This article provides information on how to use predefined policy templates in an IDP policy.
For other IDP-related articles on SRX and J Series devices, refer to KB16561 - SRX Getting Started - Configure and Troubleshoot IDP on an SRX or J Series device.
There are several predefined signatures in the signature database.
JWeb Configuration
Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website.
For versions up to, but not including 12.3X48:
- Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website:
- Select Configure > Security > Policy > Define IDP Policy.
- Click the Template tab and select Download Template.
- Check the status by clicking the Check Status button.
The policy templates are downloaded to the directory /var/db/idpd/sec-download/sub-download.
- After the template download has completed, install the templates:
- From the same page, click Template, then click Install Template.
- Check the policy installation by clicking the Check Status > Install Status button.
The file will be installed into /var/db/scripts/commit/templates.xsl.
- Apply the template to the Junos OS config by selecting Template, then Load Template (commit not needed).
- After the template has been loaded, the predefined policy templates can be used. Go to Security > IDP > Policy to see the possible templates:
(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
- You can set one of the predefined templates as the active policy, and also make changes to the policy. For example, to make the Recommended template the active IDP policy, do the following:
- Highlight the Recommended policy from the Policy List.
- Click the Activate button on the top right-hand side of the browser.
- When the policy is activated, you will see that there is an "Action" that needs to take place. Click Actions > Commit.
The IDP Policy Configuration page will now show the Recommended policy as "Active" with a green check mark next to it. Note that this does not mean that the policy has finished compiling from the commit. The only way to check this is with the operational command show security idp policy-commit-status from the CLI:
root@SRX650> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:7059856 Bytes
PCRE converted patterns: 1067 pcre:1 hw:0
For versions 12.3X48 and later:
- Download the latest IDP policy templates (such as "Recommended," "All with Logging," and so on) from the Juniper website:
- Select Configure > Security > IDP > Policy.
- Click the Template tab and select the Download Template item.
- Check the status by clicking the Check Status button.
The policy templates are downloaded to the directory /var/db/idpd/sec-download/sub-download.
- After the template download has completed, install the templates:
- From the same page, click Template, then Install Template.
- Check the policy installation by clicking the Check Status > Install Status button.
The file will be installed into /var/db/scripts/commit/templates.xsl.
- Apply the template into the Junos OS config, and then commit. From the previous step, click Template, then Load Template.
- Once the template has been loaded, the predefined policy templates can be used. Go to Security > IDP > Policy to see the possible templates.
(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
- You can set one of the predefined templates as the active policy, and also make changes to the policy. For example, to make the Recommended template the active IDP policy, do the following:
- Highlight the Recommended policy from the Policy List.
- Click the Activate button on the top right-hand side of the browser.
- When the policy is activated, you will see that there is an "Action" that needs to take place. Click Actions > Commit.
The IDP Policy Configuration page will now show the Recommended policy as "Active" with a green check mark next to it. Note that this does not mean the policy has finished compiling from the commit. The only way to check this is with the operational command show security idp policy-commit-status from the CLI:
root@SRX650> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:7059856 Bytes
PCRE converted patterns: 1067 pcre:1 hw:0
CLI Configuration (All Versions)
- Download the latest IDP policy templates (such as "Recommended," "All with Logging") from the Juniper Website by using the following command:
root@jSRX650> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
- Check the status with the request security idp security-package download status command:
root@SRX650> request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:2528
- Install the template file:
root@SRX650> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
- Check the installation status with the request security idp security-package install status command:
root@SRX650> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
- Commit the templates.xsl script to explode the policy templates (edit mode). Note that the security database must already be installed.
root@jSRX650# set system scripts commit file templates.xsl
[edit]
root@SRX650# commit
commit complete
- Once committed, the predefined templates can be used. Enter the following command to see the possible templates. You can set one of the predefined templates as the active policy, and also make changes to the policy.
(Note: Refer to TSB16412 - Juniper updating built-in IDP policy templates in attackDB update and KB29111 - Updated IDP policy templates for updated IDP policy templates.)
root# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
For example, to make the Recommended template the active IDP policy, use the command:
root# set security idp active-policy Recommended
root# commit
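The download and install requests above run asynchronously, and the article notes that only show security idp policy-commit-status confirms the policy actually compiled and loaded. The following Python is an added example (not part of the original article or Juniper tooling) that parses those status outputs for use in an automation check. It assumes the compiled policy file is named after the policy, as in the article's sample output, and treats any status that does not start with "Done;" as not finished; the function names are hypothetical.

```python
import re

# Status outputs copied from the CLI transcripts in this article.
DOWNLOAD_STATUS = (
    "Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).\n"
    "Version info:2528\n"
)
INSTALL_STATUS = (
    "Done;policy-templates has been successfully updated into internal repository\n"
    "(=>/var/db/scripts/commit/templates.xsl)!\n"
)
COMMIT_STATUS = (
    "IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and "
    "detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] "
    "loaded successfully.\n"
    "The loaded policy size is:7059856 Bytes\n"
)
# Constructed placeholder, not real device output: stands for any non-"Done;" status.
PENDING_STATUS = "<constructed: status text while the async job is still running>\n"

POLICY_RE = re.compile(r"IDP policy\[(?P<path>[^\]]+)\].*loaded successfully\.", re.S)


def async_job_done(status_text):
    """True only when the first line of a download/install status starts with 'Done;'."""
    lines = status_text.strip().splitlines()
    return bool(lines) and lines[0].startswith("Done;")


def download_version(status_text):
    """Return the 'Version info' number of a finished download, else None."""
    m = re.search(r"^Version info:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m and async_job_done(status_text) else None


def loaded_policy(status_text):
    """Return the policy name from policy-commit-status, or None if nothing loaded."""
    m = POLICY_RE.search(status_text)
    if not m:
        return None
    # Assumption: /var/db/idpd/bins/<policy>.bin.gz.v is named after the policy.
    return m.group("path").rsplit("/", 1)[-1].split(".", 1)[0]


def policy_is_live(status_text, expected):
    """Fail closed: the expected policy must be the one reported as loaded."""
    return loaded_policy(status_text) == expected
```

A monitoring job can call policy_is_live() after each commit and alert when the device reports a different policy, or none, as loaded.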
2019-09-20: Article checked for accuracy, broken links fixed, formatting fixed