CLI Configuration

To configure DSCP values in an IDP policy:

  1. Create a policy by assigning a meaningful name to it. The following statement specifies policy1 as the policy name:
    user@host# set security idp idp-policy policy1
  2. Associate a rulebase with the policy. The following statement associates an IPS rulebase with policy1:
    user@host# set security idp idp-policy policy1 rulebase-ips
  3. Add rules to the rulebase. The following statement adds a rule R1 to the rulebase:
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1
  4. Define the match criteria for the rule. The following statements specify that any traffic from zone1 to zone2 that includes a predefined attack group Critical - HTTP matches the criteria for rule R1. The default application setting matches any application configured in the attack object.
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match from-zone zone1 to-zone zone2 source-address any destination-address any application default
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match attacks predefined-attack-group "Critical - HTTP"
  5. Specify an action for the rule. The following statement specifies that for all traffic matching the criteria defined for rule R1, the CoS field in the IP header is rewritten with the DSCP value 50:
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 then action mark-diffserv 50
  6. Continue to specify any notification or logging options for the rule, if required.
  7. Activate the policy. The following statement specifies policy1 as the active policy:
    user@host# set security idp active-policy policy1
  8. If you are finished configuring the router, commit the configuration.
  9. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
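
To confirm on the wire that traffic matching rule R1 leaves the device with DSCP 50, the DS byte of a captured packet can be decoded as shown below. This is an added example, not part of the JUNOS documentation; the function names and the sample packets are constructed for illustration, and the input is assumed to start at the IP header.

```python
import struct

EXPECTED_DSCP = 50  # value set by "mark-diffserv 50" in rule R1


def dscp_ecn(packet: bytes) -> tuple:
    """Return (DSCP, ECN) for a raw IPv4 or IPv6 packet starting at the IP header."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        ds_byte = packet[1]  # former ToS byte
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        # Traffic Class spans the low nibble of byte 0 and the high nibble of byte 1.
        ds_byte = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        raise ValueError("not an IP packet (version %d)" % version)
    # DSCP is the upper six bits of the DS byte; ECN is the lower two.
    return ds_byte >> 2, ds_byte & 0x03


def is_marked(packet: bytes, expected: int = EXPECTED_DSCP) -> bool:
    """True if the DSCP matches the configured value; ECN bits are ignored."""
    return dscp_ecn(packet)[0] == expected


def sample_ipv4(ds_byte: int) -> bytes:
    """Constructed 20-byte IPv4 header (documentation addresses, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 40, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def sample_ipv6(ds_byte: int) -> bytes:
    """Constructed 40-byte IPv6 header with zeroed flow label and addresses."""
    first_word = (6 << 28) | (ds_byte << 20)
    return struct.pack("!IHBB", first_word, 0, 6, 64) + bytes(32)


if __name__ == "__main__":
    for name, pkt in [("marked v4", sample_ipv4(0xC8)),
                      ("unmarked v4", sample_ipv4(0x00)),
                      ("marked v6", sample_ipv6(0xC8))]:
        print(name, dscp_ecn(pkt), "OK" if is_marked(pkt) else "not DSCP 50")
```

DSCP 50 occupies the upper six bits of the DS byte, so a marked packet shows 0xC8 in that byte when the ECN bits are zero.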