Example: Configuring DSCP Rules in an IDP Policy (CLI)

Configuring Differentiated Services code point (DSCP) values in Intrusion Detection and Prevention (IDP) policies provides a method of associating class-of-service (CoS) values—thus different levels of reliability—for different types of traffic on the network.

Before you begin:

  1. Configure network interfaces. See the JUNOS Software Interfaces Configuration Guide for Security Devices.
  2. Enable IDP application services in a security policy. See Example: Enabling IDP in a Security Policy (CLI).
  3. Create security zones. See Example: Creating Security Zones.
  4. Define rules. See Example: Inserting a Rule in the IDP Rulebase (CLI).

The configuration instructions in this topic describe how to create a policy called policy1, specify a rulebase for this policy, and then add a rule R1 to this rulebase. In this example, rule R1:

To configure DSCP values in an IDP policy:

  1. Create a policy by assigning a meaningful name to it. The following statement specifies policy1 as the policy name:
    user@host# set security idp idp-policy policy1
  2. Associate a rulebase with the policy. The following statement associates an intrusion prevention system (IPS) rulebase with policy1:
    user@host# set security idp idp-policy policy1 rulebase-ips
  3. Add rules to the rulebase. The following statement adds a rule R1 to the rulebase:
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1
  4. Define the match criteria for the rule. The following statements specify that any traffic from zone1 to zone2 that includes a predefined attack group Critical - HTTP matches the criteria for rule R1. The default application setting matches any application configured in the attack object.
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match from-zone zone1 to-zone zone2 source-address any destination-address any application default
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 match attacks predefined-attack-group "Critical - HTTP"
  5. Specify an action for the rule. The following statement specifies that for all traffic matching the criteria defined for rule R1, the CoS field in the IP header is rewritten with the DSCP value 50:
    user@host# set security idp idp-policy policy1 rulebase-ips rule R1 then action mark-diffserv 50
  6. Continue to specify any notification or logging options for the rule, if required.
  7. Activate the policy. The following specifies policy1 as the active policy:
    user@host# set security idp active-policy policy1
  8. If you are finished configuring the device, commit the configuration.
  9. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
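To make the effect of step 5 concrete, the following added example (not from this topic or from Junos) models what a `mark-diffserv 50` rewrite does to the IPv4 header: the 6-bit DSCP field in the type-of-service byte is replaced (50 becomes 0xC8 in the top six bits), the header checksum is recomputed, and everything else is untouched. The constructed sample addresses, the ECN-bit preservation and the 0-63 range check are assumptions of this example, not behaviour documented on this page.

```python
import struct
from typing import Tuple


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    """A header whose checksum is correct sums to zero under the same routine."""
    return ipv4_checksum(hdr) == 0


def build_ipv4_header(dscp: int, ecn: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying the given DS field (sample data)."""
    tos = (dscp << 2) | (ecn & 0x3)  # DSCP occupies bits 7..2, ECN bits 1..0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def read_dscp(hdr: bytes) -> Tuple[int, int]:
    """Return (dscp, ecn) from the type-of-service byte of an IPv4 header."""
    tos = hdr[1]
    return tos >> 2, tos & 0x3


def mark_diffserv(hdr: bytes, dscp: int) -> bytes:
    """Model of the IDP 'mark-diffserv' action: rewrite DSCP, keep ECN, fix checksum.

    Assumed behaviour: only the six DSCP bits change; ECN bits and all other
    header fields (addresses, TTL, protocol) are preserved.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in the range 0-63")
    tos = (dscp << 2) | (hdr[1] & 0x3)
    zeroed = hdr[:1] + bytes([tos]) + hdr[2:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]
```

Capturing traffic on the zone2 side after the rule is active and decoding byte 1 of the IP header with `read_dscp` is one way to confirm that matching flows really leave the device marked 50.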
