IDP for Tenant Systems
An Intrusion Detection and Prevention (IDP) policy in tenant systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through an SRX Series Firewall. The SRX Series Firewalls offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks.
Understanding IDP for Tenant Systems
A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.
This topic includes the following sections:
IDP Policies
Configuring IDP policies at the root level and at the tenant system level is similar. IDP policy templates configured at the root level are visible to, and usable by, all tenant systems. The primary administrator specifies an IDP policy in the security profile that is bound to a tenant system. To enable IDP in a tenant system, the primary administrator or the tenant system administrator configures a security policy that defines the traffic to be inspected and attaches the IDP policy to it at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name] hierarchy level.
The primary administrator can configure multiple IDP policies and a tenant system can have multiple IDP policies at a time. For tenant systems, the primary administrator can either bind the same IDP policy to multiple tenant systems or bind the necessary IDP policies to each tenant system. If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.
The primary administrator reserves the maximum number of IDP sessions for the primary logical system and for each tenant system. The number of IDP sessions allowed for the primary logical system is defined with the command set security idp max-sessions max-sessions, and the number of IDP sessions allowed for a tenant system is defined with the command set security idp tenant-system tenant-system max-sessions max-sessions.
The tenant system administrator performs the following actions:
Configure multiple IDP policies and attach them to the firewall policies used by the tenant system. If no IDP policy is configured for a tenant system, the default IDP policy configured by the primary administrator is used. The IDP policy is bound to the tenant system through a tenant system security policy.
Create or modify IDP policies for their tenant system. The IDP policies are bound to tenant systems. When an IDP policy is changed and the commit fails, only the tenant system that initiated the commit is notified of the failure.
The tenant system administrator can create security zones in the tenant system and assign interfaces to each security zone. Zones that are specific to tenant systems cannot be referenced in IDP policies configured by the primary administrator. The primary administrator can reference zones in the primary logical system in an IDP policy configured for the primary logical system.
View the detected attack statistics, IDP counters, attack table, and policy commit status for the individual tenant system with the commands show security idp counters, show security idp attack table, show security idp policies, show security idp policy-commit-status, and show security idp security-package-version.
View the same information for a tenant system from the root with the commands show security idp counters counter-name tenant tenant-name, show security idp attack table tenant tenant-name, show security idp policies tenant tenant-name, show security idp policy-commit-status tenant tenant-name, and show security idp security-package-version tenant tenant-name.
Limitation
IDP policy compilation in the Packet Forwarding Engine is done at the global level. A policy change made in any logical system or tenant system recompiles the policies of all logical systems and tenant systems, because IDP internally treats them as a single global policy.
A policy change made in any logical system or tenant system also clears the attack table of all logical systems and tenant systems. Record or export attack-table counts (show security idp attack table) before committing a policy change in any tenant if you still need them.
IDP Installation and Licensing for Tenant Systems
An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any tenant system on the device.
A single IDP security package is installed for all tenant systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all tenant systems.
Understanding IDP Features in Tenant Systems
This topic includes the following sections:
Rulebases
A single IDP policy can contain only one instance of any type of rulebase. The Intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies.
Status monitoring for IPS is global to the device and not on a per tenant system basis.
Multi-Detectors
When a new IDP security package is received, it contains attack definitions and a detector. After a new policy is loaded, it is also associated with a detector. If the policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.
The version of the detector is common to all tenant systems.
Logging and Monitoring
Status monitoring options are available to the primary administrator only. All status monitoring options under the show security idp and clear security idp CLI operational commands present global information, not per tenant system information.
SNMP monitoring for IDP is not supported on tenant systems.
Tenant systems support only stream mode for syslog; event mode is not supported.
IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.
The tenant system identification is added to the following types of IDP traffic processing logs. The tenant system name appears in the Lsys field and the event name carries the _LS suffix; key on these fields when splitting logs per tenant.
Attack logs. The following example shows an attack log for the TSYS1 tenant system:
<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy new. attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, name=FTP:USER:ROOT, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -
IP action logs. The following example shows an IP action log for the TSYS1 tenant system, followed by the AppTrack session-close log for the same flow:
<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW - - FLOW_IP_ACTION_LS: Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 from interface xe-4/0/0.0, from zone l1z1, action close.
<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW - - APPTRACK_SESSION_CLOSE_LS: Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: 4.0.0.1/51492->5.0.0.1/21 junos-ftp FTP UNKNOWN 4.0.0.1/51492->5.0.0.1/21 N/A N/A 6 l1z1-l1z2 l1z1 l1z2 50000058 6(287) 5(281) 6 N/A N/A No N/A N/A VR1 xe-4/0/1.0 0 0 Infrastructure File-Servers N/A N/A
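The per-tenant tagging above is what a SOC keys on when it routes stream-mode IDP logs to separate tenant collectors. The following parser is an added example, not code from the Junos documentation: it decodes the RFC 5424 header, extracts the Lsys (tenant) field and the attack or IP-action fields, and tallies hits per tenant and attack name. The sample records are constructed copies shaped like the TSYS1 examples on this page plus an invented TSYS2 record; the function names and field names are this example's own.

```python
"""Parse tenant-tagged IDP syslog records (stream mode) and tally them per tenant system.

Added example; not code from the Junos documentation. The sample records are
constructed copies shaped like the page's TSYS1 examples plus an invented TSYS2 record.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records (not live captures).
SAMPLE_LOGS: List[str] = [
    "<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: "
    "Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP "
    "protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy "
    "new. attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, "
    "name=FTP:USER:ROOT, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, "
    "packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -",
    "<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW - - FLOW_IP_ACTION_LS: "
    "Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 "
    "from interface xe-4/0/0.0, from zone l1z1, action close.",
    # Invented second tenant, to show the per-tenant split.
    "<14>1 2019-02-19T03:00:00+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: "
    "Lsys TSYS2: IDP: At 1550523600, SIG Attack log <10.1.1.5/40000->10.2.2.9/80> for TCP "
    "protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy "
    "idpengine. attack: id=0, repeat=0, action=DROP, threat-severity=INFO, name=my-http, "
    "NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, "
    "outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, "
    "username=N/A, roles=N/A and misc-message -",
    # Session-close record on the same flow; not an IDP event, so it must be skipped.
    "<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW - - APPTRACK_SESSION_CLOSE_LS: "
    "Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: "
    "4.0.0.1/51492->5.0.0.1/21 junos-ftp FTP UNKNOWN",
]

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME ...   PRI = facility * 8 + severity.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) ")

ATTACK_RE = re.compile(
    r"IDP_ATTACK_LOG_EVENT_LS: Lsys (?P<tenant>[^:]+): IDP: At (?P<epoch>\d+), "
    r"SIG Attack log <(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\w+) protocol and service (?P<service>\S+) application (?P<app>\S+) "
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\w+) in policy (?P<policy>\S+?)\. "
    r"attack: id=(?P<attack_id>\d+), repeat=(?P<repeat>\d+), action=(?P<action>\w+), "
    r"threat-severity=(?P<threat_severity>\w+), name=(?P<name>[^,]+),"
)

IP_ACTION_RE = re.compile(
    r"FLOW_IP_ACTION_LS: Lsys (?P<tenant>[^:]+): Flow IP action detected attack attempt:"
    r"(?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"from interface (?P<intf>[^,]+), from zone (?P<zone>[^,]+), action (?P<action>\w+)"
)


def parse_idp_event(line: str) -> Optional[Dict[str, object]]:
    """Return a flat dict for an IDP attack or IP-action record, or None for anything else."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    pri = int(head.group("pri"))
    base: Dict[str, object] = {
        "timestamp": head.group("ts"),
        "host": head.group("host"),
        "facility": pri // 8,   # <14> -> facility 1 (user), severity 6 (info)
        "severity": pri % 8,
    }
    m = ATTACK_RE.search(line)
    if m:
        return {**base, "kind": "attack", **m.groupdict()}
    m = IP_ACTION_RE.search(line)
    if m:
        return {**base, "kind": "ip-action", **m.groupdict()}
    return None


def events_by_tenant(lines: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group parsed events by the Lsys (tenant system) field, one bucket per tenant."""
    buckets: Dict[str, List[Dict[str, object]]] = {}
    for line in lines:
        event = parse_idp_event(line)
        if event is not None:
            buckets.setdefault(str(event["tenant"]), []).append(event)
    return buckets


def attack_hits(lines: List[str]) -> Counter:
    """Per-tenant hit count by attack name, the log-side analogue of the attack table."""
    hits: Counter = Counter()
    for line in lines:
        event = parse_idp_event(line)
        if event is not None and event["kind"] == "attack":
            hits[(event["tenant"], event["name"])] += 1
    return hits


if __name__ == "__main__":
    for tenant, events in sorted(events_by_tenant(SAMPLE_LOGS).items()):
        print(tenant, [(e["kind"], e.get("name", e.get("action"))) for e in events])
    print(attack_hits(SAMPLE_LOGS))
```

Because the attack table on the device is cleared by any tenant's policy commit (see Limitation), the log-side tally from attack_hits is the durable record; the AppTrack record is deliberately not parsed, since it is a flow event rather than an IDP verdict.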
Example: Configuring IDP Policies and Attacks for Tenant Systems
This example shows how to configure IDP policies and attacks for tenant systems.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall configured with the tenant systems.
Junos OS Release 19.2R1 and later releases.
Before you configure IDP policies and attacks for tenant systems, be sure you have:
Read Tenant Systems Overview to understand how this task fits into the overall configuration process.
Create tenant system TSYS1. See Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch.
Create security zones for tenant system TSYS1. See Example: Configuring Zones in the Tenant System.
Log in to the tenant system as the tenant system administrator. See Tenant System Configuration Overview.
Overview
In this example you configure IDP custom attacks, policies, a custom attack group, a predefined attack and attack group, and a dynamic attack group in the tenant system TSYS1.
Configuration
- Configuring a Custom Attack
- Configuring an IDP Policy
- Configuring Multiple IDP Policies with a Default IDP Policy
- Configuring IDP Custom Attack Group
- Configuring Pre-defined Attack and Attack Group
- Configuring IDP Dynamic Attack Group
Configuring a Custom Attack
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp custom-attack my-http severity info
set security idp custom-attack my-http attack-type signature protocol-binding application HTTP
set security idp custom-attack my-http attack-type signature context http-get-url
set security idp custom-attack my-http attack-type signature pattern .*testing.*
set security idp custom-attack my-http attack-type signature direction any
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a custom attack object:
Create the custom attack object and set the severity level.
[edit security idp]
user@host:TSYS1# set custom-attack my-http severity info
Configure stateful signature parameters.
[edit security idp]
user@host:TSYS1# set custom-attack my-http attack-type signature protocol-binding application HTTP
user@host:TSYS1# set custom-attack my-http attack-type signature context http-get-url
user@host:TSYS1# set custom-attack my-http attack-type signature pattern .*testing.*
user@host:TSYS1# set custom-attack my-http attack-type signature direction any
Results
From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp custom-attack my-http
severity info;
attack-type {
    signature {
        protocol-binding {
            application HTTP;
        }
        context http-get-url;
        pattern .*testing.*;
        direction any;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring an IDP Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an IDP policy:
Create the IDP policy and configure match conditions.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
Configure actions for the IDP policy.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks my-http;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Multiple IDP Policies with a Default IDP Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security idp default-policy idpengine1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure multiple IDP policies:
Create multiple IDP policies and configure match conditions.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
Configure security policies and attach IDP policies to them.
[edit security policies]
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match source-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match application any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
Configure a default IDP policy.
Note: If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.
[edit security idp] user@host:TSYS1# set default-policy idpengine1
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine, show security idp idp-policy idpengine1, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks HTTP:AUDIT:URL;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security idp idp-policy idpengine1
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security policies
from-zone l1z1 to-zone l1z2 {
    policy l1z1-l1z2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:FTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine1;
                }
            }
        }
    }
    policy 2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:HTTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
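Two constraints from this page are easy to get wrong when a tenant administrator pastes a set of commands: more than one idp-policy requires set security idp default-policy (see the note above and the IDP Policies section), and every idp-policy a security policy names must exist, either in the tenant candidate or as a root-level template. The following linter is an added example, not a Junos feature: it scans a block of set commands before commit and reports these problems. The sample configuration is trimmed from the commands above; the function name, the message wording, and the root-level-template warning are this example's own assumptions.

```python
"""Pre-commit lint for a tenant system's IDP-related `set` commands.

Added example, not Junos code. Encodes two rules stated on this page:
more than one idp-policy requires `set security idp default-policy`, and a
security policy may only name an idp-policy that exists (in this candidate
or as a root-level template visible to the tenant).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, trimmed from the page's multiple-IDP-policy example.
SAMPLE_CONFIG = """
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security idp default-policy idpengine1
"""

IDP_POLICY_RE = re.compile(r"^set security idp idp-policy (\S+) ")
DEFAULT_RE = re.compile(r"^set security idp default-policy (\S+)$")
CUSTOM_ATTACK_RE = re.compile(r"^set security idp custom-attack (\S+) ")
CUSTOM_REF_RE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule \S+ match attacks custom-attacks (\S+)$")
SP_REF_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit application-services idp-policy (\S+)$")


def lint_idp_config(set_commands: str) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for a block of `set` commands.

    Errors are conditions the page states will not commit; warnings are
    references this candidate cannot resolve on its own (they may resolve
    against root-level templates, which the tenant cannot see in its candidate).
    """
    policies: Set[str] = set()
    custom_attacks: Set[str] = set()
    default: Optional[str] = None
    policy_refs: List[Tuple[str, str]] = []   # (security policy, idp-policy)
    attack_refs: List[Tuple[str, str]] = []   # (idp-policy, custom attack)

    for raw in set_commands.splitlines():
        line = raw.strip()
        m = IDP_POLICY_RE.match(line)
        if m:
            policies.add(m.group(1))
        m = CUSTOM_ATTACK_RE.match(line)
        if m:
            custom_attacks.add(m.group(1))
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
        m = SP_REF_RE.match(line)
        if m:
            policy_refs.append((f"{m.group(1)}->{m.group(2)}/{m.group(3)}", m.group(4)))
        m = CUSTOM_REF_RE.match(line)
        if m:
            attack_refs.append((m.group(1), m.group(2)))

    errors: List[str] = []
    warnings: List[str] = []
    if len(policies) > 1 and default is None:
        errors.append(
            f"{len(policies)} idp-policies defined ({', '.join(sorted(policies))}) "
            "but no 'set security idp default-policy'; a default policy is mandatory here")
    if default is not None and default not in policies:
        warnings.append(
            f"default-policy '{default}' is not defined in this candidate; "
            "it must exist as a root-level template")
    for sp, ip in policy_refs:
        if ip not in policies:
            warnings.append(
                f"security policy {sp} references idp-policy '{ip}' that is not in this "
                "candidate; it must exist as a root-level template")
    for ip, ca in attack_refs:
        if ca not in custom_attacks:
            warnings.append(
                f"idp-policy '{ip}' references custom attack '{ca}' that is not defined here")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(lint_idp_config(SAMPLE_CONFIG))
```

Run it over the text you are about to paste; an empty errors list means the default-policy rule is satisfied, and each warning names a reference you should confirm exists at the root level before committing, since a failed tenant commit is reported only to the tenant that initiated it.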
Configuring IDP Custom Attack Group
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp custom-attack customftp severity warning
set security idp custom-attack customftp attack-type signature context ftp-username
set security idp custom-attack customftp attack-type signature pattern .*guest.*
set security idp custom-attack customftp attack-type signature direction client-to-server
set security idp custom-attack-group cust-group group-members customftp
set security idp custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
set security idp custom-attack-group cust-group group-members "FTP - Minor"
set security idp custom-attack-group cust-group group-members dyn1
set security idp dynamic-attack-group dyn1 filters category values HTTP
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure IDP custom attack group:
Create the IDP policy rule that matches the custom attack group.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
Configure the action and notification for the rule.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Configure the custom attack, the custom attack group, and the dynamic attack group that the custom attack group references.
[edit security idp]
user@host:TSYS1# set custom-attack customftp severity warning
user@host:TSYS1# set custom-attack customftp attack-type signature context ftp-username
user@host:TSYS1# set custom-attack customftp attack-type signature pattern .*guest.*
user@host:TSYS1# set custom-attack customftp attack-type signature direction client-to-server
user@host:TSYS1# set custom-attack-group cust-group group-members customftp
user@host:TSYS1# set custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
user@host:TSYS1# set custom-attack-group cust-group group-members "FTP - Minor"
user@host:TSYS1# set custom-attack-group cust-group group-members dyn1
user@host:TSYS1# set dynamic-attack-group dyn1 filters category values HTTP
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp
idp-policy idpengine {
    rulebase-ips {
        rule 1 {
            match {
                attacks {
                    custom-attack-groups cust-group;
                }
            }
            then {
                action {
                    no-action;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
custom-attack customftp {
    severity warning;
    attack-type {
        signature {
            context ftp-username;
            pattern .*guest.*;
            direction client-to-server;
        }
    }
}
custom-attack-group cust-group {
    group-members [ customftp ICMP:INFO:TIMESTAMP "FTP - Minor" dyn1 ];
}
dynamic-attack-group dyn1 {
    filters {
        category {
            values HTTP;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Pre-defined Attack and Attack Group
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the pre-defined attack and attack group:
Configure the pre-defined attack.
[edit security idp] user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
Configure the pre-defined attack group.
[edit security idp] user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. The action and notification shown were configured for rule 1 of this policy in the earlier sections.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            attacks {
                predefined-attacks FTP:USER:ROOT;
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring IDP Dynamic Attack Group
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp dynamic-attack-group dyn1 filters direction values server-to-client
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure IDP dynamic attack group:
Configure dynamic attack group parameter.
[edit security idp] user@host:TSYS1# set dynamic-attack-group dyn1 filters direction values server-to-client
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp
dynamic-attack-group dyn1 {
    filters {
        direction {
            values server-to-client;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verify IDP Policies and Commit Status
Purpose
Verify that the IDP policies and the commit status are displayed after policy compilation for the tenant system TSYS1.
Action
From operational mode, enter the show security idp policies command.
user@host:TSYS1> show security idp policies
  ID  Name        Sessions  Memory   Detector
   1  idpengine          0  186024   12.6.130180122
From operational mode, enter the show security idp policy-commit-status command.
user@host:TSYS1> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins//idp-policy-unified.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:2912 Bytes
Meaning
The output displays the IDP policy configured in the tenant system TSYS1 and the commit status information.
Verify IDP Attack Detection
Purpose
Verify that IDP attack detection is working for the tenant system TSYS1 and that the detected attack is displayed in the attack table.
Action
From operational mode, enter the show security idp attack table command.
user@host:TSYS1> show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  my-http                                      1
Meaning
The output displays the hits recorded for the custom attack configured in the tenant system TSYS1.
Verify IDP Counters
Purpose
Verify that one of the IDP counter sets (the flow counters) is displayed for the tenant system TSYS1.
Action
From operational mode, enter the show security idp counters flow command.
user@host:TSYS1> show security idp counters flow
IDP counters:

  IDP counter type                                                              Value
  Fast-path packets                                                                38
  Slow-path packets                                                                 1
  Session construction failed                                                       0
  Session limit reached                                                             0
  Session inspection depth reached                                                  0
  Memory limit reached                                                              0
  Not a new session                                                                 0
  Invalid index at ageout                                                           0
  Packet logging                                                                    0
  Policy cache hits                                                                 0
  Policy cache misses                                                               1
  Policy cache entries                                                              0
  Maximum flow hash collisions                                                      0
  Flow hash collisions                                                              0
  Gates added                                                                       0
  Gate matches                                                                      0
  Sessions deleted                                                                  1
  Sessions aged-out                                                                 0
  Sessions in-use while aged-out                                                    0
  TCP flows marked dead on RST/FIN                                                  1
  Policy init failed                                                                0
  Policy reinit failed                                                              0
  Number of times Sessions exceed high mark                                         0
  Number of times Sessions drop below low mark                                      0
  Memory of Sessions exceeds high mark                                              0
  Memory of Sessions drops below low mark                                           0
  SM Sessions encountered memory failures                                           0
  SM Packets on sessions with memory failures                                       0
  IDP session gate creation requests                                                0
  IDP session gate creation acknowledgements                                        0
  IDP session gate hits                                                             0
  IDP session gate timeouts                                                         0
  Number of times Sessions crossed the CPU threshold value that is set              0
  Number of times Sessions crossed the CPU upper threshold                          0
  Sessions constructed                                                              1
  SM Sessions ignored                                                               0
  SM Sessions dropped                                                               0
  SM Sessions interested                                                            2
  SM Sessions not interested                                                        0
  SM Sessions interest error                                                        0
  Sessions destructed                                                               1
  SM Session Create                                                                 1
  SM Packet Process                                                                38
  SM ftp data session ignored by idp                                                1
  SM Session close                                                                  1
  SM Client-to-server packets                                                      15
  SM Server-to-client packets                                                      23
  SM Client-to-server L7 bytes                                                     99
  SM Server-to-client L7 bytes                                                    367
  Client-to-server flows ignored                                                    0
  Server-to-client flows ignored                                                    0
  Server-to-client flows tcp optimized                                              0
  Client-to-server flows tcp optimized                                              0
  Both directions flows ignored                                                     1
  Fail-over sessions dropped                                                        0
  Sessions dropped due to no policy                                                 0
  IDP Stream Sessions dropped due to memory failure                                 0
  IDP Stream Sessions ignored due to memory failure                                 0
  IDP Stream Sessions closed due to memory failure                                  0
  IDP Stream Sessions accepted                                                      0
  IDP Stream Sessions constructed                                                   0
  IDP Stream Sessions destructed                                                    0
  IDP Stream Move Data                                                              0
  IDP Stream Sessions ignored on JSF SSL Event                                      0
  IDP Stream Sessions not processed for no matching rules                           0
  IDP Stream stbuf dropped                                                          0
  IDP Stream stbuf reinjected                                                       0
  Busy pkts from stream plugin                                                      0
  Busy pkts from pkt plugin                                                         0
  bad kpp                                                                           0
  Lsys policy id lookup failed sessions                                             0
  NGAppID Events with no L7 App                                                     0
  NGAppID Events with no active-policy                                              0
  NGAppID Detector failed from event handler                                        0
  NGAppID Detector failed from API                                                  0
  Busy packets                                                                      0
  Busy packet Errors                                                                0
  Dropped queued packets (async mode)                                               0
  Dropped queued packets failed(async mode)                                         0
  Reinjected packets (async mode)                                                   0
  Reinjected packets failed(async mode)                                             0
  AI saved processed packet                                                         0
  busy packet count incremented                                                     0
  busy packet count decremented                                                     0
  session destructed in pme                                                         0
  session destruct set in pme                                                       0
  kq op hold                                                                        0
  kq op drop                                                                        0
  kq op route                                                                       0
  kq op continue                                                                   37
  kq op error                                                                       0
  kq op stop                                                                        0
  PME wait not set                                                                  0
  PME wait set                                                                      0
  PME KQ run not called                                                             0
  IDP sessions ignored for content decompression in intel inspect mode              0
  IDP sessions ignored for bytes depth limit in intel inspect mode                  0
  IDP sessions ignored for protocol decoding in intel inspect mode                  0
  IDP sessions detected CPU usage crossed intel inspect CPU threshold               0
  IDP sessions detected mem drop below intel inspect low mem threshold              0
Meaning
The output displays the IDP flow counters for the tenant system TSYS1. The Session limit reached counter is the one to watch against the per-tenant max-sessions reservation; Lsys policy id lookup failed sessions indicates sessions that could not be matched to a tenant policy.