Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep inspection expires and the device still has an old sigpack version. Since the NSM later on has newer ones, it marks the firewall with a yellow symbol. To have a consistent “green” view of all firewalls, the following steps can be done to remove the exclamation mark.

We have several Juniper ScreenOS devices managed by the Juniper Network and Security Manager (NSM). We have used the deep inspection feature on a few SSG550M firewalls but have stopped it a while ago. The following two figures depict this behaviour with the yellow exclamation marks. The first one is from the device list while the second one is from the cluster member (“NSM sigpack version is different from this version.”):

Ausrufezeichen Attack DB Device List

Ausrufezeichen Attack DB Member


–> The following steps are required to have the green checkmarks back:

On the device:

  1. Verify that there is a license key (though expired): get license-key
  2. Delete the license key: exec license-key delete di_db_key
  3. Verify that there is an attacks.sig file: get file
  4. Delete the file:  delete file flash:/attacks.sig
  5. Reboot the device (not sure if this is really needed): reset

On NSM: (Unfortunately it is required to delete and import the device completely)

  1. Delete the device (respectively both cluster members and the cluster)
  2. Add the device(s) to the NSM again

Now, the managed firewalls should be green again. Also note the “0” in the third column, which is the sigpack version that was non-zero before:

Ausrufezeichen Attack DB Device List weg

Leave a Reply

Your email address will not be published. Required fields are marked *