslog host 192.168.1.3 port 514
set system syslog host 192.168.1.3 any any

The configuration from this section is as follows:
system {
    syslog {
        host 192.168.1.3 {
            any any;
            port 514;
        }
        file AV_VIRUS {
            any any;
            match "AV_VIRUS_DETECTED_MT";
            archive size 1m files 3;
        }
        file AV_OPS {
            any any;
            match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)";
            archive size 1m files 3;
        }
    }
}

To view the messages:
root@srx100> show log AV_VIRUS
Feb 24 01:42:18  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected:
 from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust www.eicar.org/d
ownload/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/ei
car.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Te
st-File username N/A roles N/A
Feb 24 03:42:15  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected:
 from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust www.eicar.org/d
ownload/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus
EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File userna
me N/A roles N/A
root@srx100>
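
Parsing the detection records above, as an added example that is not part of the original post: it rejoins the records that the terminal wrapped at 80 columns (including a wrap where the trailing blank was lost) and extracts the fields of each AV_VIRUS_DETECTED_MT message. The field names and function names are assumptions chosen for the illustration; the sample is the log output shown above.

```python
import re
from collections import Counter
from typing import Dict, List

WIDTH = 80  # column at which the terminal wrapped the `show log` output

# Copied from the `show log AV_VIRUS` output above, hard wraps included.
SAMPLE = """\
root@srx100> show log AV_VIRUS
Feb 24 01:42:18  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected:
 from 213.211.198.62:80 to 192.168.1.2:50150 source-zone untrust www.eicar.org/d
ownload/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/ei
car.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Te
st-File username N/A roles N/A
Feb 24 03:42:15  srx100 RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected:
 from 213.211.198.62:80 to 192.168.1.2:50887 source-zone untrust www.eicar.org/d
ownload/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus
EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File userna
me N/A roles N/A
root@srx100>
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PROMPT = re.compile(r"^\S+@\S+[>#]")
EVENT = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\s+(?P<host>\S+) RT_UTM: "
    r"AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
    r"from (?P<src>\S+) to (?P<dst>\S+) source-zone (?P<zone>\S+) "
    r"(?P<url>\S+) file (?P<file>\S+) virus (?P<virus>\S+) "
    r"URL:(?P<info>\S+) username (?P<user>.+?) roles (?P<roles>.+)$")


def unwrap(text: str) -> List[str]:
    """Rejoin records that the terminal split at WIDTH columns."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip() or PROMPT.match(line):
            continue
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    # A wrapped line shorter than WIDTH lost its trailing blank; ljust restores it.
    return ["".join(part.ljust(WIDTH) for part in rec).rstrip() for rec in records]


def parse_detections(text: str) -> List[Dict[str, object]]:
    """Return one dict per AV_VIRUS_DETECTED_MT record found in the text."""
    events: List[Dict[str, object]] = []
    for record in unwrap(text):
        m = EVENT.match(record)
        if not m:
            continue  # some other message, or a record damaged beyond repair
        ev: Dict[str, object] = dict(m.groupdict())
        ev["src_ip"], _, ev["src_port"] = str(ev.pop("src")).rpartition(":")
        ev["dst_ip"], _, ev["dst_port"] = str(ev.pop("dst")).rpartition(":")
        # The file field is the requested URL plus the path inside the archive(s).
        url, path = str(ev["url"]), str(ev["file"])
        inner = path[len(url):].strip("/") if path.startswith(url) else ""
        ev["archive_path"] = inner
        ev["archive_depth"] = len(inner.split("/")) if inner else 0
        events.append(ev)
    return events


def by_client(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count detections per destination (the internal client that downloaded)."""
    return dict(Counter(str(ev["dst_ip"]) for ev in events))


if __name__ == "__main__":
    for ev in parse_detections(SAMPLE):
        print(ev["ts"], ev["dst_ip"], ev["virus"], ev["url"], ev["archive_path"])
    print(by_client(parse_detections(SAMPLE)))
```

The same functions work on unwrapped lines read from a syslog server, since a line longer than 80 columns is treated as one complete record.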


How to confirm that SRX Kaspersky AV protection is working

Check the antivirus status.
root@srx100> show security utm anti-virus status


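Test with an actual virus download
There is an antivirus test site on the Internet, http://www.eicar.org. Its test files are harmless but are detected by antivirus software, so we can use them to test the SRX Kaspersky AV protection.
You can click the following web link to run the antivirus test.
As shown in the figure below: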




After clicking, if Kaspersky AV protection is working correctly, the page shows the following message:

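However, if instead of clicking you right-click and choose Save As, the file is not detected by SRX Kaspersky AV, but it is detected by the antivirus software on your computer.
You can use the EICAR test file to test antivirus protection for POP3, SMTP, IMAP, FTP and so on.
See the following link: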
SRX UTM: Antivirus - Kaspersky Full


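How to determine the default antivirus settings on the SRX platform
To see the default antivirus settings, use the following operational command: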
root@srx100> show configuration groups junos-defaults security utm feature-profile anti-virus
type kaspersky-lab-engine;
#
# should not set no-autoupdate at any time
#
kaspersky-lab-engine {
    pattern-update {
        url http://update.juniper-updates.net/AV/SRX100/;
        interval 60;
    }
    profile junos-av-defaults {
        fallback-options {
            default log-and-permit;
            corrupt-file log-and-permit;
            password-file log-and-permit;
            decompress-layer log-and-permit;
            content-size log-and-permit;
            engine-not-ready log-and-permit;
            timeout log-and-permit;
            out-of-resources log-and-permit;
            too-many-requests log-and-permit;
        }
        scan-options {
            intelligent-prescreening;
            scan-mode all;
            content-size-limit 10000;
            timeout 180;
            decompress-layer-limit 2;
        }
        notification-options {
            virus-detection {
                type message;
                no-notify-mail-sender;
                custom-message "VIRUS WARNING";
            }
            fallback-block {
                type message;
                no-notify-mail-sender;
            }
        }
    }
}
sophos-engine {
    pattern-update {
        url http://update.juniper-updates.net/SAV/;
        interval 1440;
    }
    profile junos-sophos-av-defaults {
        fallback-options {
            default log-and-permit;
            content-size log-and-permit;
            engine-not-ready log-and-permit;
            timeout log-and-permit;
            out-of-resources log-and-permit;
            too-many-requests log-and-permit;
        }
        scan-options {
            uri-check;
            content-size-limit 10000;
            timeout 180;
        }
        notification-options {
            virus-detection {
                type message;
                no-notify-mail-sender;
                custom-message "VIRUS WARNING";
            }
            fallback-block {
                type message;
                no-notify-mail-sender;
            }
        }
    }
}
set security utm feature-profile anti-virus type kaspersky-lab-engine
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX100/
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 60
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options default log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options corrupt-file log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options password-file log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options decompress-layer log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options content-size log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options timeout log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options intelligent-prescreening
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options scan-mode all
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options content-size-limit 10000
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options timeout 180
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults scan-options decompress-layer-limit 2
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection no-notify-mail-sender
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options virus-detection custom-message "VIRUS WARNING"
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options fallback-block type message
set security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults notification-options fallback-block no-notify-mail-sender
set security utm feature-profile anti-virus sophos-engine pattern-update url http://update.juniper-updates.net/SAV/
set security utm feature-profile anti-virus sophos-engine pattern-update interval 1440
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options default log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options content-size log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options timeout log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options uri-check
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options content-size-limit 10000
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults scan-options timeout 180
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection type message
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection no-notify-mail-sender
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options virus-detection custom-message "VIRUS WARNING"
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options fallback-block type message
set security utm feature-profile anti-virus sophos-engine profile junos-sophos-av-defaults notification-options fallback-block no-notify-mail-sender
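
Every fallback option in the defaults above is log-and-permit, meaning that traffic is passed unscanned whenever the engine cannot finish a scan. The following added example, which is not part of the original post, parses a trimmed copy of that output, lists the fail-open conditions together with the scan-options limits that trigger them, and generates set commands for a custom profile that blocks instead. The profile name av-fail-closed and all function names are hypothetical.

```python
from typing import Dict, List, Sequence, Tuple

# Trimmed copy of the junos-defaults output above (Kaspersky profile only).
DEFAULTS = """\
type kaspersky-lab-engine;
# should not set no-autoupdate at any time
kaspersky-lab-engine {
    profile junos-av-defaults {
        fallback-options {
            default log-and-permit;
            corrupt-file log-and-permit;
            password-file log-and-permit;
            decompress-layer log-and-permit;
            content-size log-and-permit;
            engine-not-ready log-and-permit;
            timeout log-and-permit;
            out-of-resources log-and-permit;
            too-many-requests log-and-permit;
        }
        scan-options {
            scan-mode all;
            content-size-limit 10000;
            timeout 180;
            decompress-layer-limit 2;
        }
    }
}
"""

# scan-options limit -> fallback condition that applies when it is exceeded
LIMIT_FOR = {"content-size-limit": "content-size", "timeout": "timeout",
             "decompress-layer-limit": "decompress-layer"}


def parse_junos(text: str) -> List[Tuple[Tuple[str, ...], str]]:
    """Flatten curly-brace Junos config into (path, statement) leaves."""
    path: List[str] = []
    leaves: List[Tuple[Tuple[str, ...], str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        elif line.endswith(";"):
            leaves.append((tuple(path), line[:-1]))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if path:
        raise ValueError("unclosed block: " + " / ".join(path))
    return leaves


def fail_open(leaves) -> List[Tuple[str, str, str]]:
    """Return (engine, profile, condition) for each fallback that permits traffic."""
    out = []
    for path, stmt in leaves:
        if (len(path) == 3 and path[1].startswith("profile ")
                and path[2] == "fallback-options"):
            cond, _, action = stmt.partition(" ")
            if action == "log-and-permit":
                out.append((path[0], path[1].split()[1], cond))
    return out


def limits(leaves) -> Dict[str, str]:
    """Map fallback conditions to the scan-options limit value that triggers them."""
    found = {}
    for path, stmt in leaves:
        key, _, value = stmt.partition(" ")
        if path and path[-1] == "scan-options" and key in LIMIT_FOR:
            found[LIMIT_FOR[key]] = value
    return found


def harden(leaves, new_profile: str, keep_open: Sequence[str] = ()) -> List[str]:
    """Emit set commands for a custom profile that blocks instead of permitting."""
    base = "set security utm feature-profile anti-virus"
    return [f"{base} {engine} profile {new_profile} fallback-options {cond} block"
            for engine, _, cond in fail_open(leaves) if cond not in keep_open]


if __name__ == "__main__":
    parsed = parse_junos(DEFAULTS)
    print("limits that trigger a fallback:", limits(parsed))
    print("\n".join(harden(parsed, "av-fail-closed", keep_open=("content-size",))))
```

The generated commands cover fallback-options only; the custom profile takes effect once the utm-policy references it in place of junos-av-defaults.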

How to delete expired SRX Kaspersky AV licenses
The expired paid licenses are the ones in the red box in the figure below:

Once a paid license has expired, the system keeps writing the following messages to the system log:
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333336" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333337" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333338" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333339" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS333340" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372087" has expired.
srx100 license-check[15503]: LICENSE_EXPIRED_KEY_DELETED: License key "JUNOS372088" has expired.
This became so annoying that we reluctantly deleted them by hand (as shown in the figure).





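We thought that was the end of it, but after booting the next day the same messages appeared in the system log again. A quick look at the license information showed that the deleted licenses were back. In the spirit of experimentation we deleted them once more, and after a reboot they were back again. We persisted and deleted them a third time, with the same result after the reboot, except that this time we noticed the following messages on the console during boot: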
Checking integrity of licenses:
  JUNOS221719.lic: Passed
  JUNOS333336.lic: Failed
  JUNOS333336.lic: Performing recovery
  JUNOS333336.lic: Recovered
  JUNOS333337.lic: Failed
  JUNOS333337.lic: Performing recovery
  JUNOS333337.lic: Recovered
  JUNOS333338.lic: Failed
  JUNOS333338.lic: Performing recovery
  JUNOS333338.lic: Recovered
  JUNOS333339.lic: Failed
  JUNOS333339.lic: Performing recovery
  JUNOS333339.lic: Recovered
  JUNOS333340.lic: Failed
  JUNOS333340.lic: Performing recovery
  JUNOS333340.lic: Recovered
  JUNOS372087.lic: Failed
  JUNOS372087.lic: Performing recovery
  JUNOS372087.lic: Recovered
  JUNOS372088.lic: Failed
  JUNOS372088.lic: Performing recovery
  JUNOS372088.lic: Recovered
  JUNOS985375.lic: Passed
  JUNOS985376.lic: Passed
  JUNOS985377.lic: Passed
  JUNOS985378.lic: Passed
  JUNOS985379.lic: Passed
  JUNOS985380.lic: Passed
  JUNOS985381.lic: Passed
Checking integrity of configuration:
  rescue.conf.gz: Passed
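We seem to have found the cause! A quick search online showed that autorecovery was the culprit.
After a factory reset, the status LED on the front panel of the Juniper SRX100/210 lights red. Entering the following command fixes this immediately and turns the status LED green.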
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>
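From the output we can see that it saves recovery information of three types: config, licenses and BSD label.
So what does this command do?
It turns out that Junos OS requires us to run this command in order to protect important files; otherwise the device keeps showing a red LED. We already know its effect: if you accidentally delete a protected file, it is restored during the next reboot.
Which files does it protect? We can run this command: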
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Saved                   Passed             None
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Saved                   Passed             None
  JUNOS333336.lic  Saved                   Passed             None
  JUNOS333337.lic  Saved                   Passed             None
  JUNOS333338.lic  Saved                   Passed             None
  JUNOS333339.lic  Saved                   Passed             None
  JUNOS333340.lic  Saved                   Passed             None
  JUNOS372087.lic  Saved                   Passed             None
  JUNOS372088.lic  Saved                   Passed             None
  JUNOS985375.lic  Saved                   Passed             None
  JUNOS985376.lic  Saved                   Passed             None
  JUNOS985377.lic  Saved                   Passed             None
  JUNOS985378.lic  Saved                   Passed             None
  JUNOS985379.lic  Saved                   Passed             None
  JUNOS985380.lic  Saved                   Passed             None
  JUNOS985381.lic  Saved                   Passed             None
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Saved                   Passed             None
  s2               Saved                   Passed             None
  s3               Saved                   Passed             None
  s4               Saved                   Passed             None
root@srx100>







This approach looks workable, so let's delete the unwanted licenses (see the figure at the start of this section).
root@PayDay# run show system license    <--This will give you the information regarding licenses
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  j-flow                                0            1           0    permanent
  bgp-reflection                        0            1           0    permanent

Licenses installed:
  License identifier: JUNOS201481 <--This is the license identifier
  License version: 2
  Valid for device: JN10E8E75ADD
  Features:
    bgp-reflection   - Border Gateway Protocol route reflection
      permanent
    j-flow           - J-FLOW traffic analysis (CFLOW reporting)
      permanent

root@PayDay> request system license delete JUNOS201481    <--This will remove the license

After deleting, check the state again:
root@srx100> show system autorecovery state | no-more
Configuration:
  File             Recovery Information    Integrity Check    Action / Status
  rescue.conf.gz   Not Saved               Not checked        Requires save
Licenses:
  File             Recovery Information    Integrity Check    Action / Status
  JUNOS221719.lic  Not Saved               Not checked        Requires save
  JUNOS985375.lic  Not Saved               Not checked        Requires save
  JUNOS985376.lic  Not Saved               Not checked        Requires save
  JUNOS985377.lic  Not Saved               Not checked        Requires save
  JUNOS985378.lic  Not Saved               Not checked        Requires save
  JUNOS985379.lic  Not Saved               Not checked        Requires save
  JUNOS985380.lic  Not Saved               Not checked        Requires save
  JUNOS985381.lic  Not Saved               Not checked        Requires save
BSD Labels:
  Slice            Recovery Information    Integrity Check    Action / Status
  s1               Not Saved               Not checked        Requires save
  s2               Not Saved               Not checked        Requires save
  s3               Not Saved               Not checked        Requires save
  s4               Not Saved               Not checked        Requires save
root@srx100>

Finally, we run the save option again:
root@srx100> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information
root@srx100>

After several reboot tests, the expired licenses deleted with the steps above no longer came back, which was a great relief...

For how to delete expired license keys, see the following link:

The steps for deleting expired paid licenses can be summarized as follows:
show system license
show system autorecovery state
request system autorecovery state clear
request system license delete JUNOS201481
show system autorecovery state
request system autorecovery state save
show system autorecovery state
show system license

But at this point the front-panel LED was still red, so we ran the following command:
root@srx100> show system alarms
2 alarms currently active
Alarm time               Class  Description
2018-04-01 12:44:21 UTC  Minor  Anti-Spam usage requires a license
2018-04-01 12:44:13 UTC  Minor  Kaspersky AV usage requires a license
root@srx100>

On inspection, the UTM statements for Kaspersky AV and related features were still present in the configuration, as follows:
security {
    utm {
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX240;
                        interval 120;
                    }
                }
            }
        }
        utm-policy custom-utm-policy {
            anti-virus {
                http-profile junos-av-defaults;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy web-access {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
        }
    }
}

So we ran the following commands to delete them:
root@srx100# delete security utm
root@srx100# delete security policies from-zone trust to-zone untrust policy web-access
root@srx100# commit
Finally the front panel returned to normal and the LED turned green!

All done!
