The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.
First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 for more information. If you still need help, please contact Customer Care for subscription and licensing issues.
Then, install the license on the SRX in one of two ways -- automatically or manually:
a. Automatically: Confirm the SRX device has connectivity to the Internet. Then run the following command:
root> request system license update
b. Manually: Licenses can also be loaded manually via JWeb, NSM, or using the CLI. The CLI command is as follows:
root> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
Paste the license key, press Enter, then type Ctrl+D.
The License key should be added successfully.
Verify the license is installed using the command:
root> show system license
Check for feature 'idp-sig'.
NOTE: If running a Chassis Cluster, then the IDP license needs to be installed on both nodes.
II. Download and install the Signature Database
After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps:
Confirm the device has the necessary configuration for connectivity to the Internet.
Configure the signature database URL:
root> edit
root# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
root# commit
Check the version of the signature database on the sigdb server. Look for 'Successfully retrieved' in the output. In this example, the version on the server is 1577.
The install command loads the security package into the IDPD embedded database. If there is an existing running policy, it recompiles that policy and pushes the compiled policy to the data plane. The install can therefore take a while, depending on the platform and the size of the policy; lower-end branch platforms may take longer.
Monitor the status of the install with the command:
root> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : successful
The 'UpdateNumber' field shows the version installed, 'ExportDate' the date the signature database was released, and 'Detector' the detector version.
Verify the version of the sigdb installed:
root> show security idp security-package-version
Attack database version:1577(Tue Jan 5 13:27:18 2010)
Detector version :10.2.160091104
Policy template version :2
Refer to KB16491 for instructions on how to schedule the signature database download for automatic updates.
Refer to TN83 for instructions on how to perform offline sigdb download.
For additional information on the IDP Signature Database, refer to the Security Configuration Guide, IDP Signature Database chapter.
III. Configure Recommended Policy as the IDP Policy
Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies. To get started, it is recommended to use the predefined policy named 'Recommended':
Load the predefined templates, and select the Recommended template as the Active IDP policy. Refer to KB16490 for step by step instructions.
Verify that the Active IDP Policy is 'Recommended'. The Policy Name in the output below refers to the Active IDP Policy.
root> show security idp status
Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
 Policy Name : Recommended v0
 Running Detector Version : 10.2.160091104
Then continue with the next section, 'IV. Enable a Security Policy for IDP inspection'.
Refer to KB15374 on how to verify if the IDP Policy was compiled and loaded successfully to the dataplane.
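The checks in sections II and III (install status and installed sigdb version, then the active policy) can be cross-checked rather than eyeballed. The following Python script is an added example, not part of this KB article or any Juniper tool; it parses the three command outputs shown above (constructed copies of them are embedded) and flags disagreements, for instance an installed attack database version that does not match the UpdateNumber of the last install.

```python
import re
# Constructed sample outputs modelled on the KB article's examples (not captured from a device).
INSTALL_STATUS = ("Done;Attack DB update : successful - [UpdateNumber=1581,"
                  "ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104] "
                  "Updating control-plane with new detector : successful "
                  "Updating data-plane with new attack or detector : successful")
PACKAGE_VERSION = ("Attack database version:1577(Tue Jan 5 13:27:18 2010)\n"
                   "Detector version :10.2.160091104\nPolicy template version :2\n")
IDP_STATUS = ("Session Statistics:\n [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]\n"
              " Policy Name : Recommended v0\n Running Detector Version : 10.2.160091104\n")

def parse_install_status(text):
    """'request security idp security-package install status': update number, detector, overall result."""
    m = re.search(r"UpdateNumber=(\d+).*?Detector=([\d.]+)", text)
    ok = text.startswith("Done") and "successful" in text and re.search(r"\bfail", text, re.I) is None
    return {"update_number": int(m.group(1)) if m else None,
            "detector": m.group(2) if m else None,
            "all_successful": ok}

def parse_package_version(text):
    """'show security idp security-package-version': installed attack DB and detector."""
    attack = re.search(r"Attack database version\s*:\s*(\d+)", text)
    det = re.search(r"Detector version\s*:\s*([\d.]+)", text)
    return {"attack_db": int(attack.group(1)) if attack else None,
            "detector": det.group(1) if det else None}

def parse_idp_status(text):
    """'show security idp status': active policy name and the detector running on the data plane."""
    pol = re.search(r"Policy Name\s*:\s*(\S+)", text)
    det = re.search(r"Running Detector Version\s*:\s*([\d.]+)", text)
    return {"policy": pol.group(1) if pol else None,
            "running_detector": det.group(1) if det else None}

def idp_findings(install_text, version_text, status_text, expected_policy="Recommended"):
    """Cross-check the three outputs; an empty list means install, version and active policy agree."""
    inst = parse_install_status(install_text)
    ver = parse_package_version(version_text)
    st = parse_idp_status(status_text)
    findings = []
    if not inst["all_successful"]:
        findings.append("last security-package install did not report success at every stage")
    if inst["update_number"] != ver["attack_db"]:
        findings.append(f"installed attack DB {ver['attack_db']} differs from last install UpdateNumber {inst['update_number']}")
    if ver["detector"] != st["running_detector"]:
        findings.append(f"running detector {st['running_detector']} differs from installed detector {ver['detector']}")
    if st["policy"] != expected_policy:
        findings.append(f"active IDP policy is {st['policy']!r}, expected {expected_policy!r}")
    return findings
```

On the article's own sample outputs the script reports exactly one finding, because the install status shows UpdateNumber 1581 while the installed attack database version is 1577; on a healthy device the two numbers agree and the list is empty.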
IV. Enable a Security Policy for IDP inspection
Once the IDP Policy is configured, IDP must be enabled on a security policy so that IDP inspection is performed. This is done by configuring 'permit application-services idp' in the then clause of the security policy.
For example, the following command forwards all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp