
IDP for Logical Systems

date_range 28-Nov-23

An Intrusion Detection and Prevention (IDP) policy in logical systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series device. SRX Series devices offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. For more information, see the following topics:

IDP in Logical Systems Overview

A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system.

This topic includes the following sections:

IDP Policies

The primary administrator configures IDP policies at the root level. Configuring an IDP policy for logical systems is similar to configuring an IDP policy on a device that is not configured for logical systems. This can include the configuration of custom attack objects.

IDP policy templates installed in the root logical system are visible to, and used by, all logical systems.

The primary administrator then specifies an IDP policy in the security profile that is bound to a logical system. To enable IDP in a logical system, the primary administrator or user logical system administrator configures a security policy that defines the traffic to be inspected and specifies the permit application-services idp action.

Although the primary administrator can configure multiple IDP policies, a logical system can have only one active IDP policy at a time. For user logical systems, the primary administrator can either bind the same IDP policy to multiple user logical systems or bind a unique IDP policy to each user logical system. To specify the active IDP policy for the primary logical system, the primary administrator can either reference the IDP policy in the security profile that is bound to the primary logical system or use the active-policy configuration statement at the [edit security idp] hierarchy level.

The root administrator configures the maximum number of IDP sessions reserved for the root logical system and for each user logical system. The number of IDP sessions allowed for the root logical system is defined with the set security idp max-sessions max-sessions command, and the number of IDP sessions allowed for a user logical system is defined with the set security idp logical-system logical-system max-sessions max-sessions command.

Note:

A commit error is generated if an IDP policy is both configured in the security profile that is bound to the primary logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the primary logical system.

Note:

If you have configured more than one IDP policy in a security policy, then configuring a default IDP policy is mandatory.

A default IDP policy configuration is supported when multiple IDP policies are available. The default IDP policy is one of the multiple IDP policies. For more information about configuring multiple IDP policies and default IDP policy, see the IDP Policy Selection for Unified Policies.
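Added example (not Juniper's code): a Python check over set-style configuration lines that derives each logical system's IDP policy from its security-profile binding and flags the two conditions described above, a logical system bound to more than one IDP policy and the commit error raised when the primary logical system's policy is set both in its security profile and with active-policy. It assumes the root logical system is bound to a profile with a `root-logical-system` statement, and uses the profile and policy names from this page's examples.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ROOT = "root-logical-system"

# Set-style statements taken from this page's examples. Binding the root logical
# system to a profile with a `root-logical-system` statement is an assumption of
# this example; the page only says the profile is "applied to root-logical-system".
GOOD_CONFIG = [
    "set system security-profile master-profile root-logical-system",
    "set system security-profile master-profile idp-policy root-idp-policy",
    "set system security-profile ls-design-profile logical-system ls-product-design",
    "set system security-profile ls-design-profile idp-policy Recommended",
]
# Same bindings plus the second way of naming the primary logical system's policy.
BAD_CONFIG = GOOD_CONFIG + ["set security idp active-policy root-idp-policy"]

PROFILE_IDP = re.compile(r"^set system security-profile (\S+) idp-policy (\S+)$")
PROFILE_LSYS = re.compile(r"^set system security-profile (\S+) logical-system (\S+)$")
PROFILE_ROOT = re.compile(r"^set system security-profile (\S+) root-logical-system$")
ACTIVE_POLICY = re.compile(r"^set security idp active-policy (\S+)$")


def idp_policy_association(config: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (logical system -> IDP policy, findings).

    The mapping is what `show security idp logical-system policy-association`
    would report; findings are the configurations the page says a commit rejects.
    A user logical system whose profile names no IDP policy is left out: it would
    fall back to the default IDP policy, which this check does not model."""
    profile_policy: Dict[str, str] = {}
    profile_members: Dict[str, List[str]] = defaultdict(list)
    active: Optional[str] = None
    for raw in config:
        line = " ".join(raw.split())  # normalise whitespace
        if m := PROFILE_IDP.match(line):
            profile_policy[m[1]] = m[2]
        elif m := PROFILE_LSYS.match(line):
            profile_members[m[1]].append(m[2])
        elif m := PROFILE_ROOT.match(line):
            profile_members[m[1]].append(ROOT)
        elif m := ACTIVE_POLICY.match(line):
            active = m[1]
    assoc: Dict[str, str] = {}
    findings: List[str] = []
    for profile, members in profile_members.items():
        policy = profile_policy.get(profile)
        if policy is None:
            continue
        for lsys in members:
            # A logical system can have only one active IDP policy at a time.
            if lsys in assoc and assoc[lsys] != policy:
                findings.append(f"{lsys}: bound to more than one IDP policy "
                                f"({assoc[lsys]} and {policy}); only one may be active")
            assoc[lsys] = policy
    if active is not None:
        if ROOT in assoc:
            # Both methods used for the primary logical system: commit error.
            findings.append(f"commit error: primary logical system IDP policy is set both in "
                            f"its security profile ({assoc[ROOT]}) and with active-policy "
                            f"({active}); use only one method")
        else:
            assoc[ROOT] = active
    return assoc, findings
```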

The logical system administrator performs the following actions:

  • Configure multiple IDP policies and attach them to the firewall policies used by the user logical systems. If no IDP policy is configured for a user logical system, the default IDP policy configured by the primary administrator is used. The IDP policy is bound to the user logical system through a logical system security policy.

  • Create or modify IDP policies for their user logical systems. The IDP policies are bound to user logical systems. When an IDP policy is changed and the commit succeeds, existing sessions mapped to the current active policy continue to use the old IDP combined policy. When an IDP policy is changed and the commit fails, only the logical system user who initiated the commit is notified of the failure.

  • Create security zones in the user logical system and assign interfaces to each security zone. Zones that are specific to user logical systems cannot be referenced in IDP policies configured by the primary administrator. The primary administrator can reference zones in the primary logical system in an IDP policy configured for the primary logical system.

  • View the detected attack statistics, IDP counters, attack table, and policy commit status for the individual logical system using the commands show security idp counters, show security idp attack table, show security idp policies, show security idp policy-commit-status, and show security idp security-package-version.

Limitation

  • When an IDP policy is changed and compiled in a specific user logical system, the change is treated as a single global policy change and is compiled for all policies of all logical systems.

IDP Installation and Licensing for Logical Systems

An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any logical system on the device.

A single IDP security package is installed for all logical systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all logical systems.

Understanding IDP Features in Logical Systems

This topic includes the following sections:

Rulebases

A single IDP policy can contain only one instance of any type of rulebase. The following IDP rulebases are supported for logical systems:

  • The intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.

  • The application-level distributed denial-of-service (DDoS) rulebase defines parameters to protect servers such as DNS or HTTP. The application-level DDoS rulebase defines the source match condition for traffic that should be monitored and takes an action, such as dropping the connection, dropping the packet, or taking no action. It can also perform actions against future connections that use the same IP address.

Note:

Status monitoring for IPS and application-level DDoS is global to the device and not on a per logical system basis.

Protocol Decoders

The Junos IDP module ships with a set of preconfigured protocol decoders. These protocol decoders have default settings for various protocol-specific contextual checks that they perform. The IDP protocol decoder configuration is global and applies to all logical systems. Only the primary administrator at the root level can modify the settings at the [edit security idp sensor-configuration] hierarchy level.

SSL Inspection

IDP SSL inspection uses the Secure Sockets Layer (SSL) protocol suite to enable inspection of HTTP traffic encrypted in SSL.

SSL inspection configuration is global and applies to all logical systems on a device. SSL inspection can only be configured by the primary administrator at the root level with the ssl-inspection configuration statement at the [edit security idp sensor-configuration] hierarchy level.

Inline Tap Mode

The inline tap mode feature provides passive, inline detection of Application Layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to get to the next service module without waiting for IDP processing results.

Inline tap mode is enabled or disabled for all logical systems at the root level by the primary administrator. To enable inline tap mode, use the inline-tap configuration statement at the [edit security forwarding-process application-services maximize-idp-sessions] hierarchy level. Delete the inline tap mode configuration to switch the device back to regular mode.

Note:

The device must be restarted when switching to inline tap mode or back to regular mode.

Multi-Detectors

When a new IDP security package is received, it contains attack definitions and a detector. After a new policy is loaded, it is also associated with a detector. If the policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.

The version of the detector is common to all logical systems.

Logging and Monitoring

Status monitoring options are available to the primary administrator only. All status monitoring options under the show security idp and clear security idp CLI operational commands present global information, not per-logical-system information.

Note:

SNMP monitoring for IDP is not supported on logical systems.

IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.

The logical system identifier is added to the following types of IDP traffic processing logs:

  • Attack logs. The following example shows an attack log for the ls-product-design logical system:

    Feb 22 14:06:00 aqgpo1ifw01 RT_IDP: %-IDP_ATTACK_LOG_EVENT_LS: Lsys A01: IDP: At 1329883555, ANOMALY Attack log <10.1.128.200/33699->192.168.22.84/80> for TCP protocol and service HTTP application NONE by rule 4 of rulebase IPS in policy Policy1. attack: repeat=3, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:NSS-Mgmt:reth0.55->SIEM-MGMT:reth0.60, packet-log-id: 0 and misc-message

    Note:

    In the IDP attack detection event log message (IDP_ATTACK_LOG_EVENT_LS), the time-elapsed, inbytes, outbytes, inpackets, and outpackets fields are not populated.

  • IP action logs. The following example shows an IP action log for the ls-product-design logical system:

    Oct 13 16:56:04 8.0.0.254 RT_IDP: IDP_ATTACK_LOG_EVENT_LS: IDP: In ls-product-design at 1287014163, TRAFFIC Attack log <25.0.0.1/34802->15.0.0.1/21> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy Recommended. attack: repeat=0, action=TRAFFIC_IPACTION_NOTIFY, threat-severity=INFO, name=_, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:ls-product-design-trust:ge-0/0/1.0->ls-product-design-untrust:plt0.3, packet-log-id: 0 and misc-message -

  • Application DDoS logs. The following example shows an application DDoS log for the ls-product-design logical system:

    Oct 11 16:29:57 8.0.0.254 RT_IDP: IDP_APPDDOS_APP_ATTACK_EVENT_LS: DDOS Attack in ls-product-design at 1286839797 on my-http,
    <ls-product-design-untrust:ge-0/0/0.0:4.0.0.1:33738->ls-product-design-trust:ge-0/0/1.0:5.0.0.1:80> for TCP protocol and service HTTP by rule 1 of rulebase DDOS in policy Recommended. attack: repeats 0 action DROP threat-severity INFO, connection-hit-rate 0,  context-name http-url-parsed, hit-rate 6, value-hit-rate 6 time-scope PEER time-count 2  time-period 10 secs, context value:  ascii: /abc.html hex: 2f 61 62 63 2e 68 74 6d 6c
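Added example (not from the Juniper documentation): a Python parser for the three *_LS log formats shown above that attributes each event to its logical system, so a SIEM can give the per-tenant view that the device's global show security idp commands do not. It handles both spellings of the logical-system tag seen above (`Lsys A01:` and `in ls-product-design at ...`), classifies IP action logs by their TRAFFIC_IPACTION action, and skips the fields the note says are unpopulated; the sample input is the page's own three log lines, and the function and field names are this example's.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the three log lines shown on this page, embedded so the example runs offline.
SAMPLE_LOGS = [
    "Feb 22 14:06:00 aqgpo1ifw01 RT_IDP: %-IDP_ATTACK_LOG_EVENT_LS: Lsys A01: IDP: At 1329883555, ANOMALY Attack log "
    "<10.1.128.200/33699->192.168.22.84/80> for TCP protocol and service HTTP application NONE by rule 4 of rulebase IPS "
    "in policy Policy1. attack: repeat=3, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->0.0.0.0:0>, "
    "time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:NSS-Mgmt:reth0.55->SIEM-MGMT:reth0.60, "
    "packet-log-id: 0 and misc-message",
    "Oct 13 16:56:04 8.0.0.254 RT_IDP: IDP_ATTACK_LOG_EVENT_LS: IDP: In ls-product-design at 1287014163, TRAFFIC Attack log "
    "<25.0.0.1/34802->15.0.0.1/21> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS "
    "in policy Recommended. attack: repeat=0, action=TRAFFIC_IPACTION_NOTIFY, threat-severity=INFO, name=_, "
    "NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, "
    "intf:ls-product-design-trust:ge-0/0/1.0->ls-product-design-untrust:plt0.3, packet-log-id: 0 and misc-message - ",
    "Oct 11 16:29:57 8.0.0.254 RT_IDP: IDP_APPDDOS_APP_ATTACK_EVENT_LS: DDOS Attack in ls-product-design at 1286839797 "
    "on my-http, <ls-product-design-untrust:ge-0/0/0.0:4.0.0.1:33738->ls-product-design-trust:ge-0/0/1.0:5.0.0.1:80> "
    "for TCP protocol and service HTTP by rule 1 of rulebase DDOS in policy Recommended. attack: repeats 0 action DROP "
    "threat-severity INFO, connection-hit-rate 0,  context-name http-url-parsed, hit-rate 6, value-hit-rate 6 "
    "time-scope PEER time-count 2  time-period 10 secs, context value:  ascii: /abc.html hex: 2f 61 62 63 2e 68 74 6d 6c",
]

EVENT_RE = re.compile(r"RT_IDP:\s*(?:%-)?(?P<event>IDP_[A-Z_]+_LS):")
# Two spellings of the logical-system tag occur above: "Lsys <name>:" and "in <name> at <epoch>".
LSYS_RE = re.compile(r"Lsys (?P<a>[^:]+):|\b[Ii]n (?P<b>\S+) at \d+")
EPOCH_RE = re.compile(r"\b[Aa]t (?P<epoch>\d+)\b")
RULE_RE = re.compile(r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>.+?)\. attack:")
SEVERITY_RE = re.compile(r"threat-severity[= ](?P<sev>[A-Z]+)")
# Attack and IP action logs: <src/sport->dst/dport> followed by key=value fields.
FLOW_RE = re.compile(r"<(?P<src>[^/<>]+)/(?P<sport>\d+)->(?P<dst>[^/<>]+)/(?P<dport>\d+)>")
ATTACK_RE = re.compile(r"\baction=(?P<action>[^,]+),.*\bname=(?P<name>[^,]+),")
# Application DDoS logs: <szone:sif:src:sport->dzone:dif:dst:dport> and space-separated fields.
DDOS_FLOW_RE = re.compile(r"<(?P<szone>[^:<>]+):(?P<sif>[^:<>]+):(?P<src>[^:<>]+):(?P<sport>\d+)->"
                          r"(?P<dzone>[^:<>]+):(?P<dif>[^:<>]+):(?P<dst>[^:<>]+):(?P<dport>\d+)>")
DDOS_RE = re.compile(r"\bat \d+ on (?P<name>[^,]+),.*\baction (?P<action>\S+) threat-severity")


@dataclass
class IdpEvent:
    kind: str             # "attack", "ip-action" or "appddos"
    logical_system: str
    epoch: int
    src: str
    sport: int
    dst: str
    dport: int
    rule: int
    rulebase: str
    policy: str
    name: str             # attack object, or the protected application for AppDDoS
    action: str
    severity: str


def parse_idp_event(line: str) -> Optional[IdpEvent]:
    """Return an IdpEvent for an *_LS IDP log line, or None for any other line."""
    common = [r.search(line) for r in (EVENT_RE, LSYS_RE, EPOCH_RE, RULE_RE, SEVERITY_RE)]
    if not all(common):
        return None
    ev, ls, epoch, rule, sev = common
    if ev.group("event") == "IDP_APPDDOS_APP_ATTACK_EVENT_LS":
        flow, fields, kind = DDOS_FLOW_RE.search(line), DDOS_RE.search(line), "appddos"
    elif ev.group("event") == "IDP_ATTACK_LOG_EVENT_LS":
        flow, fields, kind = FLOW_RE.search(line), ATTACK_RE.search(line), "attack"
    else:
        return None
    if not (flow and fields):
        return None
    # IP action logs share the attack-log format; only the action value tells them apart.
    if fields.group("action").startswith("TRAFFIC_IPACTION"):
        kind = "ip-action"
    # time-elapsed, inbytes, outbytes, inpackets and outpackets are not populated in the
    # *_LS messages (see the note above), so they are deliberately not extracted.
    return IdpEvent(kind, ls.group("a") or ls.group("b"), int(epoch.group("epoch")),
                    flow.group("src"), int(flow.group("sport")), flow.group("dst"), int(flow.group("dport")),
                    int(rule.group("rule")), rule.group("rulebase"), rule.group("policy"),
                    fields.group("name"), fields.group("action"), sev.group("sev"))


def parse_all(lines: List[str]) -> List[IdpEvent]:
    return [e for e in map(parse_idp_event, lines) if e is not None]


def events_per_logical_system(events: List[IdpEvent]) -> Counter:
    """Per-logical-system counts; the device's show security idp commands only report globally."""
    return Counter(e.logical_system for e in events)


def detected_but_not_enforced(events: List[IdpEvent]) -> List[IdpEvent]:
    """Signature hits whose rule action was NONE, i.e. logged but not blocked."""
    return [e for e in events if e.kind == "attack" and e.action == "NONE"]
```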

Example: Configuring an IDP Policy for the Primary Logical System

This example shows how to configure an IDP policy in a primary logical system.

Requirements

Before you begin:

Overview

In this example you configure a custom attack that is used in an IDP policy. The IDP policy is specified in a security profile that is applied to the primary logical system. IDP is then enabled in a security policy configured in the primary logical system.

You configure the features described in Table 1.

Table 1: IDP Configuration for the Primary Logical System

Feature: Custom attack
Name: http-bf
Configuration parameters:

  • Severity critical

  • Detect three attacks between source and destination addresses of sessions.

  • Stateful signature attack type with the following characteristics:

    • location http-url-parsed

    • pattern .*juniper.*

    • client to server traffic

Feature: IPS rulebase policy
Name: root-idp-policy
Configuration parameters:

Match:

  • application default

  • http-bf custom attacks

Action:

  • drop-connection

  • notification log-attacks

Feature: Logical system security profile
Name: primary-profile (previously configured and applied to root-logical-system)
Configuration parameters: Add IDP policy root-idp-policy.

Feature: Security policy
Name: enable-idp
Configuration parameters: Enable IDP in a security policy that matches any traffic from the lsys-root-untrust zone to the lsys-root-trust zone.

Note:

A logical system can have only one active IDP policy at a time. To specify the active IDP policy for the primary logical system, the primary administrator can reference the IDP policy in the security profile that is bound to the primary logical system as shown in this example. Alternatively, the primary administrator can use the active-policy configuration statement at the [edit security idp] hierarchy level.

A commit error is generated if an IDP policy is both configured in the security profile that is bound to the primary logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the primary logical system.

Configuration

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp custom-attack http-bf severity critical
set security idp custom-attack http-bf time-binding count 3
set security idp custom-attack http-bf time-binding scope peer
set security idp custom-attack http-bf attack-type signature context http-url-parsed
set security idp custom-attack http-bf attack-type signature pattern .*juniper.*
set security idp custom-attack http-bf attack-type signature direction client-to-server

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    [edit]
    admin@host> configure
    admin@host# 
    
  2. Create the custom attack object and set the severity level.

    [edit security idp]
    admin@host# set custom-attack http-bf severity critical
    
  3. Configure attack detection parameters.

    [edit security idp]
    admin@host# set custom-attack http-bf time-binding count 3 
    admin@host# set custom-attack http-bf time-binding scope peer
    
  4. Configure stateful signature parameters.

    [edit security idp]
    admin@host# set custom-attack http-bf attack-type signature context http-url-parsed
    admin@host# set custom-attack http-bf attack-type signature pattern .*juniper.*
    admin@host# set custom-attack http-bf attack-type signature direction client-to-server
    
Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack http-bf command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
admin@host# show security idp custom-attack http-bf
severity critical;
time-binding {
    count 3;
    scope peer;
}
attack-type {
    signature {
        context http-url-parsed;
        pattern .*juniper.*;
        direction client-to-server;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy for the Primary Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy root-idp-policy rulebase-ips rule 1 match application default
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
set system security-profile master-profile idp-policy root-idp-policy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.

    [edit security idp]
    admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match application default
    admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
    
  2. Configure actions for the IDP policy.

    [edit security idp]
    admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
    admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
    
  3. Add the IDP policy to the security profile.

    [edit system security-profile master-profile]
    admin@host# set idp-policy root-idp-policy

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy root-idp-policy and show system security-profile master-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
admin@host# show security idp idp-policy root-idp-policy
rulebase-ips {
    rule 1 {
        match {
            application default;
            attacks {
                custom-attacks http-bf;
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
admin@host# show system security-profile master-profile
...
idp-policy root-idp-policy;

If you are done configuring the device, enter commit from configuration mode.

Enabling IDP in a Security Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match source-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match destination-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match application any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp then permit application-services idp

Step-by-Step Procedure

To enable IDP in a security policy:

  1. Create the security policy and configure match conditions.

    [edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
    admin@host# set policy enable-idp match source-address any
    admin@host# set policy enable-idp match destination-address any
    admin@host# set policy enable-idp match application any
    
  2. Enable IDP.

    [edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
    admin@host# set policy enable-idp then permit application-services idp
    
Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
admin@host# show security policies
from-zone lsys-root-untrust to-zone lsys-root-trust {
    policy enable-idp {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
...

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attack Matches

Purpose

Verify that attacks are being matched in network traffic.

Action

From operational mode, enter the show security idp attack table command.

admin@host> show security idp attack table
IDP attack statistics:
  Attack name                                 #Hits
  http-bf                                              1

Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System

The primary administrator can either download predefined IDP policies to the device or configure custom IDP policies at the root level using custom or predefined attack objects. The primary administrator is responsible for assigning an IDP policy to a user logical system. This example shows how to assign a predefined IDP policy to a user logical system.

Requirements

Before you begin:

Overview

The predefined IDP policy named Recommended contains attack objects recommended by Juniper Networks. All rules in the policy have their actions set to take the recommended action for each attack object. You add the Recommended IDP policy to the ls-design-profile, which is bound to the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set system security-profile ls-design-profile idp-policy Recommended

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To add a predefined IDP policy to a security profile for a user logical system:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    [edit]
    admin@host> configure
    admin@host# 
    
  2. Add the IDP policy to the security profile.

    [edit system security-profile]
    admin@host# set ls-design-profile idp-policy Recommended
    
Results

From configuration mode, confirm your configuration by entering the show security idp and show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
admin@host# show security idp
idp-policy Recommended {
    ...
}
[edit]
admin@host# show system security-profile ls-design-profile
policy {
    ...
}
idp-policy Recommended;
logical-system ls-product-design;

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify the IDP policy assigned to the logical system.

Action

From operational mode, enter the show security idp logical-system policy-association command. Ensure that the IDP policy in the security profile that is bound to the logical system is correct.

admin@host> show security idp logical-system policy-association
Logical system         IDP policy 
ls-product-design      Recommended

Example: Enabling IDP in a User Logical System Security Policy

This example shows how to enable IDP in a security policy in a user logical system.

Requirements

Before you begin:

Overview

In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

You enable IDP in a security policy that matches any traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone. Enabling IDP in a security policy directs matching traffic to be checked against the IDP rulebases.

Note:

This example uses the IDP policy configured and assigned to the ls-product-design user logical system by the primary administrator in Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match source-address any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match destination-address any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match application any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp then permit application-services idp

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a security policy to enable IDP in a user logical system:

  1. Log in to the logical system as the user logical system administrator and enter configuration mode.

    [edit]
    lsdesignadmin1@host:ls-product-design> configure
    lsdesignadmin1@host:ls-product-design#

  2. Configure a security policy that matches traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.

    [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
    lsdesignadmin1@host:ls-product-design# set policy enable-idp match source-address any
    lsdesignadmin1@host:ls-product-design# set policy enable-idp match destination-address any
    lsdesignadmin1@host:ls-product-design# set policy enable-idp match application any
    
  3. Configure the security policy to enable IDP for matching traffic.

    [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
    lsdesignadmin1@host:ls-product-design# set policy enable-idp then permit application-services idp
    
Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
lsdesignadmin1@host:ls-product-design# show security policies
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy enable-idp {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
    ...
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attack Matches

Purpose

Verify that attacks are being matched in network traffic.

Action

From operational mode, enter the show security idp attack table command.

admin@host> show security idp attack table
IDP attack statistics:
  Attack name                                 #Hits
  FTP:USER:ROOT                               1

Example: Configuring an IDP Policy for a User Logical System

This example shows how to configure and assign an IDP policy to a user logical system. After the IDP policy is assigned, traffic is sent from a client to verify that the configured custom attack is detected.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 18.3R1 and later

  • an SRX4200 device

Before you configure an IDP policy on a user logical system:

Overview

In this example, you configure a custom attack that is used in an IDP policy. The IDP policy is specified and enabled using a security policy configured in the user logical system.

Configuration

To configure IDP in a user logical system:

Configuring a user logical system

CLI Quick Configuration
Step-by-Step Procedure

To configure a user logical system:

  1. Configure a user logical system.

    [edit]
    user@host# set logical-system LSYS1

  2. Exit configuration mode and return to operational mode.

    user@host# exit

  3. Log in to the LSYS1 user logical system as the LSYS1 user and enter configuration mode.

    user@host> set cli logical-system LSYS1
    user@host:LSYS1> edit
    user@host:LSYS1#

Results

From configuration mode, confirm your configuration by entering the show logical-systems command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show logical-systems
    LSYS1 {
    }

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp custom-attack my-http severity info
set security idp custom-attack my-http attack-type signature protocol-binding application HTTP
set security idp custom-attack my-http attack-type signature context http-get-url
set security idp custom-attack my-http attack-type signature pattern .*test.*
set security idp custom-attack my-http attack-type signature direction any
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Log in to the user logical system as LSYS1 and enter configuration mode.

    [edit]
    user@host:LSYS1# 
    
  2. Create the custom attack object and set the severity level.

    [edit security idp]
    user@host:LSYS1# set custom-attack my-http severity info
    
  3. Configure stateful signature parameters.

    [edit security idp]
    user@host:LSYS1# set custom-attack my-http attack-type signature protocol-binding application HTTP
    user@host:LSYS1# set custom-attack my-http attack-type signature context http-get-url
    user@host:LSYS1# set custom-attack my-http attack-type signature pattern .*test.*
    user@host:LSYS1# set custom-attack my-http attack-type signature direction any
    
Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:LSYS1# show security idp custom-attack my-http
severity info;
    attack-type {
    signature {
        protocol-binding {
            application HTTP;
        }
        context http-get-url;
        pattern .*test.*;
        direction any;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy for the User Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.

    [edit security idp]
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
    
  2. Configure actions for the IDP policy.

    [edit security idp]
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
    user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
    
Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine and show system security-profile master-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:LSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks my-http;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Enabling IDP in a Security Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security policies from-zone z1 to-zone z2 policy p1 match source-address any 
set security policies from-zone z1 to-zone z2 policy p1 match destination-address any 
set security policies from-zone z1 to-zone z2 policy p1 match application any 
set security policies from-zone z1 to-zone z2 policy p1 then permit application-services idp-policy idpengine
Step-by-Step Procedure

To enable IDP in a security policy:

  1. Create the security policy and configure match conditions.

    [edit security policies from-zone z1 to-zone z2]
    user@host:LSYS1# set policy p1 match source-address any
    user@host:LSYS1# set policy p1 match destination-address any
    user@host:LSYS1# set policy p1 match application any
    
  2. Enable IDP.

    [edit security policies from-zone z1 to-zone z2]
    user@host:LSYS1# set policy p1 then permit application-services idp-policy idpengine
    
Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:LSYS1# show security policies
from-zone z1 to-zone z2 {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To send traffic and check for attack detection from the user logical system:

Verifying Attack Detection

Purpose

Verify that attack detection is happening for the custom attack.

Action

From operational mode, enter the show security idp policies command to confirm that the IDP policy is loaded, and then enter the show security idp attack table command.

user@host:LSYS1> show security idp policies
 PIC : FPC 0 PIC 0:
ID    Name                   Sessions    Memory      Detector
 1     idpengine              0           188584      12.6.130180509
user@host:LSYS1> show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  my-http                                      1

Meaning

The output displays the attacks detected for the custom attack that is configured in the IDP policy in the user logical system LSYS1.
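The verification step above is usually repeated after every policy change, so it is worth automating. The following Python is an added example (not Juniper code and not part of this documentation): it parses captured text of the two operational commands and reports whether the expected IDP policy is loaded and how many hits the custom attack has registered. The sample outputs are constructed to mirror the ones on this page; the FTP:USER:ROOT row is an extra constructed entry.

```python
"""Parse 'show security idp policies' and 'show security idp attack table'
output captured from an SRX logical system and check the expected state."""
import re

# Constructed sample output of 'show security idp policies' run in LSYS1.
POLICIES_OUTPUT = """\
 PIC : FPC 0 PIC 0:
ID    Name                   Sessions    Memory      Detector
 1     idpengine              0           188584      12.6.130180509
"""

# Constructed sample output of 'show security idp attack table' run in LSYS1.
ATTACK_TABLE_OUTPUT = """\
IDP attack statistics:

  Attack name                                  #Hits
  my-http                                      1
  FTP:USER:ROOT                                3
"""

# One loaded-policy row: numeric ID, name, sessions, memory, detector version.
# The header row starts with 'ID', not digits, so it does not match.
POLICY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
# One attack row: name followed by an integer hit count. The title and
# header lines have more tokens or no trailing integer, so they are skipped.
ATTACK_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")


def parse_idp_policies(text):
    """Return {policy_name: {'id', 'sessions', 'memory', 'detector'}}."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            policies[m.group(2)] = {"id": int(m.group(1)),
                                    "sessions": int(m.group(3)),
                                    "memory": int(m.group(4)),
                                    "detector": m.group(5)}
    return policies


def parse_attack_table(text):
    """Return {attack_name: hit_count} from the IDP attack statistics table."""
    return {m.group(1): int(m.group(2))
            for m in map(ATTACK_LINE.match, text.splitlines()) if m}


def verify_idp(policies_text, attack_text, policy_name, attack_name):
    """Return (policy_loaded, hits) for the expected policy and custom attack."""
    loaded = policy_name in parse_idp_policies(policies_text)
    return loaded, parse_attack_table(attack_text).get(attack_name, 0)


if __name__ == "__main__":
    loaded, hits = verify_idp(POLICIES_OUTPUT, ATTACK_TABLE_OUTPUT, "idpengine", "my-http")
    print(f"idpengine loaded: {loaded}, my-http hits: {hits}")
```

A hit count of 0 with the policy loaded usually means the test traffic did not match the configured context and pattern, not that IDP is inactive.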
