Understanding Predefined IDP Policy Templates
Juniper Networks provides predefined policy templates that you can use as a starting point for creating your own policies. Each template is set of rules of a specific rulebase type that you can copy and then update according to your requirements. These templates are available in the templates.xml file on a secured Juniper Networks website. To start using a template, you run a command from the CLI to download and copy this file to a /var/db/scripts/commit directory.
Each policy template contains rules that use the default actions associated with the attack objects. You should customize these templates to work on your network by selecting your own source and destination addresses and choosing IDP actions that reflect your security needs.
Table 58 summarizes the predefined IDP policy templates provided by Juniper Networks.
Table 58: Predefined IDP Policy Templates
Template Name | Description |
|---|---|
All With Logging | Includes all Attack Objects and enables packet logging for all rules. |
All Without Logging | Includes all Attack Objects but does not enable packet logging. |
DMZ Services | Protects a typical demilitarized zone (DMZ) environment. |
DNS Server | Protects Domain Name System (DNS) services. |
File Server | Protects file sharing services, such as Network File System (NFS), FTP, and others. |
Getting Started | Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy traffic live networks. |
IDP Default | Contains a good blend of security and performance. |
Recommended | Contains only the attack objects tagged as recommended by Juniper Networks. All rules have their Actions column set to take the recommended action for each attack object. |
Web Server | Protects HTTP servers from remote attacks. |
To use predefined policy templates:
- Download the policy templates from the Juniper Networks website.
- Install the policy templates.
- Enable the templates.xml script file. Commit scripts in the /var/db/scripts/commit directory are ignored if they are not enabled.
- Choose a policy template that is appropriate for you and customize it if you need to.
- Activate the policy that you want to run on the system.
Activating the policy might take a few minutes. Even after a commit
complete message is displayed in the CLI, the system might continue
to compile and push the policy to the dataplane.
Note: Occasionally, the compilation process might fail for a policy. In this case, the active policy showing in your configuration might not match the actual policy running on your device. Run the show security idp status command to verify the running policy. Additionally, you can view the IDP log files to verify the policy load and compilation status (see Verifying the Signature Database).
- Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Deactivating the statement adds an inactive tag to the statement, effectively commenting out the statement from the configuration. Statements marked inactive do not take effect when you issue the commit command.
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- IDP Policies Overview
- Understanding IDP Policy Rulebases
- Understanding IDP Policy Rules
- Downloading and Using Predefined IDP Policy Templates (CLI Procedure)