Detailed instructions for use are in the User's Guide.
[. . . ] IDP Series Release Notes IDP OS 5.1r1
February 8, 2011 Revision 01
Copyright © 2011, Juniper Networks, Inc.
Juniper Networks Intrusion Detection and Prevention Release Notes
Overview
Juniper Networks Intrusion Detection and Prevention Series devices enable you to enforce a security policy that leverages continuous security research by the Juniper Security Center to protect your network from attacks. The IDP Series also includes features that enable you to gather information about applications and servers in your network. These release notes contain information about what is included in this product release: supported features, unsupported features, changed features, known problems, and resolved problems. [. . . ] If you configured a rule to drop Telnet traffic, for example, all traffic running over the standard Telnet port (port 23) would be dropped. Improved accuracy detecting attacks in highly fragmented HTTP traffic.
436273
Logging / Packet Capture
274827 All formats: Corrected log messages when an IDP rulebase rule matches ICMP or UDP attacks and the rule action is set to close client and server. In previous releases, the log had reported the action specified in the rule--"close client and server". In this release, we now report the action actually taken by the IDP Series device--"drop connection".
Packet capture: You cannot use tcpdump to capture packets in both directions. In IDP OS Release 5.1, we support a new utility, called jnetTcpdump, that you can use to capture packets in both directions.
Changed threshold: When traffic through the IDP Series device exceeds session capacity, the device generates an event log and drops the traffic (if the constant for logging implicit drops is enabled). To avoid generating many logs around a similar event, the IDP Series device does not log additional instances until a threshold is reached. In this release, we have changed the delay threshold from 1024 to 100 instances.
Syslog: NIC state events reported in syslog messages had not indicated that the virtual router has returned to "Normal mode".
Syslog: Changes in link status (link down or link up) had not been reported in syslog messages.
NSM Profiler: Updates to Network Profile tab logs had lagged behind Protocol Profile tab logs.
NSM Log Viewer: Resolved an issue where variable data had not been displayed in the NSM Log Viewer collection.
SNMP: The SNMP trap jnxIdpSensorFreeDiskSpace had been generated when the disk space exceeded the threshold, but a downtrap had not been generated when it fell below the threshold.
SNMP: In IDP OS 5.0r2 release notes, we reported that we had changed the polling interval for SNMP traps and SNMP polling to five minutes to decrease latency and CPU utilization for single core platforms (IDP600, IDP200, IDP75), where the IDP engine, JNET driver, and control plane processes share the same CPU. For single core platforms, CPU utilization is reported at 5 seconds, 1 minute, and 5 minutes.
547870 Resolved an issue where the packet reassembly module had generated an inordinate number of logs for the same issue, leading to disk usage concerns.
392392
388321
429095
429097 430766
440475 493119
495852
Table 4: Resolved Issues (continued)
PR Description
CPU Utilization
474709 Resolved an issue where we had reported incorrect CPU utilization for single core platforms (IDP600, IDP200, IDP75). For single core platforms, you can now use the Linux top command to query CPU utilization. For multicore platforms, you use the scio idp-cpu-utilization command and not the Linux top command.
Resolved an issue where, if the IDP OS services were restarted while the device was processing traffic, the scio idp-cpu-utilization query returned 0 (an incorrect value).
Resolved an issue on IDP8200 where IDP engine CPU load had been incorrectly reported as 0%.
502048
552181
Stability
415604 423847 482866
Resolved an issue where the autorecovery feature had failed to restart an IDP engine in a hung state.
We have changed the timeout for a TCP session marked for flow bypass to 60 seconds (was 5 seconds).
[. . . ]
Lists predefined application signatures developed by J-Security Center.
Describes IDP Series hardware and provides instructions for installing, configuring, updating, and servicing the device.
A collection of topics from the IDP Series Administration Guide and IDP Series Concepts and Examples Guide, in HTML.
Provides procedures for completing IDP Series administration tasks with the Network and Security Manager (NSM) central management program; with the IDP Series device Appliance Configuration Manager (ACM); and with the IDP Series device command-line interface (CLI).
[. . . ]