
IDP for Tenant Systems

28-Nov-23

An Intrusion Detection and Prevention (IDP) policy in tenant systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through an SRX Series Firewall. The SRX Series Firewalls offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks.

Understanding IDP for Tenant Systems

A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.

This topic includes the following sections:

IDP Policies

Configuring IDP policies at the root level and at the tenant system level is similar. IDP policy templates configured at the root level are visible to, and usable by, all tenant systems. The primary administrator specifies an IDP policy in the security profile that is bound to a tenant system. To enable IDP in a tenant system, the primary administrator or tenant system administrator configures a security policy that defines the traffic to be inspected and references the IDP policy at the permit application-services idp-policy idp-policy-name hierarchy level.

The primary administrator can configure multiple IDP policies and a tenant system can have multiple IDP policies at a time. For tenant systems, the primary administrator can either bind the same IDP policy to multiple tenant systems or bind the necessary IDP policies to each tenant system. If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.

The primary administrator reserves the maximum number of IDP sessions for the primary logical system and for each tenant system. The maximum number of IDP sessions allowed for the primary logical system is set with the command set security idp max-sessions max-sessions, and the maximum allowed for a tenant system is set with the command set security idp tenant-system tenant-system max-sessions max-sessions.

The tenant system administrator performs the following actions:

  • Configure multiple IDP policies and attach them to the firewall policies used by the tenant system. If no IDP policy is configured for a tenant system, the default IDP policy configured by the primary administrator is used. The IDP policy is bound to the tenant system through a tenant system security policy.

  • Create or modify IDP policies for their tenant system. The IDP policies are bound to tenant systems. When an IDP policy is changed and the commit fails, only the tenant system that initiated the commit is notified of the commit failure.

  • Create security zones in the tenant system and assign interfaces to each security zone. Zones that are specific to tenant systems cannot be referenced in IDP policies configured by the primary administrator. The primary administrator can reference zones in the primary logical system in an IDP policy configured for the primary logical system.

  • View the detected attack statistics, IDP counters, attack table, policy commit status, and security package version for the individual tenant system using the commands show security idp counters, show security idp attack table, show security idp policies, show security idp policy-commit-status, and show security idp security-package-version.

From the root, the same information is viewed for a given tenant system using the commands show security idp counters counters tenant tenant-name, show security idp attack table tenant tenant-name, show security idp policies tenant tenant-name, show security idp policy-commit-status tenant tenant-name, and show security idp security-package-version tenant tenant-name.

Limitation

  • IDP policy compilation in the Packet Forwarding Engine is done at the global level. Any policy change made for a logical system or a tenant system results in recompilation of the policies of all logical systems and tenant systems, because IDP internally treats them as a single global policy.

  • Any policy change made for a logical system or a tenant system clears the attack table of all logical systems and tenant systems.

IDP Installation and Licensing for Tenant Systems

An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any tenant system on the device.

A single IDP security package is installed for all tenant systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all tenant systems.

Understanding IDP Features in Tenant Systems

This topic includes the following sections:

Rulebases

A single IDP policy can contain only one instance of any type of rulebase. The intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.

Note:

Status monitoring for IPS is global to the device and not on a per tenant system basis.

Multi-Detectors

When a new IDP security package is received, it contains attack definitions and a detector. After a new policy is loaded, it is also associated with a detector. If the policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.

The version of the detector is common to all tenant systems.

Logging and Monitoring

Status monitoring options are available to the primary administrator only. All status monitoring options under the show security idp and clear security idp CLI operational commands present global information, not per-tenant-system information.

Note:
  • SNMP monitoring for IDP is not supported on tenant systems.

  • Tenant systems support only stream mode for syslog; event mode is not supported.

IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.

The tenant system identification is added to the following types of IDP traffic processing logs:

  • Attack logs. The following example shows an attack log for the TSYS1 tenant system:

    "<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP  - -  IDP_ATTACK_LOG_EVENT_LS: Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy new. attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, name=FTP:USER:ROOT, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -
  • IP action logs. The following example shows an IP action log for the TSYS1 tenant system:

    "<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW  - -  FLOW_IP_ACTION_LS: Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 from interface xe-4/0/0.0, from zone l1z1, action close.
    "<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW  - -  APPTRACK_SESSION_CLOSE_LS: Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: 4.0.0.1/51492->5.0.0.1/21 junos-ftp FTP UNKNOWN 4.0.0.1/51492->5.0.0.1/21 N/A N/A 6 l1z1-l1z2 l1z1 l1z2 50000058 6(287) 5(281) 6 N/A N/A No N/A N/A VR1 xe-4/0/1.0  0 0 Infrastructure File-Servers N/A N/A
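Because the "Lsys tenant-name:" tag is the only thing that separates one tenant's IDP events from another's on a shared SRX Series Firewall, a collector has to parse it before it can route or count events per tenant. The following Python parser is an added example, not Juniper code: it splits the syslog header from the event body, recognises the IDP_ATTACK_LOG_EVENT_LS and FLOW_IP_ACTION_LS message formats shown above, and summarises events per tenant. The sample lines are constructed from the logs above; the TSYS2 line, its attack id and its severity are assumed values added to show the per-tenant split.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the tenant-system attack log, IP action log
# and AppTrack log shown above. The TSYS2 line is constructed (assumed id/severity).
SAMPLE_LOGS = [
    '<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP  - -  IDP_ATTACK_LOG_EVENT_LS: Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy new. attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, name=FTP:USER:ROOT, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -',
    '<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW  - -  FLOW_IP_ACTION_LS: Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 from interface xe-4/0/0.0, from zone l1z1, action close.',
    '<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW  - -  APPTRACK_SESSION_CLOSE_LS: Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: 4.0.0.1/51492->5.0.0.1/21 junos-ftp FTP UNKNOWN 4.0.0.1/51492->5.0.0.1/21 N/A N/A 6 l1z1-l1z2 l1z1 l1z2 50000058 6(287) 5(281) 6 N/A N/A No N/A N/A VR1 xe-4/0/1.0  0 0 Infrastructure File-Servers N/A N/A',
    '<14>1 2019-02-19T03:00:00+05:30 4.0.0.254 pamba RT_IDP  - -  IDP_ATTACK_LOG_EVENT_LS: Lsys TSYS2: IDP: At 1550525400, SIG Attack log <4.0.0.9/40000->5.0.0.9/80> for TCP protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy idpengine. attack: id=1, repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -',
]

# Syslog header shared by the tenant-system (_LS) events: PRI, version, timestamp,
# host, app name, tag, the two "-" structured-data fields, then EVENT: Lsys <tenant>: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<tag>\S+)\s+-\s+-\s+"
    r"(?P<event>[A-Z_]+): Lsys (?P<tenant>[^:]+): (?P<body>.*)$"
)
# Fixed-position fields of an IDP attack log body; the key=value pairs follow it
ATTACK_RE = re.compile(
    r"SIG Attack log <(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\S+) protocol and service (?P<service>\S+) application (?P<application>\S+) "
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\."
)
KV_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val>[^,\s]+)")
# Body of a flow IP action log
IP_ACTION_RE = re.compile(
    r"attack attempt:(?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"from interface (?P<intf>\S+), from zone (?P<zone>\S+), action (?P<action>\w+)\."
)


def parse_line(line: str) -> Optional[dict]:
    """Return a flat dict for an IDP attack log or IP action log, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"tenant": m["tenant"], "event": m["event"], "timestamp": m["ts"], "host": m["host"]}
    body = m["body"]
    if m["event"] == "IDP_ATTACK_LOG_EVENT_LS":
        a = ATTACK_RE.search(body)
        if not a:
            return None
        event.update(a.groupdict())
        kv = dict(KV_RE.findall(body[a.end():]))  # id=, action=, threat-severity=, name=, ...
        event["attack_name"] = kv.get("name")
        event["severity"] = kv.get("threat-severity")
        event["idp_action"] = kv.get("action")
        event["alert"] = kv.get("alert")
        return event
    if m["event"] == "FLOW_IP_ACTION_LS":
        a = IP_ACTION_RE.search(body)
        if not a:
            return None
        event.update(a.groupdict())
        return event
    return None  # other _LS events (AppTrack, session logs) are not IDP events


def summarize(lines) -> dict:
    """Per-tenant counts of attack logs and IP actions plus the set of attack names seen."""
    summary = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        t = summary.setdefault(ev["tenant"], {"attacks": 0, "ip_actions": 0, "names": set()})
        if ev["event"] == "IDP_ATTACK_LOG_EVENT_LS":
            t["attacks"] += 1
            t["names"].add(ev["attack_name"])
        else:
            t["ip_actions"] += 1
    return summary


if __name__ == "__main__":
    for tenant, stats in summarize(SAMPLE_LOGS).items():
        print(tenant, stats)
```

The summary keys on the tenant name rather than on the device, which matters here because the attack table and counters shown later in this topic are cleared or recompiled globally whenever any tenant's policy changes; an external per-tenant log tally survives that.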
    

Example: Configuring IDP Policies and Attacks for Tenant Systems

This example shows how to configure IDP policies and attacks for tenant systems.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall configured with the tenant systems.

  • Junos OS Release 19.2R1 and later releases.

Before you configure IDP policies and attacks for tenant systems, be sure you have:

Overview

In this example you configure IDP custom attacks, policies, custom attack group, pre-defined attack and attack-group, and dynamic attack group in the tenant system TSYS1.

Configuration

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp custom-attack my-http severity info
set security idp custom-attack my-http attack-type signature protocol-binding application HTTP
set security idp custom-attack my-http attack-type signature context http-get-url
set security idp custom-attack my-http attack-type signature pattern .*testing.*
set security idp custom-attack my-http attack-type signature direction any
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Create the custom attack object and set the severity level.

    [edit security idp]
    user@host:TSYS1# set custom-attack my-http severity info
    
  2. Configure stateful signature parameters.

    [edit security idp]
    user@host:TSYS1# set custom-attack my-http attack-type signature protocol-binding application HTTP
    user@host:TSYS1# set custom-attack my-http attack-type signature context http-get-url
    user@host:TSYS1# set custom-attack my-http attack-type signature pattern .*testing.*
    user@host:TSYS1# set custom-attack my-http attack-type signature direction any
    
Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp custom-attack my-http
severity info;
    attack-type {
    signature {
        protocol-binding {
            application HTTP;
        }
        context http-get-url;
        pattern .*testing.*;
        direction any;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
    
  2. Configure actions for the IDP policy.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
    
Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks my-http;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Multiple IDP Policies with a Default IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security idp default-policy idpengine1
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure multiple IDP policies:

  1. Create multiple IDP policies and configure match conditions.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match source-address any
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then action no-action
    user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
    
  2. Configure security policies and attach IDP policies to them.

    [edit security policies]
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match source-address any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match application any
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
    user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
    
  3. Configure a default IDP policy.

    Note:

    If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.

    [edit security idp]
    user@host:TSYS1# set default-policy idpengine1
    
Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine, show security idp idp-policy idpengine1, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks HTTP:AUDIT:URL;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security idp idp-policy idpengine1
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security policies
from-zone l1z1 to-zone l1z2 {
    policy l1z1-l1z2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:FTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine1;
                }
            }
        }
    }
    policy 2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:HTTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.
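The rule stated earlier in this topic, that a default IDP policy is mandatory as soon as more than one IDP policy exists, is easy to lose when several administrators edit a tenant system. The following Python check is an added example, not Juniper code: it reads the set commands of the quick configuration above (embedded here as constructed input) and reports the misconfigurations a reviewer would want to catch before commit: more than one IDP policy without a default-policy, a default-policy or a security-policy binding that names an undefined IDP policy, a permit policy that carries no IDP policy at all (that traffic is not inspected), and an IDP policy that is defined but never bound. The regular expressions match only the set-command forms shown on this page.

```python
import re

# Constructed input: the set commands from the quick configuration above,
# trimmed to the lines the checks below look at.
TSYS1_CONFIG = """
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security idp default-policy idpengine1
"""

# Only the set-command shapes used on this page are recognised.
IDP_POLICY_RE = re.compile(r"^set security idp idp-policy (\S+)")
DEFAULT_RE = re.compile(r"^set security idp default-policy (\S+)$")
PERMIT_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit"
    r"(?: application-services idp-policy (\S+))?$"
)


def check_idp_config(text: str) -> list:
    """Return a list of findings for a block of set commands; an empty list means it passes."""
    policies, default, permits = set(), None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDP_POLICY_RE.match(line):
            policies.add(m.group(1))
        elif m := DEFAULT_RE.match(line):
            default = m.group(1)
        elif m := PERMIT_RE.match(line):
            # value is the bound IDP policy, or None for a plain "then permit"
            permits[(m.group(1), m.group(2), m.group(3))] = m.group(4)

    findings = []
    if len(policies) > 1 and default is None:
        findings.append(f"{len(policies)} IDP policies defined but no default-policy "
                        "(mandatory when more than one IDP policy is configured)")
    if default is not None and default not in policies:
        findings.append(f"default-policy {default} is not a defined IDP policy")
    for (fz, tz, name), idp in permits.items():
        if idp is None:
            findings.append(f"policy {name} ({fz}->{tz}) permits traffic without an IDP policy: not inspected")
        elif idp not in policies:
            findings.append(f"policy {name} ({fz}->{tz}) references undefined IDP policy {idp}")
    bound = set(permits.values()) | {default}
    for unused in sorted(policies - bound):
        findings.append(f"IDP policy {unused} is defined but never bound to a security policy")
    return findings


if __name__ == "__main__":
    for finding in check_idp_config(TSYS1_CONFIG) or ["no findings"]:
        print(finding)
```

Run it over the set commands before pasting them into the CLI; the quick configuration above passes, and dropping the default-policy line is enough to produce the first finding.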

Configuring IDP Custom Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp custom-attack customftp severity warning
set security idp custom-attack customftp attack-type signature context ftp-username
set security idp custom-attack customftp attack-type signature pattern .*guest.*
set security idp custom-attack customftp attack-type signature direction client-to-server
set security idp custom-attack-group cust-group group-members customftp
set security idp custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
set security idp custom-attack-group cust-group group-members "FTP - Minor"
set security idp custom-attack-group cust-group group-members dyn1
set security idp dynamic-attack-group dyn1 filters category values HTTP
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP custom attack group:

  1. Create the IDP policy and match the custom attack group in its rule.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
    
  2. Configure actions for the IDP policy.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
    
  3. Configure the custom attack signature, the custom attack group, and the dynamic attack group it includes.

    [edit security idp]
    user@host:TSYS1# set custom-attack customftp severity warning
    user@host:TSYS1# set custom-attack customftp attack-type signature context ftp-username
    user@host:TSYS1# set custom-attack customftp attack-type signature pattern .*guest.*
    user@host:TSYS1# set custom-attack customftp attack-type signature direction client-to-server
    user@host:TSYS1# set custom-attack-group cust-group group-members customftp
    user@host:TSYS1# set custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
    user@host:TSYS1# set custom-attack-group cust-group group-members "FTP - Minor"
    user@host:TSYS1# set custom-attack-group cust-group group-members dyn1
    user@host:TSYS1# set dynamic-attack-group dyn1 filters category values HTTP
    
Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp
idp-policy idpengine {
    rulebase-ips {
        rule 1 {
            match {
                attacks {
                    custom-attack-groups cust-group;
                }
            }
            then {
                action {
                    no-action;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
custom-attack customftp {
    severity warning;
    attack-type {
        signature {
            context ftp-username;
            pattern .*guest.*;
            direction client-to-server;
        }
    }
}
custom-attack-group cust-group {
    group-members [ customftp ICMP:INFO:TIMESTAMP "FTP - Minor" dyn1 ];
}
dynamic-attack-group dyn1 {
    filters {
        category {
            values HTTP;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Pre-defined Attack and Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the pre-defined attack and attack group:

  1. Configure the pre-defined attack.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
    
  2. Configure the pre-defined attack group.

    [edit security idp]
    user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
    
Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            attacks {
                predefined-attacks FTP:USER:ROOT;
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring IDP Dynamic Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security idp dynamic-attack-group dyn1 filters direction values server-to-client
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP dynamic attack group:

  1. Configure the dynamic attack group filter.

    [edit security idp]
    user@host:TSYS1# set dynamic-attack-group dyn1 filters direction values server-to-client
    
Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host:TSYS1# show security idp
dynamic-attack-group dyn1 {
    filters {
        direction {
            values server-to-client;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verify IDP Policies and Commit Status

Purpose

Verify that the IDP policies and the commit status are displayed after policy compilation for the tenant system TSYS1.

Action

From operational mode, enter the show security idp policies command.

user@host:TSYS1> show security idp policies
ID    Name                   Sessions    Memory      Detector
 1     idpengine              0           186024      12.6.130180122

From operational mode, enter the show security idp policy-commit-status command.

user@host:TSYS1> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins//idp-policy-unified.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:2912 Bytes

Meaning

The output displays the IDP policy configured in the tenant system TSYS1 and the commit status information.

Verify IDP Attack Detection

Purpose

Verify that the IDP attack detection is successful for the tenant system TSYS1 and displayed in the attack table.

Action

From operational mode, enter the show security idp attack table command.

user@host:TSYS1> show security idp attack table
IDP attack statistics:
  Attack name                                  #Hits
  my-http                                           1
Meaning

The output displays the attacks detected for the custom attack that is configured in the tenant system TSYS1.

Verify IDP Counters

Purpose

Verify that the IDP flow counters are displayed for the tenant system TSYS1.

Action

From operational mode, enter the show security idp counters flow command.

user@host:TSYS1> show security idp counters flow
IDP counters:

  IDP counter type                                                      Value
Fast-path packets                                                       38
Slow-path packets                                                       1
Session construction failed                                             0
Session limit reached                                                   0
Session inspection depth reached                                        0
Memory limit reached                                                    0
Not a new session                                                       0
Invalid index at ageout                                                 0
Packet logging                                                          0
Policy cache hits                                                       0
Policy cache misses                                                     1
Policy cache entries                                                    0
Maximum flow hash collisions                                            0
Flow hash collisions                                                    0
Gates added                                                             0
Gate matches                                                            0
Sessions deleted                                                        1
Sessions aged-out                                                       0
Sessions in-use while aged-out                                          0
TCP flows marked dead on RST/FIN                                        1
Policy init failed                                                      0
Policy reinit failed                                                    0
Number of times Sessions exceed high mark                               0
Number of times Sessions drop below low mark                            0
Memory of Sessions exceeds high mark                                    0
Memory of Sessions drops below low mark                                 0
SM Sessions encountered memory failures                                 0
SM Packets on sessions with  memory failures                            0
IDP session gate creation requests                                      0
IDP session gate creation acknowledgements                              0
IDP session gate hits                                                   0
IDP session gate timeouts                                               0
Number of times Sessions crossed the CPU threshold value that is set    0
Number of times Sessions crossed the CPU upper threshold                0
Sessions constructed                                                    1
SM Sessions ignored                                                     0
SM Sessions dropped                                                     0
SM Sessions interested                                                  2
SM Sessions not interested                                              0
SM Sessions interest error                                              0
Sessions destructed                                                     1
SM Session Create                                                       1
SM Packet Process                                                       38
SM ftp data session ignored by idp                                      1
SM Session close                                                        1
SM Client-to-server packets                                             15
SM Server-to-client packets                                             23
SM Client-to-server L7 bytes                                            99
SM Server-to-client L7 bytes                                            367
Client-to-server flows ignored                                          0
Server-to-client flows ignored                                          0
Server-to-client flows tcp optimized                                    0
Client-to-server flows tcp optimized                                    0
Both directions flows ignored                                           1
Fail-over sessions dropped                                              0
Sessions dropped due to no policy                                       0
IDP Stream Sessions dropped due to memory failure                       0
IDP Stream Sessions ignored due to memory failure                       0
IDP Stream Sessions closed due to memory failure                        0
IDP Stream Sessions accepted                                            0
IDP Stream Sessions constructed                                         0
IDP Stream Sessions destructed                                          0
IDP Stream Move Data                                                    0
IDP Stream Sessions ignored on JSF SSL Event                            0
IDP Stream Sessions not processed for no matching rules                 0
IDP Stream stbuf dropped                                                0
IDP Stream stbuf reinjected                                             0
Busy pkts from stream plugin                                            0
Busy pkts from pkt plugin                                               0
bad kpp                                                                 0
Lsys policy id lookup failed sessions                                   0
NGAppID Events with no L7 App                                           0
NGAppID Events with no active-policy                                    0
NGAppID Detector failed from event handler                              0
NGAppID Detector failed from API                                        0
Busy packets                                                            0
Busy packet Errors                                                      0
Dropped queued packets (async mode)                                     0
Dropped queued packets failed(async mode)                               0
Reinjected packets (async mode)                                         0
Reinjected packets failed(async mode)                                   0
AI saved processed packet                                               0
busy packet count incremented                                           0
busy packet count decremented                                           0
session destructed in pme                                               0
session destruct set in pme                                             0
kq op hold                                                              0
kq op drop                                                              0
kq op route                                                             0
kq op continue                                                          37
kq op error                                                             0
kq op stop                                                              0
PME wait not set                                                        0
PME wait set                                                            0
PME KQ run not called                                                   0
IDP sessions ignored for content decompression in intel inspect mode    0
IDP sessions ignored for bytes depth limit in intel inspect mode        0
IDP sessions ignored for protocol decoding in intel inspect mode        0
IDP sessions detected CPU usage crossed intel inspect CPU threshold     0
IDP sessions detected mem drop below intel inspect low mem threshold    0

Meaning

The output displays the IDP flow counter status for the tenant system TSYS1.
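The four checks in this Verification section can be scripted. The following is an added Python example (not Juniper code) that parses the command outputs shown above and returns a list of findings; it assumes the outputs have already been collected from the tenant system (for example over NETCONF or SSH, which is not shown) and that the policy and custom attack are named idpengine and my-http as in this example.

```python
import re

# Sample outputs copied from the verification section of this page (tenant system TSYS1).
POLICIES_OUT = """\
ID    Name                   Sessions    Memory      Detector
 1     idpengine              0           186024      12.6.130180122
"""
COMMIT_OUT = """\
IDP policy[/var/db/idpd/bins//idp-policy-unified.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:2912 Bytes
"""
ATTACKS_OUT = """\
IDP attack statistics:
  Attack name                                  #Hits
  my-http                                           1
"""
COUNTERS_OUT = """\
IDP counters:

  IDP counter type                                                      Value
Fast-path packets                                                       38
Policy cache misses                                                     1
Sessions dropped due to no policy                                       0
Lsys policy id lookup failed sessions                                   0
"""

def parse_policies(text):
    """'show security idp policies' table -> {policy name: detector version}."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit():   # skip the header row
            out[f[1]] = f[4]
    return out

def parse_name_value(text):
    """Rows of '<name>  <integer>' (attack table, counters) -> {name: int}."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s{2,}(\d+)\s*$", line)   # header rows have no integer
        if m:
            rows[m.group(1)] = int(m.group(2))
    return rows

def verify_tenant(policies, commit, attacks, counters, policy="idpengine", attack="my-http"):
    """Return a list of findings; an empty list means every check on this page passed."""
    findings = []
    if policy not in parse_policies(policies):
        findings.append(f"IDP policy {policy} is not compiled for this tenant system")
    if "loaded successfully" not in commit:
        findings.append("IDP policy or detector not loaded; check the commit status")
    if parse_name_value(attacks).get(attack, 0) == 0:
        findings.append(f"no hits recorded for custom attack {attack}")
    c = parse_name_value(counters)
    for key in ("Sessions dropped due to no policy", "Lsys policy id lookup failed sessions"):
        if c.get(key, 0) > 0:   # either counter rising means traffic bypassed the tenant's IDP policy
            findings.append(f"counter '{key}' is {c[key]}")
    return findings
```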
