idp-policy (Security)
Syntax
idp-policy policy-name {
    rulebase-exempt {
        rule rule-name {
            description text;
            match {
                attacks {
                    custom-attack-groups [attack-group-name];
                    custom-attacks [attack-name];
                    dynamic-attack-groups [attack-group-name];
                    predefined-attack-groups [attack-group-name];
                    predefined-attacks [attack-name];
                }
                destination-address ([address-name] | any | any-ipv4 | any-ipv6);
                destination-except [address-name];
                from-zone (zone-name | any);
                source-address ([address-name] | any | any-ipv4 | any-ipv6);
                source-except [address-name];
                to-zone (zone-name | any);
            }
        }
    }
    rulebase-ips {
        rule rule-name {
            description text;
            match {
                application (application-name | any | default);
                attacks {
                    custom-attack-groups [attack-group-name];
                    custom-attacks [attack-name];
                    dynamic-attack-groups [attack-group-name];
                    predefined-attack-groups [attack-group-name];
                    predefined-attacks [attack-name];
                }
                destination-address ([address-name] | any | any-ipv4 | any-ipv6);
                destination-except [address-name];
                from-zone (zone-name | any);
                source-address ([address-name] | any | any-ipv4 | any-ipv6);
                source-except [address-name];
                to-zone (zone-name | any);
            }
            terminal;
            then {
                action {
                    class-of-service {
                        dscp-code-point number;
                        forwarding-class forwarding-class;
                    }
                    (close-client | close-client-and-server | close-server | drop-connection | drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);
                }
                ip-action {
                    (ip-block | ip-close | ip-notify);
                    log;
                    log-create;
                    refresh-timeout;
                    target (destination-address | service | source-address | source-zone | source-zone-address | zone-service);
                    timeout seconds;
                }
                notification {
                    log-attacks {
                        alert;
                    }
                    packet-log {
                        post-attack number;
                        post-attack-timeout seconds;
                        pre-attack number;
                    }
                }
                severity (critical | info | major | minor | warning);
            }
        }
    }
}
Hierarchy Level
[edit security idp]
[edit tenants tenant-name security idp]
Description
Configure a security IDP policy.
Options
policy-name—Name of the IDP policy.
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.2.
Starting with Junos OS Release 18.2R1, the IDP policy is assigned directly in the security policy rule. This simplifies IDP policy usage and allows multiple IDP policies to be active at the same time. As part of the session interest check, IDP is enabled if an IDP policy is present in any of the matched rules. An IDP policy is activated in a security policy by permitting it within the application services, using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command.
Because the IDP policy name is used directly in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.
Junos OS Release 18.2R1 adds further tags under the filters of dynamic attack groups (CVSS score, age-of-attack, file-type, vulnerability-type) for dynamic grouping of IDP signatures. The Product and Vendor tags were already supported under the existing products filter. The CLI for configuring these tags is more user friendly in Junos OS Release 18.2R1, with more options available for configuration.
Starting in Junos OS Release 18.3R1, with unified policies configured on an SRX Series Firewall, you can configure multiple IDP policies and set one of those policies as the default IDP policy.
If you have configured two or more IDP policies in a unified security policy, then you must configure the default IDP policy.
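The following set-format configuration is an added example, not taken from the Juniper reference page: it builds two IDP policies (a blocking policy with an exempt rule for an authorised scanner, and a detect-only policy), binds one of them per security policy rule through application-services as described above, and sets the default IDP policy that is mandatory once two or more IDP policies exist under unified policies. All names, zones and the 10.0.50.10/32 address are constructed; the predefined attack group name depends on the installed signature package, and lines beginning with # are annotations.

```junos
# Address-book entry referenced by the exempt rule (constructed value)
set security address-book global address vuln-scanner 10.0.50.10/32

# IDP policy 1: IPS rulebase; "recommended" applies the per-signature action from the signature package
set security idp idp-policy block-web-exploits rulebase-ips rule r1 description "Block critical HTTP attacks"
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match from-zone untrust
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match to-zone dmz
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match source-address any
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match destination-address any
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match application default
set security idp idp-policy block-web-exploits rulebase-ips rule r1 match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy block-web-exploits rulebase-ips rule r1 then action recommended
set security idp idp-policy block-web-exploits rulebase-ips rule r1 then notification log-attacks alert
set security idp idp-policy block-web-exploits rulebase-ips rule r1 then severity critical

# Exempt rulebase: suppress these signatures only for the authorised scanner host (exempt rules have no then clause)
set security idp idp-policy block-web-exploits rulebase-exempt rule skip-scanner match source-address vuln-scanner
set security idp idp-policy block-web-exploits rulebase-exempt rule skip-scanner match destination-address any
set security idp idp-policy block-web-exploits rulebase-exempt rule skip-scanner match attacks predefined-attack-groups "HTTP - Critical"

# IDP policy 2: detect-only, for segments where blocking is not yet approved
set security idp idp-policy monitor-only rulebase-ips rule r1 match source-address any
set security idp idp-policy monitor-only rulebase-ips rule r1 match destination-address any
set security idp idp-policy monitor-only rulebase-ips rule r1 match application default
set security idp idp-policy monitor-only rulebase-ips rule r1 match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy monitor-only rulebase-ips rule r1 then action no-action
set security idp idp-policy monitor-only rulebase-ips rule r1 then notification log-attacks

# Unified security policy rule: the IDP policy is bound per rule via application-services,
# which replaces the deprecated [edit security idp active-policy] statement
set security policies from-zone untrust to-zone dmz policy web-in match source-address any
set security policies from-zone untrust to-zone dmz policy web-in match destination-address any
set security policies from-zone untrust to-zone dmz policy web-in match application any
set security policies from-zone untrust to-zone dmz policy web-in match dynamic-application junos:HTTP
set security policies from-zone untrust to-zone dmz policy web-in then permit application-services idp-policy block-web-exploits

# Two IDP policies are configured, so a default IDP policy is required (Junos OS 18.3R1 and later)
set security idp default-policy monitor-only
```

Verify the binding after commit with show security policies detail (the IDP policy name appears under the rule's application services) and show security idp status, which lists the loaded IDP policies.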