
Example: Configuring Intrusion Detection and Prevention for SRX Series

For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.

This example shows how to configure a security policy to enable IDP services for the first time on traffic flowing on the device.

Requirements

Before you begin, install or verify an intrusion detection and prevention (IDP) feature license. See Updating Licenses for a Branch SRX Series.

This example uses the following hardware and software components:

  • An SRX210
  • Junos OS Release 12.1X44-D10

Overview

In this example, you configure a security policy to enable IDP services on an SRX210 to inspect all traffic from the untrust zone to the DMZ zone using the IDP rulebases.

As a first step, you must download and install the signature database from the Juniper Networks website. Next, download and install the predefined IDP policy templates and activate the predefined policy Recommended as the active policy.

Next, you must create a security policy from the untrust zone to the DMZ zone and specify the actions to be taken on traffic that matches the conditions specified in the policy.

Configuration

Downloading and Installing the Signature Database

CLI Quick Configuration

CLI quick configuration is not available for this example because manual intervention is required during the configuration.

Step-by-Step Procedure

To configure an IDP policy:

  1. Download the signature database.
    [edit]
    user@host# run request security idp security-package download
    Will be processed in async mode. Check the status using the status checking CLI

    Note: Downloading the database might take some time depending on the database size and the speed of your Internet connection.

  2. Check the security package download status.
    [edit]
    user@host# run request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:2230(Mon Feb  4 19:40:13 2013 GMT-8, Detector=12.6.160121210)
    
  3. Install the attack database.
    [edit]
    user@host# run request security idp security-package install
    Will be processed in async mode. Check the status using the status checking CLI

    Note: Installing the attack database might take some time depending on the security database size.

  4. Check the attack database install status. The command output displays information about the downloaded and installed versions of the attack database.
    [edit]
    user@host# run request security idp security-package install status
    Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb  4 19:40:13 2013 GMT-8,Detector=12.6.160121210]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : successful
  5. Confirm your IDP security package version.
    [edit]
    user@host# run show security idp security-package-version
    Attack database version:2230(Mon Feb  4 19:40:13 2013 GMT-8)
      Detector version :12.6.160121210
      Policy template version :2230
    
  6. Download the predefined IDP policy templates.
    [edit]
    user@host# run request security idp security-package download policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
    
  7. Check the security package download status.
    [edit]
    user@host# run request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:2248
    
  8. Install the IDP policy templates.
    [edit]
    user@host# run request security idp security-package install policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
    
  9. Verify the installation status update.
    [edit]
    user@host# run request security idp security-package install status
    Done;policy-templates has been successfully updated into internal repository
    (=>/var/db/scripts/commit/templates.xsl)!
  10. Enable the templates.xsl scripts file. On commit, the Junos OS management process (mgd) looks in to templates.xsl and installs the required policy.
    [edit]
    user@host# set system scripts commit file templates.xsl
  11. Commit the configuration. The downloaded templates are saved to the Junos OS configuration database, and they are available in the CLI at the [edit security idp idp-policy] hierarchy level.
    [edit]
    user@host# commit
  12. Display the list of downloaded templates.
    [edit]
    user@host# set security idp active-policy ?
    Possible completions:
      (active-policy)      Set active policy
      DMZ_Services         
      DNS_Service          
      File_Server          
      Getting_Started      
      IDP_Default          
      Recommended          
      Web_Server           
      idp-engine
  13. Activate the predefined Recommended policy as the active policy.
    [edit]
    user@host# set security idp active-policy Recommended
  14. Confirm the active policy enabled on your device.
    [edit]
    user@host> show security idp active-policy
    active-policy Recommended;
    
  15. Create a security policy for the traffic from the untrust zone to the DMZ zone. In this step, you are creating an address set in the DMZ zone to group all HTTP server addresses together. In this example, you are applying security policies that can be used to inspect the traffic between the untrust zone and the DMZ zone.

    Note: Keep in mind the following points:

    • Security policy order on an SRX Series device is important, because Junos OS performs the policy lookup starting from the top of the list and stops at the first policy that matches the received traffic.
    • The SRX Series device allows you to enable IDP processing on a security policy on a rule-by-rule basis, instead of turning on IDP inspection across the device.
    • A security policy identifies what traffic is to be sent to the IDP engine, and then the IDP engine applies inspection based on the contents of that traffic. Traffic that matches a security policy in which IDP is not enabled completely bypasses IDP processing. Traffic that matches a security policy marked for IDP processing is handed off to the IDP engine.
    [edit]
    user@host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/24
    user@host# set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/24
    user@host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
    user@host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
    user@host# set security policies from-zone untrust to-zone DMZ policy P1 match source-address any
    user@host# set security policies from-zone untrust to-zone DMZ policy P1 match destination-address DMZ-address-set-http
    user@host# set security policies from-zone untrust to-zone DMZ policy P1 match application junos-http
  16. Specify the action to be taken on traffic that matches conditions specified in the security policy. The security policy action must be to permit the flow.
    [edit]
    user@host# set security policies from-zone untrust to-zone DMZ policy P1 then permit application-services idp

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security policies
from-zone untrust to-zone DMZ {
    policy P1 {
        match {
            source-address any;
            destination-address DMZ-address-set-http;
            application junos-http;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the IDP Configuration

Purpose

Verify that the IDP configuration is working properly.

Action

From operational mode, enter the show security idp status command.

user@host> show security idp status detail
 PIC : FPC 0 PIC 0:
State of IDP: Default,  Up since: 2013-01-22 02:51:15 GMT-8 (2w0d 20:30 ago)

Packets/second: 0               Peak: 0 @ 2013-02-05 23:06:20 GMT-8
KBits/second  : 0               Peak: 0 @ 2013-02-05 23:06:20 GMT-8
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2013-02-05 23:06:20 GMT-8]
  TCP: [Current: 0] [Max: 0 @ 2013-02-05 23:06:20 GMT-8]
  UDP: [Current: 0] [Max: 0 @ 2013-02-05 23:06:20 GMT-8]
  Other: [Current: 0] [Max: 0 @ 2013-02-05 23:06:20 GMT-8]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
ID    Name                   Sessions    Memory      Detector       
 0     Recommended            0           2233        12.6.160121210

Meaning

The sample output shows the Recommended predefined IDP policy as the active policy.
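As an added check that is not part of this Juniper example, the following Python script parses the outputs shown above (security-package-version, install status, active-policy, and the policy table from show security idp status detail) and reports any inconsistency: an install still running in async mode, an installed attack database that does not match the package version, an active policy other than Recommended, or the expected policy not loaded with the installed detector. The sample outputs are constructed copies of the ones on this page, and the function names are assumptions.

```python
import re
# Constructed samples that mirror the CLI outputs shown on this page.
PKG_VERSION = ("Attack database version:2230(Mon Feb  4 19:40:13 2013 GMT-8)\n"
               "  Detector version :12.6.160121210\n  Policy template version :2230\n")
INSTALL_STATUS = ("Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb  4 "
                  "19:40:13 2013 GMT-8,Detector=12.6.160121210]\n"
                  "Updating control-plane with new detector : successful\n"
                  "Updating data-plane with new attack or detector : successful\n")
ACTIVE_POLICY = "active-policy Recommended;\n"
IDP_STATUS = ("State of IDP: Default,  Up since: 2013-01-22 02:51:15 GMT-8 (2w0d 20:30 ago)\n"
              "ID    Name                   Sessions    Memory      Detector\n"
              " 0     Recommended            0           2233        12.6.160121210\n")

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_package_version(text):
    # Output of: show security idp security-package-version
    return {"attack_db": _grab(r"Attack database version:(\d+)", text),
            "detector": _grab(r"Detector version\s*:\s*([\d.]+)", text)}

def parse_install_status(text):
    # Output of: request security idp security-package install status
    return {"done": text.startswith("Done;"),
            "attack_db": _grab(r"UpdateNumber=(\d+)", text),
            "planes_ok": all(re.search(p + r".*: successful", text)
                             for p in ("control-plane", "data-plane"))}

def parse_loaded_policies(text):
    # Policy table at the end of: show security idp status detail
    rows = re.findall(r"^\s*\d+\s+(\S+)\s+\d+\s+\d+\s+([\d.]+)\s*$", text, re.M)
    return dict(rows)  # policy name -> detector version loaded on the PIC

def check_idp_ready(pkg_txt, install_txt, active_txt, status_txt, expected="Recommended"):
    """Return a list of problems; an empty list means the rollout is consistent."""
    pkg, inst = parse_package_version(pkg_txt), parse_install_status(install_txt)
    active = _grab(r"active-policy\s+(\S+);", active_txt)
    loaded = parse_loaded_policies(status_txt)
    problems = []
    if not (inst["done"] and inst["planes_ok"]):
        problems.append("attack database install not finished or failed")
    if inst["attack_db"] != pkg["attack_db"]:
        problems.append("installed attack DB %s != package %s" % (inst["attack_db"], pkg["attack_db"]))
    if active != expected:
        problems.append("active policy is %s, expected %s" % (active, expected))
    if loaded.get(expected) != pkg["detector"]:
        problems.append("%s not loaded with detector %s" % (expected, pkg["detector"]))
    return problems
```

Feed it the real command outputs captured from the device (for example over NETCONF or a scripted SSH session) and treat a non-empty list as a failed rollout before putting the policy in the traffic path.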

Modified: 2016-09-01