[j-nsp] Bulk updates to Netscreen 5400
All,

We have a (quite busy) netscreen 5400, which we occasionally need to make big policy updates to. It goes very slow if we paste in changes via the CLI, and we're not inclined to buy Netscreen Security Manager (or whatever it's called these days) because our reseller stiffed us on a promised upgrade, and the demo we had was anyway pretty underwhelming.

However - I have it on good authority that NSM merely uses a hidden CLI command to start commit bulk updates all at once, a bit like SQL, e.g.

    set mode bulk
    set address Trust ...
    ...100 more lines
    set mode bulk-commit

...or something like that.

Does anyone know what those magic commands are, if they really exist? Are there any caveats to using them?

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Bulk updates to Netscreen 5400
I would not suggest playing with that fire...

My personal suggestion to make bulk updates or update many configuration items at once would be to create the list of changes to a file and then tftp merge it into the configuration. It will go very fast and you can tell if anything errored out instantly. Merging part 1000 lines via tftp takes just 10-15 seconds.

Good luck,
-Tim Eberhard

On Fri, Jun 26, 2009 at 6:52 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> All,
>
> We have a (quite busy) netscreen 5400, which we occasionally need to make big policy updates to. It goes very slow if we paste in changes via the CLI, and we're not inclined to buy Netscreen Security Manager (or whatever it's called these days) because our reseller stiffed us on a promised upgrade, and the demo we had was anyway pretty underwhelming.
>
> However - I have it on good authority that NSM merely uses a hidden CLI command to start commit bulk updates all at once, a bit like SQL, e.g.
>
>     set mode bulk
>     set address Trust ...
>     ...100 more lines
>     set mode bulk-commit
>
> ...or something like that.
>
> Does anyone know what those magic commands are, if they really exist? Are there any caveats to using them?
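As an added example (not code from the thread, from Juniper, or from NSM): a small Python script that builds the change file Tim describes for a tftp merge, in the `set address` / `set policy` form ScreenOS itself writes when it saves a config, and refuses to emit anything if a policy references an address the file does not define in the right zone, since a half-applied merge on a busy firewall is the failure a practitioner wants to avoid. Zone names, object names and prefixes are constructed; the object-name rule is an assumption.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): (zone, name, prefix) and
# (src, dst, service, action) tuples to be turned into ScreenOS 'set' lines.
SAMPLE_ADDRESSES = [("Trust", "web-01", "10.10.1.10/32"),
                    ("Trust", "web-02", "10.10.1.11/32"),
                    ("Untrust", "db-net", "10.20.0.0/24")]
SAMPLE_POLICIES = [("web-01", "db-net", "SSH", "permit"),
                   ("web-02", "db-net", "HTTP", "permit")]

NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,31}$")   # conservative object-name rule (assumption)
ACTIONS = {"permit", "deny", "reject"}

def address_lines(addresses):
    """Emit 'set address <zone> <name> <ip> <mask>'; reject bad names, duplicates, host bits."""
    seen, lines = set(), []
    for zone, name, cidr in addresses:
        if not NAME_RE.match(name):
            raise ValueError(f"bad address name {name!r}")
        if (zone, name) in seen:
            raise ValueError(f"duplicate address {name!r} in zone {zone}")
        seen.add((zone, name))
        net = ipaddress.ip_network(cidr, strict=True)   # raises if host bits are set
        lines.append(f'set address "{zone}" "{name}" {net.network_address} {net.netmask}')
    return lines

def policy_lines(from_zone, to_zone, policies, defined):
    """Emit 'set policy from <z> to <z> <src> <dst> <svc> <action>'; src/dst must be
    'Any' or an address defined in the matching zone, so the merge cannot fail halfway."""
    lines = []
    for src, dst, service, action in policies:
        for zone, obj in ((from_zone, src), (to_zone, dst)):
            if obj != "Any" and (zone, obj) not in defined:
                raise ValueError(f"policy references undefined address {obj!r} in {zone}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        lines.append(f'set policy from "{from_zone}" to "{to_zone}" '
                     f'"{src}" "{dst}" "{service}" {action}')
    return lines

def build_merge_file(from_zone, to_zone, addresses, policies):
    """Addresses first, then the policies that use them: order matters for a one-pass merge."""
    defined = {(zone, name) for zone, name, _ in addresses}
    return "\n".join(address_lines(addresses)
                     + policy_lines(from_zone, to_zone, policies, defined)) + "\n"

if __name__ == "__main__":
    with open("bulk-changes.cfg", "w", newline="\n") as f:
        f.write(build_merge_file("Trust", "Untrust", SAMPLE_ADDRESSES, SAMPLE_POLICIES))
```

The resulting bulk-changes.cfg is the file you would put on the tftp server and merge; diffing it against `get config` output afterwards confirms every line took.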
Re: [j-nsp] Bulk updates to Netscreen 5400
Tim Eberhard wrote:
> I would not suggest playing with that fire...
>
> My personal suggestion to make bulk updates or update many configuration items at once would be to create the list of changes to a file and then tftp merge it into the configuration. It will go very fast and you can tell if anything errored out instantly. Merging part 1000 lines via tftp takes just 10-15 seconds.

Hmm. Interesting. I'll give that a go.
Re: [j-nsp] Bulk updates to Netscreen 5400
Phil Mayers wrote:
> Tim Eberhard wrote:
>> I would not suggest playing with that fire...
>>
>> My personal suggestion to make bulk updates or update many configuration items at once would be to create the list of changes to a file and then tftp merge it into the configuration. It will go very fast and you can tell if anything errored out instantly. Merging part 1000 lines via tftp takes just 10-15 seconds.
>
> Hmm. Interesting. I'll give that a go.

Sadly, that doesn't seem to help. The firewall still stops responding to pings, SNMP monitoring, other CLI sessions and so forth, even for small updates.

Thanks for the suggestion though.
Re: [j-nsp] Bulk updates to Netscreen 5400
On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
> However - I have it on good authority that NSM merely uses a hidden CLI command to start commit bulk updates all at once, a bit like SQL, e.g.
>
>     set mode bulk
>     set address Trust ...
>     ...100 more lines
>     set mode bulk-commit
>
> ...or something like that.
>
> Does anyone know what those magic commands are, if they really exist? Are there any caveats to using them?

I don't know the total sequence of commands, as I've never actually done this, but I think you're looking for exec config lock ...

--
Ross Vandegrift
r...@kallisti.us

If the fight gets hot, the songs get hotter.
If the going gets tough, the songs get tougher.
--Woody Guthrie
Re: [j-nsp] Bulk updates to Netscreen 5400
Ross Vandegrift wrote:
> On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
>> However - I have it on good authority that NSM merely uses a hidden CLI command to start commit bulk updates all at once, a bit like SQL, e.g.
>>
>>     set mode bulk
>>     set address Trust ...
>>     ...100 more lines
>>     set mode bulk-commit
>>
>> ...or something like that.
>>
>> Does anyone know what those magic commands are, if they really exist? Are there any caveats to using them?
>
> I don't know the total sequence of commands, as I've never actually done this, but I think you're looking for exec config lock ...

That seems to be it; ScreenOS throws me back out with a "NSM only!" error though, so I suspect you need to be a specially-provisioned NSM user for this :o(
Re: [j-nsp] Bulk updates to Netscreen 5400
On Fri, Jun 26, 2009 at 5:02 PM, Ross Vandegrift r...@kallisti.us wrote:
> On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
>> However - I have it on good authority that NSM merely uses a hidden CLI command to start commit bulk updates all at once, a bit like SQL

You can view the raw config file by issuing a get config datafile. I guess NSM is pushing such a file through the SSP connection established with the firewall. Don't know if you could do this manually.

If you have a heavily loaded cluster, I recommend to push policy changes to the backup unit of your cluster. By enabling NSRP config sync, changes will be replicated to the master.

HTH
Sidney