
[J/SRX] How to use predefined policy templates in an IDP policy in SRX and J Series devices


Article ID: KB16490 | KB Last Updated: 20 Sep 2019 | Version: 6.0
Summary:

This article provides information on how to use predefined policy templates in an IDP policy.

For other IDP-related articles on SRX and J Series devices, refer to KB16561 - SRX Getting Started - Configure and Troubleshoot IDP on an SRX or J Series device.

Symptoms:

There are several predefined signatures in the signature database.

  • How to start configuring an IDP policy? 

  • Is there a template that can be used as a starting point to configure an IDP policy?

Solution:

JWeb Configuration

Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website.

For versions up to, but not including, 12.3X48:

  1. Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website:
    1. Select Configure > Security > Policy > Define IDP Policy.
    2. Click the Template tab and select Download Template.
    3. Check the status by clicking the Check Status button.
       The policy templates are downloaded to the directory /var/db/idpd/sec-download/sub-download.
  2. After the template download has completed, install the templates:
    1. From the same page, click Template, then click Install Template.
    2. Check the policy installation by clicking the Check Status > Install Status button.
       The file will be installed into /var/db/scripts/commit/templates.xsl.
  3. Apply the template to the Junos OS config by selecting Template, then Load Template (commit not needed).
  4. After the template has been loaded, the predefined policy templates can be used. Go to Security > IDP > Policy to see the possible templates:

(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)

Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server

  5. You can set one of the predefined templates as the active policy, and also make changes to the policy. For example, to make the Recommended template the active IDP policy, do the following:
    1. Highlight the Recommended policy from the Policy List.
    2. Click the Activate button on the top right-hand side of the browser.
    3. When the policy is activated, you will see that there is an "Action" that needs to take place. Click Actions > Commit.

The IDP Policy Configuration page will now show the Recommended policy as "Active" with a green check mark next to it. Note that this does not mean that the policy has finished compiling from the commit. The only way to check this is with the operational command show security idp policy-commit-status from the CLI:

root@SRX650> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:7059856 Bytes
PCRE converted patterns: 1067 pcre:1 hw:0
 

For versions 12.3X48 and later:

  1. Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website:
    1. Select Configure > Security > IDP > Policy.
    2. Click the Template tab and select the Download Template item.
    3. Check the status by clicking the Check Status button.
       The policy templates are downloaded to the directory /var/db/idpd/sec-download/sub-download.
  2. After the template download has completed, install the templates:
    1. From the same page, click Template, then Install Template.
    2. Check the policy installation by clicking the Check Status > Install Status button.
       The file will be installed into /var/db/scripts/commit/templates.xsl.
  3. Apply the template to the Junos OS config, and then commit. From the page used in the previous step, click Template, then Load Template.
  4. Once the template has been loaded, the predefined policy templates can be used. Go to Security > IDP > Policy to see the possible templates.

(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)

Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server

  5. You can set one of the predefined templates as the active policy, and also make changes to the policy. For example, to make the Recommended template the active IDP policy, do the following:
    1. Highlight the Recommended policy from the Policy List.
    2. Click the Activate button on the top right-hand side of the browser.
    3. When the policy is activated, you will see that there is an "Action" that needs to take place. Click Actions > Commit.

The IDP Policy Configuration page will now show the Recommended policy as "Active" with a green check mark next to it. Note that this does not mean the policy has finished compiling from the commit. The only way to check this is with the operational command show security idp policy-commit-status from the CLI:

root@SRX650> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:7059856 Bytes
PCRE converted patterns: 1067 pcre:1 hw:0
 

CLI Configuration (All Versions)

  1. Download the latest IDP policy templates (such as "Recommended," "All with Logging") from the Juniper website by using the following command:
root@jSRX650> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
  2. Check the status with the request security idp security-package download status command:
root@SRX650> request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:2528
  3. Install the template file:
root@SRX650> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
  4. Check the installation status with the request security idp security-package install status command:
root@SRX650> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
  5. Commit the templates.xsl script to explode the policy templates (edit mode). Note that the security database must already be installed.
root@jSRX650# set system scripts commit file templates.xsl

[edit]
root@SRX650# commit
commit complete
  6. Once committed, the predefined templates can be used. Enter the following command to see the possible templates. You can set one of the predefined templates as the active policy, and also make changes to the policy.

(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)

root# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
 

For example, to make the Recommended template the active IDP policy, use the command:

root# set security idp active-policy Recommended
root# commit
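
After this commit, the same check described in the JWeb sections applies: only show security idp policy-commit-status confirms that the policy compiled and loaded. The following Python code is an added example, not part of the original article or of Juniper's tooling; it parses captured output of that command and confirms that the loaded policy file matches the policy set as active. The function names are hypothetical, the line format is assumed to match the output shown in this article, and the second sample is constructed.

```python
import re

# Line format taken from the "show security idp policy-commit-status" output
# shown in this article; other Junos releases may differ (assumption).
LOADED_RE = re.compile(
    r"IDP policy\[(?P<policy>[^\]]+)\]\s+and\s+detector\[(?P<detector>[^\]]+)\]"
    r"\s+loaded successfully"
)
SIZE_RE = re.compile(r"loaded policy size is:\s*(\d+)\s*Bytes")

# Output copied from this article.
SAMPLE_LOADED = (
    "IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and "
    "detector[/var/db/idpd/sec-repository/installed-detector/"
    "libidp-detector.so.tgz.v] loaded successfully.\n"
    "The loaded policy size is:7059856 Bytes\n"
    "PCRE converted patterns: 1067 pcre:1 hw:0\n"
)
# Constructed sample: same format, but a different template is still loaded.
SAMPLE_OTHER = SAMPLE_LOADED.replace("Recommended", "Getting_Started")


def parse_commit_status(output):
    """Return the loaded policy name, file paths and size, or None."""
    m = LOADED_RE.search(output)
    if m is None:
        return None
    # /var/db/idpd/bins/Recommended.bin.gz.v -> Recommended
    filename = m.group("policy").rsplit("/", 1)[-1]
    name = re.sub(r"\.bin\.gz\.v$", "", filename)
    size = SIZE_RE.search(output)
    return {
        "policy": name,
        "policy_file": m.group("policy"),
        "detector_file": m.group("detector"),
        "size_bytes": int(size.group(1)) if size else None,
    }


def active_policy_loaded(output, expected_policy):
    """Return (ok, reason) for the policy named in 'active-policy'."""
    status = parse_commit_status(output)
    if status is None:
        return False, "no 'loaded successfully' line in output"
    if status["policy"] != expected_policy:
        return False, "loaded policy is %s, not %s" % (status["policy"], expected_policy)
    return True, "%s loaded (%s bytes)" % (expected_policy, status["size_bytes"])
```
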

Modification History:

2019-09-20: Article checked for accuracy, broken links fixed, formatting fixed
