SRX Getting Started - Quick Setup Guide for Configuring IDP on a SRX or J-Series device

Knowledge Base ID: KB16489
Last Updated: 21 Oct 2013
Version: 4.0

Summary:

This article describes the steps involved in configuring IDP on a SRX device.

For other topics, go to the SRX Getting Started main page.

Problem or Goal:

Configure IDP

Solution:
The basic configuration of IDP involves the following four tasks:

I.  Install IDP license

The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.
  1. First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 for more information. If you still need help, please contact Customer Care for subscription and licensing issues.

  2. Then, install the license on the SRX in one of two ways -- automatically or manually:

    a. Automatically:
    Confirm the SRX device has connectivity to the Internet. Then run the following command:
     root> request system license update

    OR

    b. Manually: 
    Licenses can also be loaded manually via JWeb, NSM, or using the CLI. The CLI command is as follows:

    root> request system license add terminal
    [Type ^D at a new line to end input,
    enter blank line between each license key]
    Paste the license key and press enter
    Type Ctrl+D

    The license key should be added successfully.

  3. Verify the license is installed using the command:
    root> show system license

    Check for feature 'idp-sig'.
NOTE: If running a Chassis Cluster, then the IDP license needs to be installed on both nodes.


II.  Download and install the Signature Database

After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps: 
  1. Confirm the device has the necessary configuration for connectivity to the Internet.

  2. Configure the signature database URL:

    root> edit
    root# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
    root# commit

  3. Check the version of the signature database on the sigdb server. Look for 'Successfully retrieved'. In this example, the version on the server is 1577.

    root> request security idp security-package download check-server
    Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:1577(Detector=10.2.160091104, Templates=2)

  4. Download the signature database:

    root> request security idp security-package download

  5. Verify the progress of the download:

    root> request security idp security-package download status

  6. Example output while the download is still in progress, and again once it has finished:

    root> request security idp security-package download status
    In progress:downloading file ...platforms.xml.gz

    root> request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:1586(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)


    Important:  When 'Successfully downloaded' is reported, proceed to the next step. If it is not successfully downloaded, the install will fail.

  7. Install the signature DB by running the command:

    root> request security idp security-package install

  8. This command loads the security package into the IDPD embedded DB. If there is an existing running policy, it re-compiles that policy and pushes the compiled policy to the data plane. Therefore, the install might take a while depending on the platform and the size of the policy; lower-end branch platforms might take longer.

  9. Monitor the status of the install with the command:

    root> request security idp security-package install status

    Done;Attack DB update : successful - [UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : successful

    The bracketed fields show the 'UpdateNumber' (the version installed), the 'ExportDate' (when the signature DB was released), and the 'Detector' version.

  10. Verify the version of the sigdb installed:

    root> show security idp security-package-version
    Attack database version:1577(Tue Jan 5 13:27:18 2010)
    Detector version :10.2.160091104
    Policy template version :2

III.  Configure Recommended Policy as the IDP Policy

Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies.  For getting started, it is recommended to use the predefined policy named 'Recommended':
  1. Load the predefined templates, and select the Recommended template as the Active IDP policy.  Refer to KB16490 for step by step instructions.

  2. Verify that the Active IDP Policy is 'Recommended'.  The Policy Name in the output below refers to the Active IDP Policy.

  3. Run the following command and check the Policy Name line:

    root> show security idp status

    Session Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
      Policy Name : Recommended v0

    Running Detector Version : 10.2.160091104


  4. Perform the instructions below in the next section: 'IV.  Enable a Security Policy for IDP inspection'.
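A check that a practitioner would want after completing sections II and III: parse the outputs of the three commands shown above (download check-server, show security idp security-package-version, show security idp status) and flag a device whose installed attack DB or detector lags the sigdb server, whose data plane runs a different detector than the one installed, or whose active policy is not Recommended. This is an added example, not part of the KB article or any Juniper tool; the sample outputs are constructed from the article's own example values.

```python
import re
# Constructed sample outputs in the shape the article shows (the article's example values, not live data).
CHECK_SERVER = """Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1577(Detector=10.2.160091104, Templates=2)"""
INSTALLED = """Attack database version:1577(Tue Jan 5 13:27:18 2010)
Detector version :10.2.160091104
Policy template version :2"""
IDP_STATUS = """Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  Policy Name : Recommended v0
Running Detector Version : 10.2.160091104"""

def server_version(text):
    """Attack DB number and detector advertised in 'download check-server' output."""
    if "Successfully retrieved" not in text:
        raise ValueError("check-server did not reach the sigdb server")
    m = re.search(r"Version info:(\d+)\(Detector=([\d.]+)", text)
    if not m:
        raise ValueError("no 'Version info' line in check-server output")
    return int(m.group(1)), m.group(2)

def installed_version(text):
    """Attack DB number and detector from 'show security idp security-package-version'."""
    db = re.search(r"Attack database version:(\d+)", text)
    det = re.search(r"Detector version\s*:\s*([\d.]+)", text)
    if not (db and det):
        raise ValueError("unexpected security-package-version output")
    return int(db.group(1)), det.group(1)

def idp_status(text):
    """Active policy name and running detector from 'show security idp status'."""
    pol = re.search(r"Policy Name\s*:\s*(.+)", text)
    det = re.search(r"Running Detector Version\s*:\s*([\d.]+)", text)
    return (pol.group(1).strip() if pol else None, det.group(1) if det else None)

def audit(check_server, installed, status, expected_policy="Recommended"):
    """Return findings as strings; an empty list means the device is current."""
    srv_db, srv_det = server_version(check_server)
    dev_db, dev_det = installed_version(installed)
    policy, run_det = idp_status(status)
    findings = []
    if dev_db < srv_db:
        findings.append(f"attack DB {dev_db} behind server {srv_db}")
    if dev_det != srv_det:
        findings.append(f"installed detector {dev_det} differs from server {srv_det}")
    if run_det != dev_det:
        findings.append(f"data plane runs detector {run_det}, installed is {dev_det}")
    if not policy or not policy.startswith(expected_policy):
        findings.append(f"active IDP policy is {policy!r}, expected {expected_policy}")
    return findings
```

Feed the script the real command outputs (for example captured over SSH) and schedule it after each signature update; a non-empty findings list means the install or policy activation did not complete as the article expects.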

IV.  Enable a Security Policy for IDP inspection

Once the IDP Policy is configured, IDP needs to be enabled on a security policy so that IDP inspection is performed.  This is done by permitting application-services while configuring a security policy.

For example, the following commands forward all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:

root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp

Purpose:
Configuration

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.