The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.
Please refer to KB16675 for details on obtaining and installing an IDP license for your SRX device.
II. Download and install the Signature Database
After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps:
Confirm the device has the necessary configuration for connectivity to the Internet.
Check the version of the signature database on the sigdb server with the command:
root> request security idp security-package download check-server
Look for 'Successfully retrieved' in the output. In this example, the version on the server is 1577.
The install command (request security idp security-package install) loads the security package into the IDPD embedded DB. If a policy is already running, it recompiles that policy and pushes the compiled policy to the data plane, so the install can take a while depending on the platform and the size of the policy. Lower-end branch platforms may take longer to install.
Monitor the status of the install with the command:
root> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : successful
The bracketed fields show the version that was installed (UpdateNumber), the date the signature database was released (ExportDate), and the detector version (Detector).
Verify the version of the sigdb installed:
root> show security idp security-package-version
Attack database version:1577(Tue Jan 5 13:27:18 2010)
Detector version :10.2.160091104
Policy template version :2
Refer to KB16491 for instructions on how to schedule the signature database download for automatic updates.
Refer to TN83 for instructions on how to perform offline sigdb download.
III. Configure Recommended Policy as the IDP Policy
Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies. To get started, use the predefined policy named 'Recommended':
Load the predefined templates, and select the Recommended template as the Active IDP policy. Refer to KB16490 for step by step instructions.
Verify that the Active IDP Policy is 'Recommended'. The Policy Name in the output below refers to the Active IDP Policy.
root> show security idp status
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : Recommended v0
Running Detector Version : 10.2.160091104
Next, perform the steps in the following section: 'IV. Enable a Security Policy for IDP inspection'.
Refer to KB15374 for how to verify that the IDP policy was compiled and loaded successfully to the data plane.
IV. Enable a Security Policy for IDP inspection
Once the IDP policy is configured, IDP must be enabled on a security policy so that IDP inspection is actually performed. This is done by including application-services idp in the permit action of the security policy.
For example, the following command forwards all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp
Once this is configured and traffic is flowing through the SRX, IDP inspection should be occurring. To verify, enter the command:
root> show security idp status
The command output should show non-zero counters, confirming that the IDP engine is seeing traffic.
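As an added example (not part of this article or of Juniper's own tooling), the following Python script parses the output of the install-status and idp-status commands quoted above and flags the conditions the article asks you to verify: the install reported success on every step, the active policy is 'Recommended', the running detector matches the installed one, and the IDP counters are non-zero. The sample outputs are constructed from the ones shown in this article.

```python
import re

# Constructed samples, copied from the command outputs quoted in this article.
INSTALL_STATUS = (
    "Done;Attack DB update : successful - [UpdateNumber=1581,"
    "ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]\n"
    "Updating control-plane with new detector : successful\n"
    "Updating data-plane with new attack or detector : successful\n"
)
IDP_STATUS = (
    "[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]\n"
    "Policy Name : Recommended v0\n"
    "Running Detector Version : 10.2.160091104\n"
)

def parse_install_status(text):
    """Extract UpdateNumber, ExportDate and Detector, plus whether every step reports 'successful'."""
    m = re.search(r"UpdateNumber=(\d+),ExportDate=([^,\]]+),Detector=([\d.]+)", text)
    if not m:
        return None
    steps = re.findall(r"(?:update|detector)\s*:\s*(\w+)", text)  # the three status lines
    return {"update": int(m.group(1)), "export_date": m.group(2), "detector": m.group(3),
            "ok": bool(steps) and all(s == "successful" for s in steps)}

def parse_idp_status(text):
    """Extract the per-protocol counters, active policy name and running detector version."""
    counters = {k: int(v) for k, v in re.findall(r"\[(\w+):\s*(\d+)\]", text)}
    policy = re.search(r"Policy Name\s*:\s*(\S+)", text)
    detector = re.search(r"Running Detector Version\s*:\s*([\d.]+)", text)
    return {"counters": counters, "policy": policy.group(1) if policy else None,
            "detector": detector.group(1) if detector else None}

def check_idp(install_text, status_text, expected_policy="Recommended"):
    """Return a list of findings; an empty list means the rollout looks healthy."""
    inst = parse_install_status(install_text)
    st = parse_idp_status(status_text)
    findings = []
    if inst is None or not inst["ok"]:
        findings.append("signature package install did not report success on every step")
    if st["policy"] != expected_policy:
        findings.append(f"active policy is {st['policy']!r}, expected {expected_policy!r}")
    if inst and st["detector"] != inst["detector"]:
        findings.append("running detector differs from the installed detector")
    if sum(st["counters"].values()) == 0:
        findings.append("all IDP counters are zero: no traffic is reaching the IDP engine")
    return findings

if __name__ == "__main__":
    print(check_idp(INSTALL_STATUS, IDP_STATUS) or ["IDP rollout looks healthy"])
```

Run against the article's own sample output it reports only the zero-counter finding, which is what you expect on a device that has not yet passed traffic through the policy from section IV.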